Domain Trust Profiles
A Domain Trust Profile (DTP) is the core policy object in CertForge. It defines the rules that govern certificate issuance for a set of domains: which Certificate Authority to use, whether human approval is required, who is allowed to request certificates, and which environments are permitted. Every certificate request is matched against a DTP before anything is issued.What a DTP controls
Domain matching
Domains in a DTP support wildcard prefixes:
A request must match exactly one DTP. If a request’s domains span multiple DTPs, it is rejected.
Approval workflow
When Require approval is enabled on a DTP, the flow is:admin or operator role in the organization, or any user explicitly granted access to the DTP.
Escalation
When a request remains pending past the configured thresholds, CertForge takes the following actions:
Escalated requests show an escalation badge on the Approvals page.
DNS account linking
For ACME-backed DTPs, each profile can reference a specific DNS account to use when solving DNS-01 challenges. This allows different profiles to use different DNS provider credentials, even across zones or accounts. DNS accounts are configured in Admin → DNS Accounts. Once created, select the account in the DTP’s DNS settings.Max validity days
When using an internal CA, you can cap the maximum certificate lifetime on the DTP. Requests for longer validity are capped at this value. ACME CAs (Let’s Encrypt, ZeroSSL) always issue certificates with a maximum validity of 90 days regardless of this setting.Compliance framework assignment
Assigning a compliance framework to a DTP enforces that framework’s policy requirements on all certificates issued under the profile. Active frameworks (SOC 2, ISO 27001, PCI-DSS, HIPAA) set requirements such as mandatory approval reasons and maximum certificate validity. See Compliance for details.DTP permissions
You can grant individual users access to a DTP with a specific role:
DTP-level permissions are additive on top of org-level roles.
Creating a DTP
Dashboard: Admin → Domain Trust Profiles → New Required fields:- Name
- At least one domain pattern
- Certificate Authority
- Approval required (recommended for production domains)
- Environment restrictions
- Escalation thresholds and contacts
- DNS account (required for ACME DNS-01)
- Max validity days (internal CAs only)
- Compliance framework assignment
- Per-user DTP role grants