Certificate Authority Service provides reusable and parameterized templates that you can use for common certificate issuance scenarios. A certificate template represents a relatively static, well-defined certificate issuance schema within an organization. The CertificateTemplate resource includes the following:
- A Common Expression Language (CEL) expression that is evaluated against the requested subject and SANs in all certificate requests that use the template. For more information about using CEL, see Using CEL.
- An allowlist specifying whether the subject and/or subject alternative name can be copied from the end-user request to the issued certificate.
- An optional allowlist specifying which X.509 extensions, if any, can be copied from the end-user request to the issued certificate.
- An optional set of X.509 extension values that are added to all the issued certificates that use the template.
Taken together, these settings let a certificate template act as a complete issuance policy for one class of certificate. For more details, see the full CertificateTemplate message definition.
Predefined values in a certificate template
The predefined values in a certificate template are added to all the certificates that use the certificate template. They allow creating common certificate issuance scenarios, such as mTLS or code signing. The values include the following:
- Key usages: Specifies the base key usage for a certificate, according to RFC 5280 section 4.2.1.3.
- Extended key usages: Specifies the extended key usage for a certificate, according to RFC 5280 section 4.2.1.12.
- If the certificate is a CA: Specifies whether the certificate can issue additional certificates (a CA certificate) or is an end-entity certificate.
- Max issuer path length: For a CA certificate, specifies the maximum number of subordinate CA certificates that can follow it in a certification path. If the max issuer path length is set to 0, the CA can issue only end-entity certificates. If it's set to 1, the chain beneath this CA certificate can include only one subordinate CA. If no value is declared, the number of subordinate CAs beneath this CA is unbounded.
- AIA OCSP servers: Refers to the OCSP servers listed in a certificate's Authority Information Access (AIA) extension, as described in RFC 5280 section 4.2.2.1.
- Additional X.509 extensions: Describes custom X.509 extensions, identified by OID, that are added to every issued certificate.
The following code sample shows all the predefined fields in a certificate template:

```yaml
keyUsage:
  baseKeyUsage:
    digitalSignature: true
    keyEncipherment: true
    contentCommitment: false
    dataEncipherment: false
    keyAgreement: false
    certSign: false
    crlSign: false
    encipherOnly: false
    decipherOnly: false
  extendedKeyUsage:
    serverAuth: true
    clientAuth: false
    codeSigning: false
    emailProtection: false
    timeStamping: false
    ocspSigning: false
caOptions:
  isCa: true
  maxIssuerPathLength: 1
policyIds:
  - objectIdPath:
      - 1
      - 2
      - 3
additionalExtensions:
  - objectId:
      objectIdPath:
        - 1
        - 2
        - 3
    critical: false
    value: "base64 encoded extension value"
```
Values not specified in the YAML are either omitted or defaulted to false.
The following fields are omitted if a value isn't specified:
- maxIssuerPathLength field in caOptions (an omitted value means the path length is unbounded)
The following fields default to false if a value isn't specified:
- isCa field in caOptions
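The following is an added example, not code from the Certificate Authority Service documentation or from the google-cloud client libraries. It models, in plain Python with no dependencies, the predefined values described above: it applies the defaulting rules (unset key usage flags and isCa become false, an unset maxIssuerPathLength stays omitted and means unbounded), DER-encodes the resulting RFC 5280 KeyUsage bit string so you can compare it with what `openssl asn1parse` shows in an issued certificate, runs a few consistency checks a reviewer would apply to a template, and checks a CA chain against each CA's maxIssuerPathLength using the 0 / 1 / unbounded semantics from the list above. The template dict is a constructed copy of the page's YAML sample; the function names and warning texts are this example's own.

```python
"""Added example, not code from the CA Service docs or the google-cloud
libraries. It models the defaulting rules and the caOptions semantics the
page describes, using plain dicts shaped like the template YAML above."""

# Bit order follows the RFC 5280 section 4.2.1.3 KeyUsage definition.
BASE_KEY_USAGE_BITS = [
    "digitalSignature", "contentCommitment", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "certSign", "crlSign",
    "encipherOnly", "decipherOnly",
]
EXTENDED_KEY_USAGES = [
    "serverAuth", "clientAuth", "codeSigning",
    "emailProtection", "timeStamping", "ocspSigning",
]

# Constructed input: the page's sample template as a dict, with only the
# true flags written out so the defaulting rules have something to do.
SAMPLE_TEMPLATE = {
    "keyUsage": {
        "baseKeyUsage": {"digitalSignature": True, "keyEncipherment": True},
        "extendedKeyUsage": {"serverAuth": True},
    },
    "caOptions": {"isCa": True, "maxIssuerPathLength": 1},
    "policyIds": [{"objectIdPath": [1, 2, 3]}],
}


def resolve_predefined_values(template):
    """Apply the defaulting rules: unset key usage flags and isCa become
    false; maxIssuerPathLength stays omitted (None), which means unbounded."""
    ku = template.get("keyUsage", {})
    base, ext = ku.get("baseKeyUsage", {}), ku.get("extendedKeyUsage", {})
    ca = template.get("caOptions", {})
    return {
        "baseKeyUsage": {b: bool(base.get(b, False)) for b in BASE_KEY_USAGE_BITS},
        "extendedKeyUsage": {e: bool(ext.get(e, False)) for e in EXTENDED_KEY_USAGES},
        "isCa": bool(ca.get("isCa", False)),
        "maxIssuerPathLength": ca.get("maxIssuerPathLength"),
        "policyIds": template.get("policyIds", []),
        "additionalExtensions": template.get("additionalExtensions", []),
    }


def key_usage_der(base_key_usage):
    """DER-encode the resolved base key usage as the KeyUsage BIT STRING
    (bit 0 = digitalSignature ... bit 8 = decipherOnly). DER drops trailing
    zero bits of a named bit list, so the length depends on the highest set bit."""
    set_bits = [i for i, name in enumerate(BASE_KEY_USAGE_BITS) if base_key_usage[name]]
    if not set_bits:
        return bytes([0x03, 0x01, 0x00])
    nbits = max(set_bits) + 1
    nbytes = (nbits + 7) // 8
    unused = nbytes * 8 - nbits
    value = 0
    for i in set_bits:
        value |= 1 << (nbytes * 8 - 1 - i)
    body = bytes([unused]) + value.to_bytes(nbytes, "big")
    return bytes([0x03, len(body)]) + body


def template_warnings(resolved):
    """Consistency checks worth running before a template is published."""
    warnings = []
    base = resolved["baseKeyUsage"]
    if base["certSign"] and not resolved["isCa"]:
        warnings.append("certSign set but isCa is false (RFC 5280 requires cA for keyCertSign)")
    if resolved["isCa"] and not base["certSign"]:
        warnings.append("isCa set but certSign is false: the CA's key usage does not allow signing certificates")
    if resolved["maxIssuerPathLength"] is not None and not resolved["isCa"]:
        warnings.append("maxIssuerPathLength has no effect on an end-entity certificate")
    return warnings


def chain_respects_path_length(ca_chain):
    """ca_chain lists resolved CA values from the root down. A CA whose
    maxIssuerPathLength is N may have at most N CA certificates beneath it;
    None means unbounded; 0 means it issues end-entity certificates only."""
    for i, ca in enumerate(ca_chain):
        if not ca["isCa"]:
            return False
        limit = ca["maxIssuerPathLength"]
        beneath = len(ca_chain) - i - 1
        if limit is not None and beneath > limit:
            return False
    return True


if __name__ == "__main__":
    resolved = resolve_predefined_values(SAMPLE_TEMPLATE)
    print("KeyUsage DER:", key_usage_der(resolved["baseKeyUsage"]).hex())
    for w in template_warnings(resolved):
        print("warning:", w)
```

Run against the page's own sample, the checks flag one thing: the template sets isCa to true but leaves certSign false, and RFC 5280 section 4.2.1.3 expects keyCertSign to be asserted in a CA certificate that carries a KeyUsage extension, so a template meant to issue subordinate CAs should set certSign (and normally crlSign) as well. The DER helper reproduces the familiar encodings, `03 02 05 a0` for digitalSignature plus keyEncipherment and `03 02 01 06` for certSign plus crlSign, which is a quick way to confirm that a certificate issued from a template carries exactly the predefined key usage.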
- Learn how to create certificate templates.
- Learn about Common Expression Language.
- Learn how to use Common Expression Language.
- Learn about certificate profiles.