Skip to main content
A profile defines a kind of certificate the broker may issue. Profile names are referenced by hosts (in policy) and by the agent (in agent.yml’s certificates[].profile).
profiles:
  public_edge_main:
    type: wildcard
    dns_names:
      - "*.example.com"
    acme:
      challenge: dns-01
      credentials: cloudflare/example-com
    renew_before: 720h

  api_san:
    type: multi_san
    dns_names:
      - api.example.com
      - api-v2.example.com
    acme:
      challenge: http-01

Fields

FieldTypeRequiredNotes
typeenum: wildcard, multi_sanyes
dns_namesstring[]yesAllowed DNS names. Non-empty.
acme.challengeenum: dns-01, http-01yesWildcard profiles require dns-01.
acme.credentialsstringfor dns-01Secret reference resolved by the broker’s secrets provider.
renew_beforedurationno (default 720h)When the broker considers a cached cert “due” for renewal.
The schema rejects unknown fields per profile (additionalProperties: false).

type: wildcard

For *.zone certificates.
  • dns_names must contain exactly one entry of the form *.<zone>.
  • acme.challenge must be dns-01 (Let’s Encrypt does not allow http-01 for wildcards).
  • acme.credentials is required and resolves to your DNS provider credential.
The agent’s CSR must request a SAN whose host label sits under the same wildcard zone.
public_edge_main:
  type: wildcard
  dns_names:
    - "*.example.com"
  acme:
    challenge: dns-01
    credentials: cloudflare/example-com

type: multi_san

For certificates with a fixed list of SANs.
  • dns_names lists every SAN the profile may include.
  • acme.challenge may be dns-01 or http-01.
  • acme.credentials is required for dns-01.
  • The agent’s CSR SANs must be a subset of dns_names.
api_san:
  type: multi_san
  dns_names:
    - api.example.com
    - api-v2.example.com
  acme:
    challenge: http-01

renew_before

This is the broker-side renewal window. When an agent asks for a cached certificate and the cache entry is within renew_before of expiry, the broker requests a fresh certificate from ACME instead of returning the cached one. Agents have their own renew_before in agent.yml — they should be roughly equal to avoid an agent asking too late. Common values: 720h (30 days) for 90-day Let’s Encrypt certificates.

Credential references

The acme.credentials string is opaque to the policy compiler. It is interpreted by the configured secrets provider in broker.yml:
ProviderInterpretation of acme.credentials
envEnvironment variable name.
filePath to a file on the broker.
vault / openbaoVault path under mount_path.
See Secrets providers and Vault and OpenBao secrets.