How to configure Domain Policies for Certificate Enrollment
Updated on August 12, 2025
Overview
Domain policies define the rules for issuing certificates, including the types of domain names and IP addresses allowed. These policies ensure that certificates are only issued to approved entities and follow organizational naming conventions.
Policy Components
1. FQDN (Fully Qualified Domain Name)
- Format: hostname.domain.tld (e.g., server1.corp.net)
- Policy Role:
  - Restricts certificate issuance to approved FQDNs.
  - Used in the Subject Name (CN) or Subject Alternative Name (SAN) fields.
2. Hostname
- Format: Short name of a device (e.g., server1, mail, router)
- Policy Role:
  - Typically combined with domain suffixes (e.g., hostname + .corp.net).
  - Helps enforce consistent naming across devices.
3. IP Addresses
- Format: IPv4 or IPv6 (e.g., 192.168.1.1, 2001:db8::1)
- Policy Role:
  - Must be explicitly allowed in the policy (often disabled by default).
  - Commonly used for internal PKI or IoT device certificates.
4. Wildcard Domains
- Format: Covers all subdomains under a domain (e.g., *.corp.net)
- Policy Role:
  - Must be explicitly permitted.
  - Often restricted to internal domains (e.g., *.internal.corp.net is allowed, but *.com is not).
🛠️ Troubleshooting Tips
If certificate enrollment fails due to domain policy restrictions, consider the following:
✅ Check the Certificate Request Format
- Ensure the Subject Name (CN) and SAN entries match the allowed formats (e.g., FQDN, hostname).
- Avoid using unsupported wildcards or IP addresses unless explicitly permitted.
🔍 Review SCM Policy Settings
- Confirm that the domain policy includes the required domain suffixes and IP address formats.
- Check if wildcard domains are enabled for the requested domain.
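The following Python script is an added example, not part of this article or of SCM itself: it performs the pre-enrollment check described above by classifying each CN/SAN entry as FQDN, bare hostname, IP address or wildcard and testing it against a domain policy. The `DomainPolicy` fields and the sample policy values are assumptions for illustration, not SCM's own configuration schema.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class DomainPolicy:  # hypothetical model of a domain policy, not SCM's schema
    allowed_suffixes: tuple       # FQDNs must fall under one of these, e.g. "corp.net"
    allow_ip: bool = False        # IP SANs are often disabled by default; enable explicitly
    wildcard_domains: tuple = ()  # wildcards permitted only at/below these, e.g. "internal.corp.net"

def classify(name):
    """Return 'ip', 'wildcard', 'hostname' (no dots) or 'fqdn' for one CN/SAN entry."""
    try:
        ipaddress.ip_address(name)  # accepts both IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if name.startswith("*."):
        return "wildcard"
    return "hostname" if "." not in name.rstrip(".") else "fqdn"

def under_suffix(name, suffix):
    """True if name equals suffix or is a subdomain of it (label-aligned: evilcorp.net is not under corp.net)."""
    name, suffix = name.lower().rstrip("."), suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)

def check_name(name, policy):
    """Return None if the entry is allowed by the policy, otherwise the rejection reason."""
    kind = classify(name)
    if kind == "ip":
        return None if policy.allow_ip else f"{name}: IP address SANs are not enabled in the policy"
    if kind == "hostname":
        return f"{name}: bare hostname; combine it with an approved domain suffix"
    if kind == "wildcard":
        base = name[2:]  # reject a second wildcard label, then require an approved wildcard domain
        if "*" not in base and any(under_suffix(base, d) for d in policy.wildcard_domains):
            return None
        return f"{name}: wildcards are not permitted for this domain"
    if any(under_suffix(name, s) for s in policy.allowed_suffixes):
        return None
    return f"{name}: not under an approved domain suffix"

def check_request(cn, sans, policy):
    """Check the CN plus every SAN entry; an empty list means the request passes the policy."""
    return [r for r in (check_name(n, policy) for n in [cn, *sans]) if r]

if __name__ == "__main__":  # constructed sample policy and request, not from a real SCM tenant
    policy = DomainPolicy(("corp.net",), wildcard_domains=("internal.corp.net",))
    print(check_request("server1.corp.net", ["*.internal.corp.net", "*.com", "192.168.1.1"], policy))
```

Running the script lists each entry the policy would reject, which is the same information the enrollment error hides behind a generic "domain policy restriction" failure.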