Overview
Issuance profiles define reusable templates for certificate issuance. They control certificate validity periods, key usage constraints, subject handling, and cryptographic requirements.
List Issuance Profiles
Retrieve a paginated list of all issuance profiles.
Query Parameters
Number of results per page
Pagination cursor from previous response
Filter expression (e.g., sign_as_ca[eq]=true)
Response
Array of issuance profile objects
Certificate validity configuration
Validity type: Duration or Time
Human-readable duration (e.g., 1y, 90d)
Whether certificates should be marked as CA certificates
Array of extended key usage OIDs
Whether to honor key usage from CSR
honor_extended_key_usages
Whether to honor extended key usages from CSR
Whether to honor subject from CSR
Default subject values to use if not honoring CSR
Whether to honor extensions from CSR
Cryptographic algorithm enforcement settings
Whether crypto enforcement is enabled
Whether RSA keys are allowed
Allowed RSA key sizes (e.g., [2048, 4096])
Whether ECDSA keys are allowed
Allowed ECDSA key sizes (e.g., [256, 384])
Pagination bookmark for next page
Example Request
curl -X GET "https://your-domain.com/api/ca/v1/profiles" \
  -H "Authorization: Bearer <token>"
Example Response
{
  "list": [
    {
      "id": "iot-device-profile",
      "name": "IoT Device Certificate Profile",
      "description": "Standard profile for IoT device certificates",
      "validity": {
        "type": "Duration",
        "duration": "1y"
      },
      "sign_as_ca": false,
      "honor_key_usage": false,
      "key_usage": {
        "digital_signature": true,
        "key_encipherment": true
      },
      "honor_extended_key_usages": false,
      "extended_key_usages": [
        "1.3.6.1.5.5.7.3.1",
        "1.3.6.1.5.5.7.3.2"
      ],
      "honor_subject": true,
      "honor_extensions": false,
      "crypto_enforcement": {
        "enabled": true,
        "allow_rsa_keys": true,
        "allowed_rsa_key_sizes": [2048, 4096],
        "allow_ecdsa_keys": true,
        "allowed_ecdsa_key_sizes": [256, 384]
      }
    }
  ],
  "next": ""
}
Get Issuance Profile
Retrieve a specific issuance profile by ID.
Path Parameters
Issuance profile identifier
Example Request
curl -X GET "https://your-domain.com/api/ca/v1/profiles/iot-device-profile" \
  -H "Authorization: Bearer <token>"
Create Issuance Profile
Create a new issuance profile.
Request Body
Unique profile identifier
Certificate validity configuration
Validity type: Duration or Time
Human-readable duration (e.g., 1y, 90d) - required if type is Duration
Expiration timestamp (ISO 8601) - required if type is Time
Whether to sign certificates as CA certificates
Whether to honor key usage from CSR
X.509 key usage flags (if not honoring CSR)
Example:
{
  "digital_signature": true,
  "key_encipherment": true,
  "data_encipherment": false
}
honor_extended_key_usages
Whether to honor extended key usages from CSR
Array of extended key usage OIDs (if not honoring CSR)
Common values:
1.3.6.1.5.5.7.3.1 - TLS Web Server Authentication
1.3.6.1.5.5.7.3.2 - TLS Web Client Authentication
1.3.6.1.5.5.7.3.3 - Code Signing
Whether to honor subject from CSR
Default subject values (if not honoring CSR)
Whether to honor extensions from CSR
Cryptographic algorithm enforcement
Enable crypto enforcement
Allowed RSA key sizes in bits (e.g., [2048, 4096])
Allowed ECDSA key sizes in bits (e.g., [256, 384, 521])
Response
Returns the created issuance profile object.
Example Request
curl -X POST "https://your-domain.com/api/ca/v1/profiles" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "id": "web-server-profile",
    "name": "Web Server Certificate Profile",
    "description": "Profile for TLS server certificates",
    "validity": {
      "type": "Duration",
      "duration": "90d"
    },
    "sign_as_ca": false,
    "honor_key_usage": false,
    "key_usage": {
      "digital_signature": true,
      "key_encipherment": true
    },
    "honor_extended_key_usages": false,
    "extended_key_usages": [
      "1.3.6.1.5.5.7.3.1"
    ],
    "honor_subject": true,
    "honor_extensions": false,
    "crypto_enforcement": {
      "enabled": true,
      "allow_rsa_keys": true,
      "allowed_rsa_key_sizes": [2048, 4096],
      "allow_ecdsa_keys": true,
      "allowed_ecdsa_key_sizes": [256, 384]
    }
  }'
Update Issuance Profile
Update an existing issuance profile.
Path Parameters
Issuance profile identifier
Request Body
Same as Create Issuance Profile.
Example Request
curl -X PUT "https://your-domain.com/api/ca/v1/profiles/web-server-profile" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "id": "web-server-profile",
    "name": "Web Server Certificate Profile (Updated)",
    "description": "Updated profile for TLS server certificates",
    "validity": {
      "type": "Duration",
      "duration": "180d"
    },
    "sign_as_ca": false,
    "honor_subject": true
  }'
Delete Issuance Profile
Delete an issuance profile.
Path Parameters
Issuance profile identifier
Response
Returns 204 No Content on successful deletion.
Example Request
curl -X DELETE "https://your-domain.com/api/ca/v1/profiles/old-profile" \
  -H "Authorization: Bearer <token>"
Profile Configuration Examples
CA Certificate Profile
For issuing intermediate CA certificates:
{
  "id": "intermediate-ca-profile",
  "name": "Intermediate CA Profile",
  "validity": {
    "type": "Duration",
    "duration": "5y"
  },
  "sign_as_ca": true,
  "honor_key_usage": false,
  "key_usage": {
    "cert_sign": true,
    "crl_sign": true
  },
  "honor_subject": false,
  "subject": {
    "organization": "Lamassu IoT",
    "country": "US"
  }
}
IoT Device Profile
For short-lived device certificates:
{
  "id": "iot-device-short",
  "name": "IoT Device (30 days)",
  "validity": {
    "type": "Duration",
    "duration": "30d"
  },
  "sign_as_ca": false,
  "honor_subject": true,
  "crypto_enforcement": {
    "enabled": true,
    "allow_rsa_keys": true,
    "allowed_rsa_key_sizes": [2048],
    "allow_ecdsa_keys": true,
    "allowed_ecdsa_key_sizes": [256]
  }
}
Code Signing Profile
For software signing certificates:
{
  "id": "code-signing-profile",
  "name": "Code Signing Certificate",
  "validity": {
    "type": "Duration",
    "duration": "3y"
  },
  "sign_as_ca": false,
  "honor_key_usage": false,
  "key_usage": {
    "digital_signature": true
  },
  "honor_extended_key_usages": false,
  "extended_key_usages": [
    "1.3.6.1.5.5.7.3.3"
  ],
  "crypto_enforcement": {
    "enabled": true,
    "allow_rsa_keys": true,
    "allowed_rsa_key_sizes": [3072, 4096]
  }
}
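Profiles like the ones above can be reviewed before they are created or after they are listed. The following lint pass over profile objects is an added example, not part of the product or its documentation. The thresholds in `MIN_RSA_BITS` and `MAX_LEAF_DAYS`, the meaning given to the duration suffixes, and the `loose-example` profile are assumptions made for the illustration.

```python
import re

# Local policy assumed for this example; these are not limits set by the API.
MIN_RSA_BITS, MAX_LEAF_DAYS = 2048, 398
UNIT_DAYS = {"d": 1, "w": 7, "y": 365}  # assumed meaning of the duration suffixes

def duration_days(text):
    """Convert a duration such as '90d' or '1y' to days; None if unrecognised."""
    m = re.fullmatch(r"(\d+)([dwy])", text or "")
    return int(m.group(1)) * UNIT_DAYS[m.group(2)] if m else None

def audit_profile(p):
    """Return a list of findings for one issuance profile object."""
    out, ca = [], bool(p.get("sign_as_ca"))
    # Each honor_* flag hands that part of the certificate to the requester.
    for flag in ("honor_key_usage", "honor_extended_key_usages", "honor_extensions"):
        if p.get(flag):
            out.append(f"{flag}: value is taken from the CSR")
    if ca and p.get("honor_subject"):
        out.append("honor_subject: CA profile takes its subject from the CSR")
    if not ca and (p.get("key_usage") or {}).get("cert_sign"):
        out.append("key_usage.cert_sign: set on a non-CA profile")
    ce = p.get("crypto_enforcement") or {}
    if not ce.get("enabled"):
        out.append("crypto_enforcement: not enabled in this object")
    elif ce.get("allow_rsa_keys") and any(
            s < MIN_RSA_BITS for s in ce.get("allowed_rsa_key_sizes", [])):
        out.append(f"allowed_rsa_key_sizes: entry below {MIN_RSA_BITS} bits")
    v = p.get("validity") or {}
    if v.get("type") == "Duration":
        days = duration_days(v.get("duration"))
        if days is None:
            out.append("validity.duration: unrecognised format")
        elif not ca and days > MAX_LEAF_DAYS:
            out.append(f"validity: {days} days exceeds {MAX_LEAF_DAYS} for a leaf")
    return out

# Constructed sample: one profile from this page and one deliberately loose one.
SAMPLE = [
    {"id": "iot-device-short", "validity": {"type": "Duration", "duration": "30d"},
     "sign_as_ca": False, "honor_subject": True, "crypto_enforcement": {
         "enabled": True, "allow_rsa_keys": True, "allowed_rsa_key_sizes": [2048]}},
    {"id": "loose-example", "validity": {"type": "Duration", "duration": "3y"},
     "honor_extensions": True, "key_usage": {"cert_sign": True}, "crypto_enforcement": {
         "enabled": True, "allow_rsa_keys": True, "allowed_rsa_key_sizes": [1024, 2048]}},
]
for prof in SAMPLE:
    print(prof["id"], audit_profile(prof) or "ok")
```

Feeding it the `list` array from the list endpoint's response gives one set of findings per profile; a profile object that carries no `crypto_enforcement` block is reported as not enforcing key algorithms.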