Skip to main content

Certificate templates

Certificate templates simplify certificate generation by preconfiguring allowable certificate fields and values. You can limit certificate types, signature algorithms, set default a algorithm, specify which certificate fields are optional or mandatory, specify how long certificates can remain valid, and more. Certificate templates are mandatory to create certificate profiles.

If you host the DigiCert ONE® platform in-house:

  • System users can create, edit and view certificate templates.

  • Account users can only view certificate templates.

If you use DigiCert ONE hosted by DigiCert:

  • You can view certificate templates.

  • You cannot create or edit certificate templates.

Create certificate template

Nota

Certificate templates are mandatory and are generally created and updated by Technical support. However, if DigiCert ONE is hosted in-house, the certificate template can be created by a system scope admin with the Manage certificate template permission.

To create a certificate template:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Certificates > Certificate templates.

  4. Select Create certificate template.

Complete these fields:

tabla 1. Certificate template requirements

Field

Description

Template name

Name to uniquely identify this certificate template.

Template body

Set parameters for certificates.

Nota

You can limit certificate types, signature algorithms, set default a algorithm, specify which certificate fields are optional or mandatory, specify how long certificates can remain valid, and more. To see an example including all available options see Template body example.

Template category

Select Production or Test.

Template scope

Enable System to apply this template for all accounts.

Enable Limited to apply this template to specific accounts.


Certificate template body example

The sample below contains all possible fields and values for a certificate template.

  1. Copy and paste the sample below into the Template body field.

  2. Remove any values or fields that do not meet your requirements.

  3. For test certificate templates ensure that the validity unit is set to "days".

Sample

{  
"issue_types": [  
"code_signing"  
],  
"cert_type": "end_entity",  
"signature_algorithm": {  
"allowed_algorithms": [  
"sha1WithRSA",  
"sha256WithRSA",  
"sha384WithRSA",  
"sha512WithRSA",  
"sha256WithECDSA",  
"sha384WithECDSA",  
"sha512WithECDSA",  
"match_issuer"  
],  
"default_algorithm": "match_issuer"  
},  
"subject": {  
"attributes": [  
{  
"type": "common_name",  
"include": "optional",  
"allowed_source": [  
"csr"  
]  
},  
{  
"type": "organization_name",  
"include": "optional",  
"allowed_source": [  
"csr"  
]  
},  
{  
"type": "organization_unit",  
"include": "optional",  
"allowed_source": [  
"fixed_value"  
]  
},  
{  
"type": "street_address",  
"include": "optional",  
"allowed_source": [  
"csr"  
]  
},  
{  
"type": "postal_code",  
"include": "optional",  
"allowed_source": [  
"csr"  
]  
},  
{  
"type": "locality",  
"include": "optional",  
"allowed_source": [  
"csr"  
]  
},  
{  
"type": "state",  
"include": "optional",  
"allowed_source": [  
"csr"  
]  
},  
{  
"type": "country",  
"allowed_source": [  
"csr"  
]  
}  
]  
},  
"extensions": {  
"key_usage": {  
"critical": true,  
"allow_critical_override": false,  
"required_usages": {  
"rsa": [  
"digital_signature",  
"non_repudiation",  
"key_encipherment"  
],  
"ecdsa": [  
"digital_signature",  
"non_repudiation"  
]  
}  
},  
"extended_key_usage": {  
"critical": true,  
"allow_critical_override": false,  
"required_usages": [  
"code_signing",  
"client_authentication"  
]  
}  
},  
"validity": {  
"min_duration": {  
"value": 1,  
"unit": "years"  
},  
"max_duration": {  
"value": 25,  
"unit": "years"  
},  
"default_duration": {  
"min": {  
"value": 1,  
"unit": "years"  
},  
"max": {  
"value": 25,  
"unit": "years"  
}  
}  
}  
}