Certificate template

Certificate templates standardize the attributes of certificates issued to devices by defining core elements that must be present in each certificate. This consistency ensures that certificates meet technical, security, and regulatory requirements.

Useful certificate template attributes

The table below outlines some of the more useful attributes defined by certificate templates:

Table 1. Useful certificate template attributes

Attribute                                Description
Key types and signature algorithms       Specify the allowed key types, such as RSA or ECC, and the allowed signature algorithms.
Subject Distinguished Name (DN) fields   Define the fields required in the Subject DN, such as common name (CN), organizational unit (OU), or country (C).
Validity period range                    Set the minimum and maximum validity periods for issued certificates.
Certificate extensions                   Define required or optional extensions, such as key usage or extended key usage (EKU).


Certificate templates and certificate profiles

While a certificate template defines the core structure and constraints for certificates, a certificate profile further customizes these settings based on the requirements of a specific deployment or device group. The template establishes the foundational parameters, while the profile adapts these settings for individual certificate requests, such as subject DN values or extensions.

Example JSON certificate template

The following example shows the JSON structure of a certificate template that restricts issuance to ECDSA client-authentication certificates: only ECDSA keys on the P-256, P-384 or P-521 curves are permitted, the signature algorithm defaults to that of the issuing CA, the key usage extension is critical, and the validity period must fall between 1 day and 10 years.

{
  "key_gen": {
    "enabled": true,
    "key_type": {
      "allowed_types": [
        "ecdsa"
      ],
      "default_key_type": "ecdsa"
    },
    "ecdsa_curve": {
      "allowed_curves": [
        "P-256",
        "P-384",
        "P-521"
      ],
      "default_curve": "P-256"
    }
  },
  "issue_types": [
    "client_authentication"
  ],
  "signature_algorithm": {
    "allowed_algorithms": [
      "sha256WithECDSA",
      "sha384WithECDSA",
      "sha512WithECDSA",
      "match_issuer"
    ],
    "default_algorithm": "match_issuer"
  },
  "subject": {
    "attributes": [
      {
        "type": "common_name",
        "include": "optional",
        "encoding": "auto",
        "allowed_source": [
          "csr",
          "fixed_value",
          "user_supplied"
        ]
      }
    ]
  },
  "extensions": {
    "key_usage": {
      "critical": true,
      "required_usages": {
        "rsa": [
          "digital_signature",
          "key_encipherment"
        ],
        "ecdsa": [
          "digital_signature"
        ]
      },
      "optional_usages": {
        "rsa": [
          "data_encipherment"
        ],
        "ecdsa": [
          "key_agreement"
        ]
      }
    },
    "extended_key_usage": {
      "critical": true,
      "include": "optional",
      "required_usages": [
        {
          "oid": "client_authentication",
          "name": "Client Authentication"
        }
      ]
    }
  },
  "serial_number_size": 20,
  "validity": {
    "min_duration": {
      "value": 1,
      "unit": "DAYS"
    },
    "max_duration": {
      "value": 10,
      "unit": "YEARS"
    },
    "default_duration": {
      "value": 10,
      "unit": "YEARS"
    }
  }
}
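To make the constraints concrete, the following added example (not the product's own code) checks a certificate request against the template above. The template is condensed to the sections the checks use, the request dictionaries and the `check_request` and `resolve_signature_algorithm` helpers are constructed for this illustration, and the conversion of duration units to days is an assumption, since the page shows only DAYS and YEARS.

```python
# Added example: enforce a JSON certificate template against a request.
# Not the product's own code; request format and helpers are constructed here.

# Condensed from the template JSON on this page (only the sections used below).
TEMPLATE = {
    "key_gen": {
        "key_type": {"allowed_types": ["ecdsa"], "default_key_type": "ecdsa"},
        "ecdsa_curve": {"allowed_curves": ["P-256", "P-384", "P-521"], "default_curve": "P-256"},
    },
    "signature_algorithm": {
        "allowed_algorithms": ["sha256WithECDSA", "sha384WithECDSA", "sha512WithECDSA", "match_issuer"],
        "default_algorithm": "match_issuer",
    },
    "subject": {"attributes": [
        {"type": "common_name", "include": "optional",
         "allowed_source": ["csr", "fixed_value", "user_supplied"]},
    ]},
    "extensions": {
        "key_usage": {
            "required_usages": {"rsa": ["digital_signature", "key_encipherment"], "ecdsa": ["digital_signature"]},
            "optional_usages": {"rsa": ["data_encipherment"], "ecdsa": ["key_agreement"]},
        },
        "extended_key_usage": {"include": "optional",
                               "required_usages": [{"oid": "client_authentication"}]},
    },
    "validity": {
        "min_duration": {"value": 1, "unit": "DAYS"},
        "max_duration": {"value": 10, "unit": "YEARS"},
        "default_duration": {"value": 10, "unit": "YEARS"},
    },
}

# Assumption: durations are normalised to days; the page only shows DAYS and YEARS.
_DAYS_PER_UNIT = {"DAYS": 1, "MONTHS": 30, "YEARS": 365}


def to_days(duration):
    return duration["value"] * _DAYS_PER_UNIT[duration["unit"]]


def resolve_signature_algorithm(requested, issuer_algorithm, template):
    """Apply the template default, then expand 'match_issuer' to the CA's algorithm.
    Returns None when the requested algorithm is not allowed by the template."""
    sig = template["signature_algorithm"]
    alg = requested or sig["default_algorithm"]
    if alg not in sig["allowed_algorithms"]:
        return None
    return issuer_algorithm if alg == "match_issuer" else alg


def check_request(request, template, issuer_algorithm="sha384WithECDSA"):
    """Return the list of template violations; an empty list means the request is issuable."""
    problems = []
    keygen = template["key_gen"]
    key_type = request.get("key_type", keygen["key_type"]["default_key_type"])
    if key_type not in keygen["key_type"]["allowed_types"]:
        problems.append(f"key type {key_type!r} not allowed")
    if key_type == "ecdsa":
        curve = request.get("curve", keygen["ecdsa_curve"]["default_curve"])
        if curve not in keygen["ecdsa_curve"]["allowed_curves"]:
            problems.append(f"curve {curve!r} not allowed")

    if resolve_signature_algorithm(request.get("signature_algorithm"), issuer_algorithm, template) is None:
        problems.append(f"signature algorithm {request.get('signature_algorithm')!r} not allowed")

    # Subject: required attributes must be present; present ones must come from an allowed source.
    subject = request.get("subject", {})
    for attr in template["subject"]["attributes"]:
        name = attr["type"]
        if attr["include"] == "required" and name not in subject:
            problems.append(f"subject attribute {name} is required")
        elif name in subject and subject[name]["source"] not in attr["allowed_source"]:
            problems.append(f"subject attribute {name} from disallowed source {subject[name]['source']!r}")

    # Key usage: every required usage for the key type must be present, and anything
    # beyond required + optional is rejected (e.g. key_encipherment on an ECDSA key).
    ku = template["extensions"]["key_usage"]
    if key_type in ku["required_usages"]:
        requested_ku = set(request.get("key_usage", []))
        required = set(ku["required_usages"][key_type])
        permitted = required | set(ku["optional_usages"].get(key_type, []))
        for missing in sorted(required - requested_ku):
            problems.append(f"key usage {missing} is required for {key_type}")
        for extra in sorted(requested_ku - permitted):
            problems.append(f"key usage {extra} not permitted for {key_type}")

    # EKU: the extension is optional here, but when included it must carry every required usage.
    eku = template["extensions"]["extended_key_usage"]
    requested_eku = request.get("extended_key_usage")
    if requested_eku is None and eku["include"] == "required":
        problems.append("extended key usage extension is required")
    for usage in eku["required_usages"] if requested_eku is not None else []:
        if usage["oid"] not in requested_eku:
            problems.append(f"extended key usage {usage['oid']} is required")

    # Validity: fall back to the template default, then enforce the min/max range.
    validity = template["validity"]
    days = to_days(request.get("validity", validity["default_duration"]))
    if not to_days(validity["min_duration"]) <= days <= to_days(validity["max_duration"]):
        problems.append(f"validity of {days} days is outside the template range")
    return problems


# Constructed sample requests (not from the page).
GOOD_REQUEST = {
    "key_type": "ecdsa", "curve": "P-256", "signature_algorithm": "match_issuer",
    "subject": {"common_name": {"value": "device-0001", "source": "csr"}},
    "key_usage": ["digital_signature", "key_agreement"],
    "extended_key_usage": ["client_authentication"],
    "validity": {"value": 2, "unit": "YEARS"},
}
BAD_REQUEST = {
    "key_type": "rsa", "signature_algorithm": "sha256WithRSA",
    "subject": {"common_name": {"value": "device-0002", "source": "ldap"}},
    "key_usage": ["digital_signature", "key_encipherment"],
    "extended_key_usage": ["server_authentication"],
    "validity": {"value": 15, "unit": "YEARS"},
}

if __name__ == "__main__":
    print("good request:", check_request(GOOD_REQUEST, TEMPLATE) or "no violations")
    for problem in check_request(BAD_REQUEST, TEMPLATE):
        print("bad request:", problem)
```

Two points the checks make visible: `match_issuer` is only meaningful once the issuing CA is known, so a validator has to resolve it before comparing against the allowed list, and the key usage rules are keyed by key type, so a request that pairs an ECDSA key with `key_encipherment` is rejected even though that usage is valid for RSA keys under the same template. The 10-year default and maximum in this example are generous for client-authentication certificates; a profile for a specific device group would normally tighten them.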