Certificate templates

Certificate templates simplify certificate generation by preconfiguring allowable fields and values.

You can limit certificate types, set default algorithms, define optional or mandatory fields, specify validity periods, and more.

Certificate templates are required to create certificate profiles.

If you host the DigiCert ONE platform in-house:

  • System users can create, edit, and view certificate templates.

  • Account users can only view certificate templates.

If you use DigiCert ONE hosted by DigiCert:

  • You can view certificate templates.

  • You cannot create or edit certificate templates.

Create certificate template

Note

Technical support creates and updates mandatory certificate templates.

If DigiCert ONE is hosted in-house, a system scope admin with the Manage certificate template permission can create them.

To create a certificate template:

  1. In the Software Trust menu, go to Certificates > Certificate templates.

  2. Select Create certificate template.

  3. Complete the following fields:

| Field | Description |
|---|---|
| Template name | Enter a name to uniquely identify this certificate template. |
| Template body | Set the parameters, which include: limiting certificate type; configuring signature algorithms; specifying mandatory or optional certificate fields; specifying how long certificates can remain valid. Note: To review a sample certificate template with all available options, see Certificate template body. |
| Template category | Select Production or Test. |
| Template scope | Select System to apply this template for all accounts. Select Limited to apply this template to specific accounts. |

Certificate template body

The following sample contains all possible fields and values for a certificate template.

  1. Copy and enter the following sample into the Template body field.

  2. Remove any values or fields that don't meet your requirements.

  3. For a test certificate template, ensure that the validity unit is set to days.

Sample certificate template body:

{
  "issue_types": [
    "code_signing"
  ],
  "cert_type": "end_entity",
  "signature_algorithm": {
    "allowed_algorithms": [
      "sha1WithRSA",
      "sha256WithRSA",
      "sha384WithRSA",
      "sha512WithRSA",
      "sha256WithECDSA",
      "sha384WithECDSA",
      "sha512WithECDSA",
      "match_issuer"
    ],
    "default_algorithm": "match_issuer"
  },
  "subject": {
    "attributes": [
      {
        "type": "common_name",
        "include": "yes",
        "allowed_source": [
          "fixed_value"
        ]
      },
      {
        "type": "organization_name",
        "include": "optional",
        "allowed_source": [
          "csr"
        ]
      },
      {
        "type": "organization_unit",
        "include": "optional",
        "allowed_source": [
          "fixed_value"
        ]
      },
      {
        "type": "street_address",
        "include": "optional",
        "allowed_source": [
          "csr"
        ]
      },
      {
        "type": "postal_code",
        "include": "optional",
        "allowed_source": [
          "csr"
        ]
      },
      {
        "type": "locality",
        "include": "optional",
        "allowed_source": [
          "csr"
        ]
      },
      {
        "type": "state",
        "include": "optional",
        "allowed_source": [
          "csr"
        ]
      },
      {
        "type": "country",
        "allowed_source": [
          "csr"
        ]
      }
    ]
  },
  "extensions": {
    "custom_extensions_enabled": false,
    "key_usage": {
      "critical": true,
      "allow_critical_override": false,
      "required_usages": {
        "rsa": [
          "digital_signature",
          "non_repudiation",
          "key_encipherment"
        ],
        "ecdsa": [
          "digital_signature",
          "non_repudiation"
        ]
      }
    },
    "extended_key_usage": {
      "critical": true,
      "allow_critical_override": false,
      "include": "yes",
      "required_usages": [
        "code_signing",
        "client_authentication"
      ]
    }
  },
  "validity": {
    "min_duration": {
      "value": 1,
      "unit": "years"
    },
    "max_duration": {
      "value": 25,
      "unit": "years"
    },
    "default_duration": {
      "min": {
        "value": 1,
        "unit": "years"
      },
      "max": {
        "value": 25,
        "unit": "years"
      }
    }
  }
}

Your certificate's CN can be sourced from two locations:

  • Certificate signing request (CSR): The CN is extracted from the Organization Name provided in the CSR submitted during certificate issuance.

  • Fixed value: You can provide a customized CN in the certificate profile.

Template structure for Common Name

The Common Name field is mandatory in all certificate templates. The template validator enforces this requirement:

{
  "subject": {
    "attributes": [
      {
        "type": "common_name",
        "include": "optional",
        "allowed_source": ["csr", "fixed_value"]
      }
    ]
  }
}

Field descriptions

| Field | Description | Values |
|---|---|---|
| type | Subject attribute type | Must be common_name |
| include | Whether the field is mandatory or optional | yes (required) or optional |
| allowed_source | Where the CN value can originate from | csr and/or fixed_value |

Allowed source options

To define the sources your CN can be pulled from, match the samples below:

  • CSR only

    {
      "type": "common_name",
      "include": "optional",
      "allowed_source": ["csr"]
    }

    • CN is taken from the CSR.

    • The CN value must be present in the CSR's subject field.

    • The value from CSR is used as-is without modification.

  • Fixed value only

    {
      "type": "common_name",
      "include": "optional",
      "allowed_source": ["fixed_value"]
    }

    • CN is predefined in the certificate profile.

    • The CN value is configured in the certificate profile.

    • This value overrides any CN present in the CSR.

  • CSR or fixed value

    {
      "type": "common_name",
      "include": "optional",
      "allowed_source": ["csr", "fixed_value"]
    }

    • Both sources are allowed.

    • If a CN is configured in the certificate profile, it takes precedence.

    • If no CN is set in the certificate profile, the CN from CSR is used.
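The three allowed_source modes above decide whether the requester (through the CSR) or the administrator (through the certificate profile) controls the issued CN. The following model of that precedence is an added example, not DigiCert code; resolve_cn, decision_table and their parameter names are hypothetical, and the handling of a request with no usable CN is an assumption marked in the comments.

```python
def resolve_cn(cn_attribute, csr_cn=None, profile_cn=None):
    """Pick the CN for one request under a template's common_name attribute.

    csr_cn is the CN in the CSR subject, profile_cn the CN configured in the
    certificate profile (both parameter names are assumptions of this example).
    Returns (cn, source); source is "csr", "fixed_value" or None.
    """
    sources = set(cn_attribute["allowed_source"])
    unknown = sources - {"csr", "fixed_value"}
    if not sources or unknown:
        raise ValueError(f"invalid allowed_source: {sorted(sources)}")
    # A profile CN counts only if the template allows fixed_value; it then
    # takes precedence over (or overrides) any CN present in the CSR.
    if "fixed_value" in sources and profile_cn:
        return profile_cn, "fixed_value"
    # The CSR CN counts only if the template allows csr; it is used as-is.
    if "csr" in sources and csr_cn:
        return csr_cn, "csr"
    # CSR-only requires a CN in the CSR subject; "yes" makes the CN required.
    if sources == {"csr"} or cn_attribute.get("include") == "yes":
        raise ValueError("no CN available from an allowed source")
    return None, None  # assumption: an optional CN with no value is left unset


# Constructed inputs: the three allowed_source samples from this page.
MODES = {
    "csr_only": {"type": "common_name", "include": "optional",
                 "allowed_source": ["csr"]},
    "fixed_only": {"type": "common_name", "include": "optional",
                   "allowed_source": ["fixed_value"]},
    "csr_or_fixed": {"type": "common_name", "include": "optional",
                     "allowed_source": ["csr", "fixed_value"]},
}


def decision_table(csr_cn="Requester CN", profile_cn="Profile CN"):
    """Map each mode to the (cn, source) chosen with and without a profile CN."""
    return {name: (resolve_cn(attr, csr_cn, profile_cn),
                   resolve_cn(attr, csr_cn, None))
            for name, attr in MODES.items()}
```

With "fixed_value" as the only allowed source, nothing the requester places in the CSR reaches the issued CN; with "csr" allowed and no profile CN set, the requester's value is used unchanged.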

Custom extensions

By default, the custom extensions feature is disabled in certificate templates.

To enable custom extensions, ensure that the certificate template body shows custom_extensions_enabled as true.

{
  "extensions": {
    "custom_extensions_enabled": true
  }
}
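A check to run on a template body before entering it in the Template body field, as an added example (not DigiCert code). It applies rules stated on this page (a common_name attribute with valid include and allowed_source values, days as the validity unit for Test templates, custom extensions off by default) and adds two reviewer checks that are assumptions of this example: default_algorithm must be listed in allowed_algorithms, and sha1WithRSA is flagged. lint_template and its category parameter are hypothetical names, and SAMPLE is constructed.

```python
CN_INCLUDE = {"yes", "optional"}      # values from the field descriptions table
CN_SOURCES = {"csr", "fixed_value"}

def validity_units(node):
    """Yield every "unit" value nested under the validity object."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "unit":
                yield value
            else:
                yield from validity_units(value)

def lint_template(body, category="Production"):
    """Return a list of findings for a template body (dict); empty means clean."""
    findings = []
    attrs = body.get("subject", {}).get("attributes", [])
    cn = next((a for a in attrs if a.get("type") == "common_name"), None)
    if cn is None:
        findings.append("subject has no common_name attribute")
    else:
        if cn.get("include") not in CN_INCLUDE:
            findings.append("common_name include must be yes or optional")
        sources = set(cn.get("allowed_source", []))
        if not sources or not sources <= CN_SOURCES:
            findings.append("common_name allowed_source must be csr and/or fixed_value")
    sig = body.get("signature_algorithm", {})
    allowed = sig.get("allowed_algorithms", [])
    default = sig.get("default_algorithm")
    if default is not None and default not in allowed:
        findings.append("default_algorithm is not in allowed_algorithms")
    if "sha1WithRSA" in allowed:  # reviewer policy, an assumption of this example
        findings.append("sha1WithRSA is allowed; drop it unless a legacy consumer needs it")
    if category == "Test":  # the Test/Production category is set outside the body
        bad = sorted(set(validity_units(body.get("validity", {}))) - {"days"})
        if bad:
            findings.append("test template validity unit must be days, found: " + ", ".join(bad))
    if body.get("extensions", {}).get("custom_extensions_enabled") is True:
        findings.append("custom extensions are enabled (off by default)")
    return findings

# Constructed sample: a trimmed copy of the sample body on this page.
SAMPLE = {
    "signature_algorithm": {"allowed_algorithms": ["sha1WithRSA", "sha256WithRSA", "match_issuer"],
                            "default_algorithm": "match_issuer"},
    "subject": {"attributes": [
        {"type": "common_name", "include": "yes", "allowed_source": ["fixed_value"]}]},
    "extensions": {"custom_extensions_enabled": False},
    "validity": {"max_duration": {"value": 25, "unit": "years"}},
}
```

Calling lint_template(SAMPLE) reports only the SHA-1 finding; passing category="Test" adds the validity unit finding, because the sample uses years.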