Paul Venhaus

Reputation: 21

Purpose of "enrollment" field in the fabric-ca-client-config.yaml configuration file for Hyperledger Fabric CA Clients

What is the purpose of the enrollment field in fabric-ca-client-config.yaml?

The field breaks down into profile and label. I can't find any explanation for the usage of either field anywhere. The file itself states that profile is the "Name of the signing profile to use in issuing the certificate". Sadly this information does not help since "signing profile" is not defined.

From fabric-ca-client-config.yaml:

#  Enrollment section used to enroll an identity with fabric-ca server
#
#  profile - Name of the signing profile to use in issuing the certificate
#  label - Label to use in HSM operations

enrollment:
  profile:
  label:

Upvotes: 2

Views: 373

Answers (1)

Saad Karim

Reputation: 239

A Fabric CA server can be configured with multiple profiles. By default, on the latest version of the CA there are 3 profiles:

signing:
  default:
    usage:
      - digital signature
    expiry: 8760h
  profiles:
    ca:
      usage:
        - cert sign
        - crl sign
      expiry: 43800h
      caconstraint:
        isca: true
        maxpathlen: 0
    tls:
      usage:
        - signing
        - key encipherment
        - server auth
        - client auth
        - key agreement
      expiry: 8760h

Each profile will generate a certificate with different key usages, expiration dates, etc. So during enrollment time, a client can specify which profile to enroll against. For instance, if you want to get back a TLS certificate, you would enroll against the 'tls' profile. If you are enrolling as an intermediate CA, you would enroll against the 'ca' profile.

The label property does not have much usage besides that it provides a label to this certificate in the database.

Upvotes: 2
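
To confirm which profile the CA applied to an enrollment, compare the extensions on the returned certificate with the usages in the server's `signing` section. The script below is an added example, not part of the answer or of Fabric CA; the function names, arguments and sample extension text are constructed for illustration, and it assumes the three profiles shown in the answer.

```shell
#!/bin/sh
# Added example: function names and sample text are constructed.

# Enroll against a named signing profile (needs a reachable Fabric CA; not run
# here). Same effect as setting enrollment.profile in fabric-ca-client-config.yaml.
enroll_with_profile() {  # usage: enroll_with_profile <profile> <url> <mspdir>
  fabric-ca-client enroll -u "$2" --enrollment.profile "$1" -M "$3"
}

# Read `openssl x509 -noout -text` output on stdin and print which profile from
# the answer's config the certificate's usages correspond to.
classify_profile() {
  text=$(cat)
  has() { printf '%s\n' "$text" | grep -q "$1"; }
  if has 'CA:TRUE' && has 'Certificate Sign'; then echo ca
  elif has 'TLS Web Server Authentication' && has 'Key Encipherment'; then echo tls
  elif has 'Digital Signature'; then echo default
  else echo unknown
  fi
}

# Fail when an issued certificate does not match the profile that was requested,
# for example a 'tls' enrollment that came back with default usages only.
verify_cert_profile() {  # usage: verify_cert_profile <expected-profile> <cert.pem>
  got=$(openssl x509 -in "$2" -noout -text | classify_profile)
  [ "$got" = "$1" ] || { echo "expected $1, got $got" >&2; return 1; }
}

# Constructed extension text, as openssl prints it, for a 'tls' certificate.
SAMPLE_TLS='X509v3 Key Usage: critical
    Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
    CA:FALSE'
# Constructed extension text for a 'ca' (intermediate CA) certificate.
SAMPLE_CA='X509v3 Key Usage: critical
    Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
    CA:TRUE, pathlen:0'

printf '%s\n' "$SAMPLE_TLS" | classify_profile   # prints: tls
printf '%s\n' "$SAMPLE_CA"  | classify_profile   # prints: ca
```

Running `verify_cert_profile tls <cert.pem>` after a TLS enrollment catches the case where the profile name was left empty and the certificate was issued with other usages.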
