policy.path in broker.yml). It defines named profiles (the shape of a certificate request) and hosts (which identities may request which profiles).
The authoritative schema is schemas/policy.schema.json.
Minimum policy
Top-level keys
| Key | Required | Notes |
|---|---|---|
version | no | Must equal 1 if set. Reserved for future migrations. Default: 1. |
profiles | yes | Map of profile name → profile definition. At least one profile. |
hosts | yes | Map of host label → host definition. At least one host. |
additionalProperties: false).
How a request is authorized
When an agent callsPOST /v1/certificates:
- The broker reads the CN of the client certificate (the agent’s identity).
- It looks up that identity in
hosts.<label>.identity. If no host entry has a matching identity, the request is denied. - The requested
profile(from the JSON body) must appear in that host’sprofileslist. - The CSR’s DNS names must satisfy the profile’s
dns_namesrules — wildcard profiles require the SANs to fall under the configured wildcard label;multi_sanprofiles require the SANs to be exactly drawn from the allowed list. - If all checks pass, the broker serves a cached bundle or issues via ACME.
Hot reload
Setpolicy.watch: true in broker.yml to reload the policy when the file changes on disk. The broker logs the new policy hash so you can correlate reloads with the audit stream.