How to Configure Domain Policy Rules for Certificate Enrollment
Overview
This guide provides the step-by-step process for understanding and applying domain policy requirements when issuing certificates. It explains how to work with FQDNs, hostnames, IP addresses, and wildcard domains to ensure that certificate requests align with organizational rules and avoid enrollment failures.
Use Cases
Domain policies are commonly used for:
- Controlling certificate issuance: ensuring only approved FQDNs, hostnames, and SANs are used so that certificates match organizational naming rules.
- Strengthening PKI governance: restricting or allowing elements like wildcard domains or IP addresses depending on security requirements.
- Preventing enrollment failures: ensuring certificate requests do not violate domain rules before submission.
- Maintaining consistency across infrastructure: using standardized hostnames and domain structures.
Prerequisites
Before you begin, ensure you have the following:
- Access to your Certificate Authority (CA) or certificate enrollment tool
- Knowledge of your organization’s approved domain formats and naming standards
- Required permissions to review or modify domain policy settings
Key Components
Fully Qualified Domain Name (FQDN)
Format: hostname.domain.tld (e.g., server1.corp.net)
Role: Serves as a primary identifier for devices and must match approved formats for certificate issuance.
Hostname
Format: Short device name (e.g., server1, router)
Role: Frequently combined with domain suffixes to maintain consistent device naming.
IP Addresses
Format: IPv4 or IPv6 (e.g., 192.168.1.1, 2001:db8::1)
Role: May be included in SAN fields but are usually disabled unless explicitly allowed.
Wildcard Domains
Format: *.domain.tld (e.g., *.corp.net)
Role: Must be explicitly permitted and are often restricted to internal domains only.
Steps to Configure Domain Policies for Certificate Enrollment
Step 1: Review Approved FQDN Formats
Verify that the Fully Qualified Domain Name (FQDN) used in the certificate request follows organizational standards.
FQDNs should follow the format hostname.domain.tld (e.g., server1.corp.net). These values are typically used in the Subject Name (CN) or Subject Alternative Name (SAN) fields.
Step 2: Validate Hostname Usage
Check that the hostname complies with internal naming requirements.
Hostnames should be short, device‑specific names (e.g., server1, mail, router) and are often combined with approved domain suffixes such as hostname.corp.net.
Step 3: Confirm IP Address Permissions
If your certificate requires an IP address in the SAN field, ensure IP addresses are explicitly allowed by your domain policy.
The entry MUST contain the IPv4 or IPv6 address that the CA has confirmed the Applicant controls or has been granted the right to use through a method specified. The entry MUST NOT contain a Reserved IP Address.
Step 4: Check Wildcard Domain Rules
Determine whether wildcard domains are permitted within your environment.
Wildcard entries (e.g., *.corp.net) must be explicitly enabled. Many organizations restrict them only to internal domains, such as *.internal.corp.net, while blocking external wildcards like *.com.
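The four checks above can be applied to a request before it is submitted. The following is an added example, not part of the original article or of any vendor's product: a small validator that applies a constructed policy (approved suffix corp.net, IP SANs disabled, wildcards only under internal.corp.net) to the CN and SAN entries of a request and reports every violation. The policy keys and function names are this example's own assumptions.

```python
import ipaddress
import re

# Constructed example policy; the key names are this example's own, not a product's.
POLICY = {
    "allowed_suffixes": ("corp.net",),            # approved suffixes for FQDN entries
    "allow_ip": False,                            # IP SANs disabled unless explicitly enabled
    "allow_wildcard": True,
    "wildcard_suffixes": ("internal.corp.net",),  # wildcards only under internal domains
}

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, at most 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _under(name, suffixes):
    return any(name == s or name.endswith("." + s) for s in suffixes)


def check_entry(entry, policy=POLICY):
    """Return None if a CN/SAN entry satisfies the policy, otherwise the reason it fails."""
    entry = entry.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(entry)
    except ValueError:
        ip = None
    if ip is not None:
        # Step 3: IP entries need explicit permission and must not be reserved/private ranges.
        if not policy["allow_ip"]:
            return f"{entry}: IP addresses are not enabled by the domain policy"
        if not ip.is_global:
            return f"{entry}: reserved IP address"
        return None
    if entry.startswith("*."):
        # Step 4: one leading wildcard label, only under explicitly permitted suffixes.
        base = entry[2:]
        if not policy["allow_wildcard"]:
            return f"{entry}: wildcard domains are not enabled"
        labels_ok = all(LABEL_RE.match(l) for l in base.split("."))
        if not labels_ok or not _under(base, policy["wildcard_suffixes"]):
            return f"{entry}: wildcard not permitted outside {policy['wildcard_suffixes']}"
        return None
    # Steps 1-2: hostname.domain.tld with valid labels and an approved suffix.
    labels = entry.split(".")
    if len(labels) < 3 or not all(LABEL_RE.match(l) for l in labels):
        return f"{entry}: not a valid hostname.domain.tld FQDN"
    if not _under(entry, policy["allowed_suffixes"]):
        return f"{entry}: domain suffix is not on the approved list"
    return None


def validate_request(cn, sans, policy=POLICY):
    """Check the CN and every SAN; an empty list means the request passes the domain policy."""
    return [reason for reason in (check_entry(e, policy) for e in [cn, *sans]) if reason]
```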
Troubleshooting
Validate Certificate Request Formatting
- Ensure the information in your certificate request follows all domain rules:
  - CN and SAN fields must match approved domain patterns
  - Avoid using wildcards or IP addresses unless explicitly allowed
Review SCM or Domain Policy Settings (if enrollment fails)
If certificate enrollment is unsuccessful:
- Check domain policy settings related to allowed suffixes and formats
- Confirm whether wildcard domains or IP addresses are enabled
- Update policy configurations if necessary and retry the request
Verification
To confirm that the process was successful:
- Submit a certificate request and verify that it is issued without domain policy errors
- Open the issued certificate and confirm that the CN and SAN fields match the expected formats (e.g., valid FQDNs, approved hostnames, permitted IP addresses)
- Ensure there are no warnings or rejections related to domain naming rules