Certificate templates
Certificate Authority Service provides reusable and parameterized templates that you can use for common certificate issuance scenarios. A certificate template represents a relatively static and well-defined certificate issuance schema within an organization. The CertificateTemplate resource includes the following.
- A Common Expression Language (CEL) expression that is evaluated against the requested subject and subject alternative names (SANs) of every certificate request that uses the template. A request that fails the expression is rejected. For more information about using CEL, see Using CEL.
- An allowlist specifying whether the subject and/or the subject alternative names can be copied from the end-user request to the issued certificate. Anything not allowed is dropped from the issued certificate.
- An optional allowlist specifying which X.509 extensions, if any, can be copied from the end-user request to the issued certificate.
- An optional set of X.509 extension values (predefined values) that are added to all the issued certificates that use the template.
Together, these settings let a template act as a complete, self-contained issuance policy for one class of certificate. For more details, see the full CertificateTemplate message definition.
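The following is an added example, not code from the Certificate Authority Service page or product: a small Python model of how the three parts of a template act on one request, in the order the list above describes. The identity constraint is a Python predicate standing in for the CEL expression, the extension OIDs are the standard X.509 ones plus the page's 1.2.x placeholder, the extension values are descriptive strings rather than DER, and the rule that a template's predefined value overrides a conflicting requested value is an assumption of this model.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Constructed model of a template acting on a request. The class and field names
# mirror the CertificateTemplate resource for readability; this is not the CAS
# API or its implementation.


@dataclass
class CertificateRequest:
    subject: Dict[str, str]      # e.g. {"CN": "api.example.com", "O": "Example Org"}
    dns_sans: List[str]          # requested DNS subject alternative names
    extensions: Dict[str, str]   # OID -> requested value (descriptive strings in this model)


@dataclass
class CertificateTemplate:
    # Python predicate standing in for the CEL expression evaluated on the
    # requested subject and SANs.
    identity_constraint: Callable[[Dict[str, str], List[str]], bool]
    allow_subject_passthrough: bool
    allow_subject_alt_names_passthrough: bool
    passthrough_extension_oids: Set[str]   # extensions that may be copied from the request
    predefined_extensions: Dict[str, str]  # OID -> value stamped on every certificate


@dataclass
class IssuedCertificate:
    subject: Dict[str, str]
    dns_sans: List[str]
    extensions: Dict[str, str]


def apply_template(template: CertificateTemplate, request: CertificateRequest) -> IssuedCertificate:
    """Apply a template to a request; raises ValueError when the request is rejected."""
    # 1. The identity constraint gates the request as a whole. It is evaluated on
    #    what was requested, before any passthrough filtering happens.
    if not template.identity_constraint(request.subject, request.dns_sans):
        raise ValueError("subject or SANs violate the template's identity constraint")

    # 2. Subject and SANs reach the issued certificate only if the allowlist permits it.
    subject = dict(request.subject) if template.allow_subject_passthrough else {}
    dns_sans = list(request.dns_sans) if template.allow_subject_alt_names_passthrough else []

    # 3. Only allowlisted extensions are copied from the request; the rest are dropped.
    extensions = {oid: value for oid, value in request.extensions.items()
                  if oid in template.passthrough_extension_oids}

    # 4. Predefined values are added to every certificate. Assumption of this model:
    #    a predefined value wins over a conflicting value the requester asked for.
    extensions.update(template.predefined_extensions)
    return IssuedCertificate(subject, dns_sans, extensions)


def is_accepted(template: CertificateTemplate, request: CertificateRequest) -> bool:
    """True if the template would issue for this request, False if it rejects it."""
    try:
        apply_template(template, request)
        return True
    except ValueError:
        return False


def example_org_server_identity(subject: Dict[str, str], dns_sans: List[str]) -> bool:
    """Stand-in for a CEL expression: O must be "Example Org", at least one SAN must
    be present, and every SAN must be a name under example.com. The leading dot in
    the suffix keeps look-alikes such as "api.notexample.com" out."""
    return (subject.get("O") == "Example Org"
            and len(dns_sans) > 0
            and all(san.endswith(".example.com") for san in dns_sans))


# Constructed mTLS server template: 2.5.29.15 is keyUsage, 2.5.29.37 is
# extendedKeyUsage, 2.5.29.19 is basicConstraints; 1.2.3 is the page's placeholder OID.
MTLS_SERVER_TEMPLATE = CertificateTemplate(
    identity_constraint=example_org_server_identity,
    allow_subject_passthrough=True,
    allow_subject_alt_names_passthrough=True,
    passthrough_extension_oids={"1.2.3"},
    predefined_extensions={
        "2.5.29.15": "digitalSignature,keyEncipherment",
        "2.5.29.37": "serverAuth",
        "2.5.29.19": "CA:FALSE",
    },
)


def demo() -> IssuedCertificate:
    """Constructed request: asks for codeSigning and two custom extensions; only the
    allowlisted 1.2.3 survives, and the EKU is replaced by the template's serverAuth."""
    request = CertificateRequest(
        subject={"CN": "api.example.com", "O": "Example Org"},
        dns_sans=["api.example.com"],
        extensions={"2.5.29.37": "codeSigning", "1.2.3": "custom", "1.2.4": "not-allowed"},
    )
    return apply_template(MTLS_SERVER_TEMPLATE, request)


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is the ordering: the identity check runs on the requested subject and SANs, the allowlists decide what of the request survives, and the predefined values are applied last, so a requester cannot talk a template into a different key usage or EKU by asking for one.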
Predefined values in a certificate template
The predefined values in a certificate template are added to all the certificates that use the certificate template. They allow creating common certificate issuance scenarios, such as mTLS or code signing. The values include the following:
- Key usages: Specifies the base key usage for a certificate according to RFC 5280 section 4.2.1.3.
- Extended key usages: Specifies the extended key usage for a certificate according to RFC 5280 section 4.2.1.12.
- If the certificate is a CA: Specifies whether the certificate can issue additional certificates or whether it's an end-entity certificate.
- Max issuer path length: In the case of a CA, it specifies the maximum number of subordinate CAs that can appear beneath this CA certificate in a chain (the pathLenConstraint of RFC 5280 section 4.2.1.9). If the max issuer path length is set to 0, then the CA can only issue end-entity certificates. If it's set to 1, then the chain beneath this CA certificate can include only one subordinate CA. If a value isn't declared, then the number of subordinate CAs in the chain beneath this CA is unbounded, subject to any tighter limit set by a CA above it.
- AIA OCSP servers: Refers to the OCSP servers in a certificate's Authority Information Access (AIA) extension, as described in RFC 5280 section 4.2.2.1.
- Additional X.509 extensions: Describes custom X.509 extensions.
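Added example, not from the page: a Python check of what the max issuer path length value means once certificates are chained, following the path length rules of RFC 5280 section 6.1.4 (the cA check, the decrement for each subordinate CA, and the tightening when a subordinate declares a smaller limit). The chains are constructed for the example; the field names mirror the caOptions block of a template.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CaOptions:
    """Mirror of a template's caOptions predefined values (constructed model)."""
    is_ca: bool = False
    max_issuer_path_length: Optional[int] = None   # None means no limit declared


@dataclass(frozen=True)
class Cert:
    name: str
    ca_options: CaOptions


def validate_path_lengths(chain: List[Cert]) -> Optional[int]:
    """chain[0] is the trust anchor, chain[-1] the end-entity certificate.

    Returns the number of further subordinate CAs the last issuer could still
    have beneath it (None if unbounded), or raises ValueError if any issuer in
    the chain is not a CA or sits deeper than an ancestor's limit allows."""
    if len(chain) < 2:
        raise ValueError("a chain needs at least an issuer and an end-entity certificate")

    budget: Optional[int] = None   # remaining subordinate CAs allowed below the current issuer
    for depth, issuer in enumerate(chain[:-1]):
        if not issuer.ca_options.is_ca:
            raise ValueError(f"{issuer.name} is not a CA but issued a certificate")

        # Every subordinate CA (depth >= 1) consumes one hop of the budget set above it.
        if depth > 0 and budget is not None:
            if budget == 0:
                raise ValueError(f"{issuer.name} exceeds the path length limit of an ancestor CA")
            budget -= 1

        # A CA may only tighten the limit, never loosen what an ancestor declared.
        own = issuer.ca_options.max_issuer_path_length
        if own is not None and (budget is None or own < budget):
            budget = own
    return budget


def is_valid_path(chain: List[Cert]) -> bool:
    try:
        validate_path_lengths(chain)
        return True
    except ValueError:
        return False


# Constructed chains illustrating the three cases the text describes.
ROOT_LEN1 = Cert("root", CaOptions(is_ca=True, max_issuer_path_length=1))
ROOT_LEN0 = Cert("root", CaOptions(is_ca=True, max_issuer_path_length=0))
ROOT_UNBOUNDED = Cert("root", CaOptions(is_ca=True))
SUB_A = Cert("sub-a", CaOptions(is_ca=True))
SUB_B = Cert("sub-b", CaOptions(is_ca=True))
SUB_LEN0 = Cert("sub-len0", CaOptions(is_ca=True, max_issuer_path_length=0))
LEAF = Cert("leaf", CaOptions(is_ca=False))

if __name__ == "__main__":
    print(validate_path_lengths([ROOT_LEN1, SUB_A, LEAF]))        # 0
    print(is_valid_path([ROOT_LEN1, SUB_A, SUB_B, LEAF]))          # False
```

A template with isCa: true and maxIssuerPathLength: 1, like the sample below, therefore lets its certificates sign one further layer of subordinate CAs and nothing deeper, provided validators enforce the constraint; the limit only means something if the issuing CA's own chain does not already forbid that depth.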
The following sample shows the predefined value fields in a certificate template (the AIA OCSP servers list, which holds URLs, is not shown). Note that the sample sets isCa: true while leaving certSign and crlSign false; a template for a real subordinate CA would also set those key usage bits, since CA certificates are expected to carry keyCertSign under RFC 5280 section 4.2.1.3.
```yaml
keyUsage:
  baseKeyUsage:
    digitalSignature: true
    keyEncipherment: true
    contentCommitment: false
    dataEncipherment: false
    keyAgreement: false
    certSign: false
    crlSign: false
    encipherOnly: false
    decipherOnly: false
  extendedKeyUsage:
    serverAuth: true
    clientAuth: false
    codeSigning: false
    emailProtection: false
    timeStamping: false
    ocspSigning: false
caOptions:
  isCa: true
  maxIssuerPathLength: 1
policyIds:
  - objectIdPath:
      - 1
      - 2
      - 3
additionalExtensions:
  - objectId:
      objectIdPath:
        - 1
        - 2
        - 3
    critical: false
    value: "base64 encoded extension value"
```
Values not specified in the YAML are either omitted or default to false.
The following are omitted if a value isn't specified:
- keyUsage
- policyIds
- additionalExtensions
- the maxIssuerPathLength field in the caOptions extension
The following default to false if a value isn't specified:
- the isCa field in the caOptions extension
What's next
- Learn how to create certificate templates.
- Learn about Common Expression Language.
- Learn how to use Common Expression Language.
- Learn about certificate profiles.