Templates for end-entity certificates
See "Create a certificate template" for step-by-step instructions on creating templates.
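The following example lists most of the common parameters used in an end-entity certificate template. The values shown are illustrative rather than recommended settings, so customize them as needed for your organization. In particular, review the permissive values before reusing the example: `min_bits` of 1024 admits RSA keys below the 2048-bit minimum that current guidance expects, the 10-year `default_duration` and `max_duration` are long for an end-entity certificate, and every subject attribute accepts `csr` and `user_supplied` values, which leaves the certificate's identity fields under the requester's control unless they are validated elsewhere. The example also sets the SAN `dns_name` to `"include": "no"`; certificates issued for server authentication generally need a DNS name in the SAN, because many TLS clients no longer match host names against the common name.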
Example JSON
{
"key_gen": {
"enabled": true,
"key_type": {
"allowed_types": [
"rsa",
"ecdsa",
"Ed25519"
],
"default_key_type": "rsa"
},
"rsa_key_size": {
"min_bits": 1024,
"max_bits": 4096,
"default_bits": 2048
},
"ecdsa_curve": {
"allowed_curves": [
"P-256",
"P-384",
"P-521"
],
"default_curve": "P-256"
}
},
"issue_types": [
"server_authentication",
"client_authentication"
],
"signature_algorithm": {
"allowed_algorithms": [
"sha256WithRSA",
"sha384WithRSA",
"sha512WithRSA",
"sha256WithECDSA",
"sha384WithECDSA",
"sha512WithECDSA",
"sha3_256WithRSA",
"sha3_384WithRSA",
"sha3_512WithRSA",
"match_issuer"
],
"default_algorithm": "match_issuer"
},
"subject": {
"attributes": [
{
"type": "common_name",
"include": "optional",
"encoding": "auto",
"allowed_source": [
"csr",
"fixed_value",
"user_supplied"
]
},
{
"type": "organization_name",
"include": "optional",
"encoding": "auto",
"allowed_source": [
"csr",
"fixed_value",
"user_supplied"
]
},
{
"type": "organization_unit",
"include": "optional",
"encoding": "auto",
"allowed_source": [
"csr",
"fixed_value",
"user_supplied"
]
},
{
"type": "street_address",
"include": "optional",
"encoding": "auto",
"allowed_source": [
"csr",
"fixed_value",
"user_supplied"
]
},
{
"type": "postal_code",
"include": "optional",
"encoding": "auto",
"allowed_source": [
"csr",
"fixed_value",
"user_supplied"
]
},
{
"type": "locality",
"include": "optional",
"encoding": "auto",
"allowed_source": [
"csr",
"fixed_value",
"user_supplied"
]
},
{
"type": "state",
"include": "optional",
"encoding": "auto",
"allowed_source": [
"csr",
"fixed_value",
"user_supplied"
]
},
{
"type": "country",
"include": "optional",
"encoding": "auto",
"allowed_source": [
"csr",
"fixed_value",
"user_supplied"
]
},
{
"type": "email",
"include": "optional",
"encoding": "auto",
"allowed_source": [
"csr",
"fixed_value",
"user_supplied"
]
}
]
},
"extensions": {
"key_usage": {
"critical": true,
"allow_critical_override": true,
"required_usages": {
"rsa": [
"digital_signature",
"key_encipherment"
],
"ecdsa": [
"digital_signature",
"key_agreement"
]
}
},
"extended_key_usage": {
"critical": true,
"allow_critical_override": true,
"include": "optional",
"required_usages": [
{
"oid": "",
"name": "server_authentication"
},
{
"oid": "",
"name": "client_authentication"
}
]
},
"san": {
"critical": false,
"dns_name": {
"include": "no",
"auto_include_cn": "no",
"allowed_source": [
"csr",
"fixed_value",
"user_supplied"
]
}
}
},
"serial_number_size": 20,
"validity": {
"min_duration": {
"value": 1,
"unit": "days"
},
"max_duration": {
"value": 10,
"unit": "years"
},
"default_duration": {
"value": 10,
"unit": "years"
}
}
}