Overview of certificate templates and issuance policies

This page provides an overview of implementing policy controls in Certificate Authority Service using certificate templates, issuance policies, and certificate name constraints.

Policy controls enable you to control the type of certificates that your certificate authority (CA) pool can issue. Policy controls are of two types: coarse-grained and fine-grained. Coarse-grained policies apply CA pool-specific constraints. Fine-grained policies determine the operations a particular user can perform on a CA pool.

Certificate templates

You can use a certificate template when you have a well-defined certificate issuance scenario. You can use certificate templates to enable consistency across certificates issued from different CA pools. You can also use a certificate template to restrict the kinds of certificates that different individuals can issue.

For information about certificate templates, see Create a certificate template.

Certificate issuance policies

A CA Manager can attach a certificate issuance policy to a CA pool to define restrictions on the kind of certificates that the CAs in the CA pool can issue. An issuance policy can define restrictions on certificate identities, certificate lifetimes, key types, certificate request modes, and X.509 extensions. The issuance policy can also contain a set of X.509 extensions that are applied to all incoming certificate requests.

Issuance policies let you apply certain restrictions on the entire CA pool. For example, you can use an issuance policy to enforce the following conditions:

  • All issued certificates have O=My organization in their subject.
  • All DNS names end with .my-org-domain.com.
  • The CA pool can only issue Server TLS certificates.

If one or both of the following cases apply, we recommend using a certificate issuance policy:

  1. Your CA pool is intended to issue certificates according to a single, well-defined profile.
  2. You want to define a common baseline for X.509 extensions and additional restrictions that apply to all the certificate issuance profiles.

For more information about issuance policies, see Add a certificate issuance policy to a CA pool.

CA certificate name constraints

Certificate Authority Service enforces name constraints in CA certificates as defined in the name constraints section of RFC 5280. Name constraints let you control which names are permitted or excluded in certificates issued from a CA.

For example, you can create a CA with name constraints to enforce the following conditions:

  • Only my-org-domain.com and its subdomains can be used as DNS names.
  • untrusted-domain.com and its subdomains are prohibited as DNS names.

Name constraints are part of the CA certificate. They can only be specified during CA creation and can't be updated later.

Policy conflicts

When you use different policy control mechanisms together, policies at different levels can conflict. This section describes how policy controls are enforced and provides guidance on avoiding policy conflicts.

Policy enforcement

When a certificate is requested, policy controls are evaluated in several layers.

IAM conditional bindings for request attributes are evaluated first to ensure the caller has the required permissions for creating certificates or using certificate templates.

During certificate creation, the CA pool's issuance policy and the certificate template's issuance policy are validated against the normalized certificate request. X.509 extensions from the CA pool's certificate issuance policy and from the certificate template are added to the certificate, and certain values can be dropped based on those same policies.

Before signing the certificate, name constraints in CA certificates are validated against the certificate to ensure the subject is compliant.

Issuance policy conflicts

The following is a non-exhaustive list of cases in which the issuance policy of a certificate template conflicts with the issuance policy of a CA pool.

  • A certificate template contains predefined values that are prohibited by the CA pool.
  • A certificate template contains different X.509 values than the CA pool baseline values.

In all these cases, the API returns an invalid argument error.

CEL conflicts

CEL lets you write a wide range of expressions, so the CEL expressions on the CA pool's issuance policy and on the certificate template can conflict. Such conflicts prevent any certificate from being issued from the CA pool. For example, consider a CA pool whose CEL expression requires the common name of a certificate to end in .example.com, used with a certificate template whose CEL expression requires the common name to end in .example.net. Because the two CEL expressions place incompatible restrictions on the same field, every certificate issuance request fails.

If you are using both certificate issuance policies and certificate templates, we recommend that you ensure that their CEL expressions don't conflict.
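The following added example (not code from Certificate Authority Service or its documentation) models the enforcement order described under Policy enforcement, IAM check first, then the CA pool and template issuance policies, then the CA certificate's name constraints, and shows why the conflicting .example.com / .example.net CEL rules reject every request. The policy and request fields, the suffix rules standing in for CEL identity constraints, and all domain names are constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Request:                      # normalized certificate request (constructed)
    common_name: str
    organization: str
    dns_names: list
    server_tls: bool = True

@dataclass
class IssuancePolicy:               # restrictions at CA pool or template level
    org: str = ""                   # required subject O ("" = unconstrained)
    cn_suffix: str = ""             # stands in for a CEL rule on the common name
    dns_suffix: str = ""            # stands in for a CEL rule on DNS SANs
    server_tls_only: bool = False

    def violation(self, r):
        """Return the first violated restriction, or "" when the request complies."""
        if self.org and r.organization != self.org:
            return f"subject O must be {self.org}"
        if self.cn_suffix and not r.common_name.endswith(self.cn_suffix):
            return f"common name must end with {self.cn_suffix}"
        if self.dns_suffix and not all(d.endswith(self.dns_suffix) for d in r.dns_names):
            return f"DNS names must end with {self.dns_suffix}"
        if self.server_tls_only and not r.server_tls:
            return "only server TLS certificates are allowed"
        return ""

def in_subtree(name, base):         # RFC 5280 dNSName subtree match: base or a subdomain
    return name == base or name.endswith("." + base)

def name_constraint_violation(r, permitted, excluded):
    for d in r.dns_names:           # excluded subtrees win over permitted ones
        if any(in_subtree(d, x) for x in excluded):
            return f"{d} is in an excluded subtree"
        if permitted and not any(in_subtree(d, p) for p in permitted):
            return f"{d} is outside the permitted subtrees"
    return ""

def issue(r, caller_ok, pool, template, permitted=(), excluded=()):
    """Apply the layers in order; return (issued, reason)."""
    if not caller_ok:                                   # 1. IAM conditional bindings
        return False, "permission denied"
    for layer, pol in (("CA pool", pool), ("template", template)):  # 2. issuance policies
        v = pol.violation(r)
        if v:
            return False, f"{layer} policy: {v}"
    v = name_constraint_violation(r, permitted, excluded)  # 3. name constraints, before signing
    if v:
        return False, f"name constraints: {v}"
    return True, "issued"
```

With a pool policy requiring cn_suffix ".example.com" and a template requiring ".example.net", issue() rejects every request, because no common name satisfies both; the only fix is to remove one of the two restrictions.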

What's next