Certificate templates

Certificate Authority Service provides reusable and parameterized templates that you can use for common certificate issuance scenarios. A certificate template represents a relatively static and well-defined certificate issuance schema within an organization. The CertificateTemplate resource includes the following.

  1. A Common Expression Language (CEL) expression that is evaluated against the requested subject and SANs in all certificate requests that use the template. For more information about using CEL, see Using CEL.
  2. An allowlist specifying whether the subject and/or subject alternative name can be copied from the end-user request to the issued certificate.
  3. An optional allowlist specifying which X.509 extensions, if any, can be copied from the end-user request to the issued certificate.
  4. An optional set of X.509 extension values that are added to all the issued certificates that use the template.

Taken together, these elements let a certificate template act as a complete, self-contained issuance framework for one vertical use case. For more details, see the full CertificateTemplate message definition.

Predefined values in a certificate template

The predefined values in a certificate template are added to all the certificates that use the certificate template. They make it possible to express common certificate issuance scenarios, such as mTLS or code signing, once and reuse them. The values include the following:

  • Key usages: Specifies the base key usage for a certificate according to RFC 5280 section 4.2.1.12.
  • Extended key usages: Specifies the extended key usage for a certificate according to RFC 5280 section 4.2.1.3.
  • If the certificate is a CA: Specifies if the certificate can issue additional certificates or whether it's an end-entity certificate.
  • Max issuer path length: In the case of a CA, it specifies the maximum number of subordinate CA certificates that can appear in a chain beneath this CA certificate. If the max issuer path length is set to 0, then the CA can only issue end-entity certificates. If it's set to 1, then the chain beneath this CA certificate can include only one subordinate CA. If a value isn't declared, then the number of subordinate CAs in the chain beneath this CA is unbounded.
  • AIA OCSP servers: Refers to the OCSP servers in a certificate's Authority Information Access (AIA) extension, as described in RFC 5280 section 4.2.2.1.
  • Additional X.509 extensions: Describes custom X.509 extensions.

The following code sample shows all the predefined fields in a certificate template:

keyUsage:
  baseKeyUsage:
    digitalSignature: true
    keyEncipherment: true
    contentCommitment: false
    dataEncipherment: false
    keyAgreement: false
    certSign: false
    crlSign: false
    encipherOnly: false
    decipherOnly: false
  extendedKeyUsage:
    serverAuth: true
    clientAuth: false
    codeSigning: false
    emailProtection: false
    timeStamping: false
    ocspSigning: false
caOptions:
  isCa: true
  maxIssuerPathLength: 1
policyIds:
- objectIdPath:
  - 1
  - 2
  - 3
additionalExtensions:
- objectId:
    objectIdPath:
    - 1
    - 2
    - 3
  critical: false
  value: "base64 encoded extension value"

Values not specified in the YAML are either omitted or defaulted to false.

The following extensions are omitted if a value isn't specified:

  • keyUsage
  • policyIds
  • additionalExtensions
  • maxIssuerPathLength field in the caOptions extension

The following extensions default to false if a value isn't specified:

  • isCa field in the caOptions extension
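The following Python model, added here as an illustration and not part of Certificate Authority Service, ties the four template elements listed at the top of this page to the omit/default rules just described. A plain Python predicate stands in for the CEL expression, and the template, OIDs and request data are constructed samples.

```python
# Added illustration, not Certificate Authority Service code: a Python
# predicate stands in for the CEL expression; all data below is constructed.
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Template:
    identity_ok: Callable[[dict, list], bool]  # 1. stands in for the CEL expression
    allow_subject_passthrough: bool            # 2. may the Subject be copied from the request?
    allow_sans_passthrough: bool               # 2. may the SANs be copied from the request?
    passthrough_extensions: set = field(default_factory=set)  # 3. OIDs allowed through
    predefined_values: dict = field(default_factory=dict)     # 4. added to every certificate

class TemplateViolation(Exception):
    pass

def effective_predefined(values: dict) -> dict:
    """Omit/default rules: keyUsage, policyIds, additionalExtensions and
    maxIssuerPathLength are omitted when unset; isCa defaults to false."""
    out = {k: values[k] for k in ("keyUsage", "policyIds", "additionalExtensions") if k in values}
    ca = values.get("caOptions", {})
    out["caOptions"] = {"isCa": ca.get("isCa", False)}
    if "maxIssuerPathLength" in ca:
        out["caOptions"]["maxIssuerPathLength"] = ca["maxIssuerPathLength"]
    return out

def apply_template(tmpl: Template, subject: dict, sans: list, extensions: dict) -> dict:
    """Return what the issued certificate would carry, or raise TemplateViolation."""
    if not tmpl.identity_ok(subject, sans):
        raise TemplateViolation("requested identity rejected by template expression")
    cert = {
        "subject": dict(subject) if tmpl.allow_subject_passthrough else {},
        "sans": list(sans) if tmpl.allow_sans_passthrough else [],
        # requested extensions outside the allowlist are dropped, not rejected (model assumption)
        "extensions": {oid: v for oid, v in extensions.items() if oid in tmpl.passthrough_extensions},
    }
    cert.update(effective_predefined(tmpl.predefined_values))  # template values apply to every cert
    return cert

# Constructed sample: a TLS server template that admits only *.example.com SANs.
SERVER_TEMPLATE = Template(
    identity_ok=lambda subj, sans: bool(sans) and all(s.endswith(".example.com") for s in sans),
    allow_subject_passthrough=False,
    allow_sans_passthrough=True,
    passthrough_extensions={"1.3.6.1.4.1.99999.1"},  # one private-enterprise OID (constructed)
    predefined_values={
        "keyUsage": {"baseKeyUsage": {"digitalSignature": True, "keyEncipherment": True},
                     "extendedKeyUsage": {"serverAuth": True}},
    },
)
```

Because isCa is never set in SERVER_TEMPLATE, every certificate it models comes out as an end-entity certificate, and a requested basicConstraints extension is dropped rather than honoured.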
