What are Issuance Profiles?
An Issuance Profile is a named configuration that specifies which CA to use when issuing a certificate. It is assigned to one or more Domain Trust Profiles (DTPs). This separation exists so that:- The CA connection and product type are configured once and reused across many DTPs
- DTPs can focus on governance policy (who can request, approval rules, domain scope) without duplicating CA configuration
- A DTP with no Issuance Profile is governance-only — it tracks, monitors, and alerts on certificates but never issues them
The relationship between DTPs and Issuance Profiles
Governance-only DTPs
A DTP with no Issuance Profile assigned will:- Accept discovered certs into its governance scope
- Evaluate those certs against its policy rules (wildcard, EKU, validity)
- Fire expiry alerts for tracked certs
- Track certs in the dashboard “Tracked” and “Ungoverned” KPIs
Setting up an Issuance Profile
- Go to Admin → Issuance Profiles
- Click New Profile
- Enter:
- ID — a slug used to reference this profile (e.g.
digicert-ov,internal-prod) - Name — human-readable display name
- CA — select the Certificate Authority to use for issuance
- Description — optional notes
- ID — a slug used to reference this profile (e.g.
- Click Create
Assigning an Issuance Profile to a DTP
- Go to Admin → Domain Trust Profiles
- Edit the DTP
- In the Issuance Profile section, select one or more profiles from the list
- Optionally set a Default Issuance Profile — used when the requestor doesn’t specify one
- Click Update Profile
Common patterns
One CA, many DTPs Create one Issuance Profile for your internal CA. Assign it to all internal-domain DTPs. Change the CA once if your infrastructure changes, without touching each DTP. Mixed CAs by environmentinternal-ca-devIssuance Profile → dev and staging DTPsdigicert-ov-prodIssuance Profile → production DTPs