Creating a certificate issuing template
Issuing templates combine the selection of a certificate authority (CA) account with rules that enforce certificate policy, all in a single location. Issuing templates can be edited (individually or in bulk), copied, or deleted.
Once issuing templates are created, they can be assigned to applications and used to submit certificate requests.
Important: You must have appropriate administrative permissions to create or modify issuing templates.
To create a certificate issuing template
Before you begin
- Configure the certificate authority that you plan to use in the issuing template.
- If you are creating a template for a DigiCert, Entrust, Zero Touch PKI, or AD CS certificate authority, you will be asked to select a Product Option. Available options are pre-populated in Next-Gen Trust Security based on data provided by the CA.
- Sign in to Next-Gen Trust Security.
- Click Configuration > Issuing Templates.
- Click New.
- Enter an Issuing Template Name.
- (Optional) Enter a Description to help users understand when to select this issuing template.
- From the Certificate Authority list, select the CA to use for this template.
- (Conditional) If the selected CA requires it, configure any additional CA-specific fields that appear, such as Certificate Authority Product Option. Verify the values and update them as needed.
Why can’t I use DV certificate products from my DigiCert account?
The DigiCert connector supports only OV and EV certificate products. DV products require additional domain validation steps. To automate domain validation workflows, use an ACME-based CA configuration.
Working with EJBCA?
When using an EJBCA certificate authority, additional fields are required. Enter values exactly as they appear in the EJBCA administration interface:
- Certificate Authority Name
- Certificate Profile Name
- End Entity Profile Name
Ensure the selected certificate authority and profiles are correctly associated in EJBCA before proceeding.
- Select a Key Generation option.
Info: To use Automated Secure Keypair, select one of the Next-Gen Trust Security generated key options.
- (Optional) Customize the Validity Period. The recommended value is 90 days. The minimum supported value is 1 hour.
Info: If the requested validity period exceeds what the selected CA allows, certificate issuance fails.
- Complete the Common Name, Subject Alternative Names, and CSR Parameters fields.
- These fields accept regular expressions.
- Additional SAN types are available using Show Advanced SAN options.
- The Test button allows you to validate regular expressions before saving.
Tips for completing these fields
- Leaving .* requires a value but allows any input.
- Leaving a field blank disables it on the certificate request form.
- Entering a single value enforces an exact match.
- Entering multiple values allows one matching value.
- Including ^$ allows the field to be left blank.
Enabling, disabling, and validating fields
Fields can be enabled or disabled. Disabling a field prevents it from being set on certificate requests that use this template. For enabled fields, you can specify whether validation is required. Use the field menu next to each field to change these settings.
- Select the allowed Key Algorithm types.
- Select an Extended Key Usage value. Valid options are Client Authentication, Server Authentication, or Any.
What is Extended Key Usage?
Extended Key Usage (EKU) defines the intended purpose of the certificate’s public key and restricts how it can be used.
- Click Save.
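The field rules from the Common Name, Subject Alternative Names, and CSR Parameters step, modelled in Python as an added example (this is not Next-Gen Trust Security code). It assumes whole-value matching and Python's regex dialect; `field_allows` and `names_outside_domain` are hypothetical helper names, and all names and patterns are constructed samples.

```python
import re

def field_allows(patterns, value):
    """Model of the tips above (assumed semantics, not the product's code).

    patterns: the regular expressions entered for one template field.
    value:    the value on the certificate request ("" means not supplied).
    """
    if not patterns:                 # blank field: disabled on the request form
        return value == ""
    if value == "":                  # blank is accepted only when ^$ is listed
        return "^$" in patterns
    # otherwise the value must match one of the listed entries in full
    return any(re.fullmatch(p, value) for p in patterns)

def names_outside_domain(pattern, domain):
    """Return constructed probe names that are NOT under `domain` but that
    `pattern` still accepts. A non-empty result means the pattern is looser
    than the policy it is meant to enforce."""
    probes = [
        "www" + "x" + domain,                # "wwwxexample.com"
        "www." + domain.replace(".", "x"),   # "www.examplexcom"
        "www." + domain + ".other.test",     # domain used only as a prefix
    ]
    return [name for name in probes if re.fullmatch(pattern, name)]

# An unescaped "." matches any character, so this SAN pattern admits lookalikes.
LOOSE = r".*.example.com"
# Escaped dots restrict the pattern to real subdomains of example.com.
STRICT = r".*\.example\.com"

if __name__ == "__main__":
    print(names_outside_domain(LOOSE, "example.com"))
    print(names_outside_domain(STRICT, "example.com"))
    print(field_allows([".*"], ""), field_allows(["Engineering", "^$"], ""))
```

The template's Test button remains the check against the product's own regex engine; run the same lookalike names through it before saving.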
What's next
To use an issuing template, associate it with an application. The template you created is now ready to assign to applications.