|
| 1 | +# Profiles (or issuance profiles) |
| 2 | + |
| 3 | +Profiles are used to define rules and settings for specific types of certificate requests and orders in ACME-ADCS via `appsettings.Production.json`. |
| 4 | +There are essentially two ways to select a profile: |
| 5 | + 0. via the `profile` query parameter in the ACME client request |
| 6 | + 0. by the ACME-ADCS server, based on the identifiers used in the certificate order |
| 7 | + |
| 8 | +A profile contains the supported identifier types, validation rules and the settings for issuing certificates. |
| 9 | +The following profile would allow issuing DNS and IP certificates for any account, without any special restrictions: |
| 10 | + |
| 11 | +```json |
| 12 | + "Profiles": { |
| 13 | + // A sample for a DNS and IP profile, the name 'default' is arbitrary, you can choose any name you like. |
| 14 | + "Default": { |
| 15 | + "SupportedIdentifiers": [ "dns", "ip" ], |
| 16 | + |
| 17 | + "ADCSOptions": { |
| 18 | + "CAServer": "CA.FQDN.com\\CA Name", |
| 19 | + "TemplateName": "Default-ACME-Template" |
| 20 | + } |
| 21 | + } |
| 22 | + } |
| 23 | +``` |
| 24 | + |
| 25 | +A profile for device-attest-01 challenges could look like this: |
| 26 | +Device-Attest-01 is a little bit more involved, since it allows remote validation via an [POST reqeuest](./AboutDeviceAttest.md) and needs to be configured with the Apple root certificate. |
| 27 | +Currently, the device-attest-01 challenge is not standardized, so this profile is experimental and may change in the future - also it only supports the Apple device-attest-01 challenges. |
| 28 | + |
| 29 | +If you are interested in android support or tpm support, please open an issue on the GitHub repository. |
| 30 | + |
| 31 | +```json |
| 32 | + "Profiles": { |
| 33 | + "DeviceAttestProfile": { |
| 34 | + "SupportedIdentifiers": [ "permanent-identifier" ], |
| 35 | + "RequireExternalAccountBinding": true, |
| 36 | + "IdentifierValidation": { |
| 37 | + "PermanentIdentifier": { |
| 38 | + "ValidationRegex": "^[a-zA-Z0-9]{32,64}$" |
| 39 | + } |
| 40 | + }, |
| 41 | + "ChallengeValidation": { |
| 42 | + "DeviceAttest01": { |
| 43 | + "RemoteValidationUrl": "https://device-attest-validation.example.com", |
| 44 | + "Apple": { |
| 45 | + "RootCertificates": [ |
| 46 | + "MIICJDCC...gN/r" |
| 47 | + ] |
| 48 | + } |
| 49 | + } |
| 50 | + }, |
| 51 | + "ADCSOptions": { |
| 52 | + "CAServer": "CA.FQDN.com\\CA Name", |
| 53 | + "TemplateName": "Device-Attest-Template" |
| 54 | + } |
| 55 | + } |
| 56 | + } |
| 57 | +``` |
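Review bot: The selection list at lines 5-6 does not say which method wins when a client passes `profile` but the order's identifiers would match a different profile, and it does not say what happens when the requested profile does not support those identifiers. Please document the precedence and the failure case. Both items are also numbered `0.`, so the list should start at `1.`. In the first sample, the comment at line 13 refers to the name 'default' while the key is `"Default"`. Since the text at line 9 describes this profile as allowing any account without special restrictions, it would help to point readers to `RequireExternalAccountBinding` and `IdentifierValidation`, which only appear in the second sample. In the device-attest-01 section, the lead-in at line 25 ("could look like this:") is separated from its JSON by two paragraphs, so move it to directly above the fence at line 31. At line 26, "an [POST reqeuest]" should be "a [POST request]". At line 29, use "Android" and "TPM". For `ValidationRegex` at line 38, if the pattern is evaluated with .NET's Regex, `$` also matches before a trailing newline, so consider `\z` in the sample, or state that the identifier is matched as a whole. The doc should also say what is sent to `RemoteValidationUrl` and whether the `RootCertificates` entries are expected as base64 DER, since the sample value is elided.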