
Templates for intermediate CA certificates

See Create a certificate template for step-by-step instructions on creating templates.

The following example lists all the common parameters used in an intermediate CA certificate template. You can customize them as needed for your organization.

Example JSON

{
  "cert_type": "intermediate",
  "issue_types": ["all"],
  "key_gen": {
    "enabled": true,
    "key_type": {
      "allowed_types": ["rsa", "ecdsa"],
      "default_key_type": "rsa"
    },
    "rsa_key_size": {
      "min_bits": 2048,
      "max_bits": 4096,
      "default_bits": 2048
    },
    "ecdsa_curve": {
      "allowed_curves": ["P-256", "P-384", "P-521"],
      "default_curve": "P-256"
    }
  },
  "signature_algorithm": {
    "allowed_algorithms": [
      "sha256WithRSA",
      "sha384WithRSA",
      "sha512WithRSA",
      "ecdsaWithSHA256",
      "ecdsaWithSHA384",
      "ecdsaWithSHA512"
    ],
    "default_algorithm": "sha256WithRSA"
  },
  "validity": {
    "unit": "years",
    "min_duration": 1,
    "max_duration": 50,
    "default_duration": 30
  },
  "subject": {
    "attributes": [
      { "type": "common_name" },
      { "type": "organization_name" },
      { "type": "country", "include": "optional" },
      { "type": "state", "include": "optional" },
      { "type": "locality", "include": "optional" },
      { "type": "organization_unit", "include": "optional" }
    ]
  },
  "extensions": {
    "key_usage": {
      "critical": true,
      "allow_critical_override": false,
      "required_usages": {
        "rsa": ["key_cert_sign", "crl_sign"],
        "ecdsa": ["key_cert_sign", "crl_sign"]
      },
      "optional_usages": {
        "rsa": ["digital_signature"],
        "ecdsa": ["digital_signature"]
      }
    },
    "extended_key_usage": {
      "include": "yes",
      "usages": {
        "rsa": [],
        "ecdsa": []
      }
    },
    "basic_constraints": {
      "critical": true,
      "is_ca": true,
      "path_length": 0
    },
    "authority_key_identifier": {
      "include": "yes"
    },
    "subject_key_identifier": {
      "include": "yes"
    },
    "certificate_policies": {
      "include": "optional",
      "source": ["request"]
    }
  }
}

Important considerations

  • Allowed key types:

    • Only RSA and ECDSA are allowed. This is suitable for any standard PKI deployment.

  • Key usage extension:

    • Required: key_cert_sign, crl_sign

    • Optional: digital_signature (for OCSP/CRL signing or test chains)

  • Extended key usage extension:

    • Set to include: yes, but with empty usage lists, so that no extended key usage is imposed and the intermediate certificate remains broadly usable.

  • Path length constraint:

    • Set to 0, meaning this intermediate can issue only end-entity certificates; it cannot issue further subordinate CA certificates.