Policy Bindings

Policy bindings connect issuance policies to authorities. They define which ADCS backend(s) handle certificate requests for a given policy, and the selection strategy when multiple authorities are available.

Configuration

policy-bindings:
  - policy: corp-server
    authorities:
      - ca1
      - ca2
    strategy: first_available

Fields

Field         Default           Description
policy                          Name of the issuance policy
authorities                     List of authority names to use for this policy
strategy      first_available   Selection strategy when multiple authorities are listed

Strategies

first_available

Certeasy sends the request to the first authority in the list. If that attempt fails (the authority is unreachable or returns an error), it moves on to the next one. This provides failover.

strategy: first_available

Use this when you have a primary CA and a backup.

round_robin

Certeasy distributes requests evenly across all listed authorities. This provides load balancing.

strategy: round_robin

Use this when you have multiple equivalent CAs and want to spread load.
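The two strategies in working form, as an added example that is not Certeasy's own code. The `issue` callable stands in for the ADCS enrollment call; `fake_issue`, the authority names and the failure of `ca1` are constructed for the demonstration. The page does not say what `round_robin` does when the chosen authority fails, so this example does not add failover to it: it only rotates the authority used for each request.

```python
from typing import Callable

# Stand-in for an ADCS enrollment call: takes an authority name and returns
# the issued certificate (here just a string) or raises on failure.
IssueFn = Callable[[str], str]


class AllAuthoritiesFailed(Exception):
    """Raised by first_available when every listed authority failed."""


def first_available(authorities: list[str], issue: IssueFn) -> tuple[str, str]:
    """Failover strategy: try authorities in order, return the first success.

    Returns (authority_name, certificate). Per-authority errors are collected
    so an operator can see why each backend was skipped.
    """
    errors: dict[str, str] = {}
    for name in authorities:
        try:
            return name, issue(name)
        except Exception as exc:  # unreachable CA, enrollment error, ...
            errors[name] = repr(exc)
    raise AllAuthoritiesFailed(errors)


class RoundRobin:
    """Load-balancing strategy: each request goes to the next authority in turn."""

    def __init__(self, authorities: list[str]) -> None:
        if not authorities:
            raise ValueError("round_robin needs at least one authority")
        self._authorities = list(authorities)
        self._next = 0

    def pick(self) -> str:
        name = self._authorities[self._next % len(self._authorities)]
        self._next += 1
        return name

    def issue(self, issue: IssueFn) -> tuple[str, str]:
        name = self.pick()
        return name, issue(name)


def fake_issue(authority: str) -> str:
    """Constructed backend: ca1 is down, every other authority issues."""
    if authority == "ca1":
        raise ConnectionError("ca1 unreachable")
    return f"cert-from-{authority}"


def demo_failover() -> tuple[str, str]:
    # A primary/backup binding: ca1 fails, so the request lands on ca2.
    return first_available(["ca1", "ca2"], fake_issue)


def demo_round_robin(n: int = 5) -> list[str]:
    # Three equivalent CAs: the chosen authority cycles through the list.
    rr = RoundRobin(["cax", "cay", "caz"])
    return [rr.pick() for _ in range(n)]


if __name__ == "__main__":
    print("first_available ->", demo_failover())
    print("round_robin     ->", demo_round_robin())
```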

Implicit Binding

If policy-bindings is omitted entirely and the configuration has exactly one issuance policy and one authority, Certeasy creates an implicit binding:

  • policy → the only issuance policy
  • authorities → the only authority
  • strategy → first_available

This simplifies minimal configurations. As soon as you add a second policy or a second authority, you must declare bindings explicitly.

Multiple Policies Example

policy-bindings:
  - policy: corp-servers
    authorities:
      - adcs-primary
      - adcs-backup
    strategy: first_available

  - policy: dmz-servers
    authorities:
      - adcs-dmz
    strategy: first_available

Validation Rules

At startup, Certeasy verifies:

  • Every issuance policy has exactly one binding
  • Every authority referenced in a binding exists
  • No dangling or duplicate bindings
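The implicit-binding rule and the startup validation rules above, implemented as an added example (not Certeasy's own loader). The configuration is a constructed Python structure in the shape of the page's YAML; the top-level keys `issuance-policies` and `authorities` and their `name` fields are assumptions, since the page only shows the `policy-bindings` section. A missing `strategy` falls back to `first_available` as the field table states.

```python
from collections import Counter
from copy import deepcopy

VALID_STRATEGIES = {"first_available", "round_robin"}
DEFAULT_STRATEGY = "first_available"

# Constructed configuration mirroring the "Multiple Policies Example".
EXAMPLE_CONFIG = {
    "issuance-policies": [{"name": "corp-servers"}, {"name": "dmz-servers"}],
    "authorities": [
        {"name": "adcs-primary"}, {"name": "adcs-backup"}, {"name": "adcs-dmz"},
    ],
    "policy-bindings": [
        {"policy": "corp-servers",
         "authorities": ["adcs-primary", "adcs-backup"],
         "strategy": "first_available"},
        {"policy": "dmz-servers", "authorities": ["adcs-dmz"]},  # strategy omitted
    ],
}


class BindingConfigError(ValueError):
    """Startup validation failure; the message lists every problem found."""


def resolve_bindings(config: dict) -> list[dict]:
    """Return the effective bindings, creating the implicit one when allowed."""
    policies = [p["name"] for p in config.get("issuance-policies", [])]
    authorities = [a["name"] for a in config.get("authorities", [])]
    bindings = config.get("policy-bindings")

    # Implicit binding: only when the section is absent and there is exactly
    # one policy and one authority; anything else must be declared explicitly.
    if bindings is None:
        if len(policies) == 1 and len(authorities) == 1:
            return [{"policy": policies[0],
                     "authorities": [authorities[0]],
                     "strategy": DEFAULT_STRATEGY}]
        raise BindingConfigError(
            "policy-bindings must be declared explicitly unless the config has "
            f"exactly one policy and one authority (found {len(policies)} "
            f"policies, {len(authorities)} authorities)")

    errors: list[str] = []

    # Every issuance policy has exactly one binding; no dangling or duplicates.
    bound = Counter(b.get("policy") for b in bindings)
    for name, n in bound.items():
        if name not in policies:
            errors.append(f"binding refers to unknown policy {name!r}")
        if n > 1:
            errors.append(f"policy {name!r} has {n} bindings, expected exactly one")
    for name in policies:
        if name not in bound:
            errors.append(f"policy {name!r} has no binding")

    # Every authority referenced in a binding exists; strategy is known.
    resolved = []
    for b in bindings:
        auths = b.get("authorities") or []
        if not auths:
            errors.append(f"binding for {b.get('policy')!r} lists no authorities")
        for a in auths:
            if a not in authorities:
                errors.append(f"binding for {b.get('policy')!r} references "
                              f"unknown authority {a!r}")
        strategy = b.get("strategy", DEFAULT_STRATEGY)
        if strategy not in VALID_STRATEGIES:
            errors.append(f"binding for {b.get('policy')!r} has unknown "
                          f"strategy {strategy!r}")
        resolved.append({"policy": b.get("policy"),
                         "authorities": list(auths),
                         "strategy": strategy})

    if errors:
        raise BindingConfigError("; ".join(errors))
    return resolved


def minimal_config() -> dict:
    """Constructed one-policy, one-authority config with no policy-bindings."""
    cfg = deepcopy(EXAMPLE_CONFIG)
    cfg["issuance-policies"] = [{"name": "corp-server"}]
    cfg["authorities"] = [{"name": "ca1"}]
    del cfg["policy-bindings"]
    return cfg


if __name__ == "__main__":
    for b in resolve_bindings(EXAMPLE_CONFIG):
        print(b)
    print("implicit:", resolve_bindings(minimal_config()))
```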