Overview: Certificate Issuing Templates
Table of Contents
Expand all | Collapse all
-
- Activate Next-Generation Trust Security
-
-
- Configure Akamai Connection
- Configure AWS Connection
- Configure Azure Key Vault Connection
-
- Workload Identity Federation Authentication
- Workload Identity Federation - Azure Identity Provider Authentication
- Next-Gen Trust Security Generated Key Authentication
- User Permissions
- Workload Identity Federation Authentication
- Next-Gen Trust Security Generated Key Authentication
- User Permissions
- Supported OIDC Claims
-
-
-
- Working with the Built-in CA
- Add AWS Public CA
- Add AWS Private CA
- Add DigiCert One Certificate Authority
- Add Entrust
- Add GlobalSign Atlas
- Add GlobalSign MSSL
- Add GoDaddy
- Add Google Cloud Private CA
- Add a HID PKIaaS CA
- Add Certificate Manager - Self-Hosted
- Set Up an OpenSSL Certificate Authority Connector
- Create a Sectigo Certificate Manager Certificate Authority
- Add Zero Touch PKI
- Set Up Certificate Expiration Notifications
- Using a Custom DNS Provider
-
-
-
-
- Create an F5 BIG-IP LTM Machine
- Create a Microsoft Azure Private Key Vault Machine
- Create a Microsoft Azure Application Registration Machine
- Create a Microsoft IIS Machine
- Create a Microsoft Windows (PowerShell) Machine
- Create a Microsoft SQL Server Machine
- Create a Common KeyStore Machine
- Create a Citrix ADC Machine
- Create an Imperva WAF Machine
- Create a VMware NSX Advanced Load Balancer (AVI) Machine
- Create an A10 Thunder ADC Machine
- Create a Cloudflare Machine
- Create Kemp Virtual LoadMaster Machine
- Create a Palo Alto Panorama Machine
- Create a Radware Alteon Machine
-
- Provision to an F5 BIG-IP LTM
- Provision to a Microsoft Azure Private Key Vault
- Provision to Microsoft IIS
- Provision to Microsoft Windows (PowerShell)
- Provision to Microsoft SQL Server
- Provision to a Common KeyStore
- Provision to a Citrix ADC
- Provision to an Imperva WAF
- Provision to VMware NSX Advanced Load Balancer (AVI)
- Provision to an A10 Thunder ADC
- Provision to Cloudflare
- Provision to a Kemp Virtual LoadMaster
- Provision to Palo Alto Panorama
- Provision Certificates to Radware Alteon
-
-
- 47-Day Validity Readiness TLS Certificates dashboard
- About the Certificate Inventory
- Managing Certificate Lifecycle Settings
- Reissuing Certificates in Next-Gen Trust Security
- Downloading Certificates, Certificate Chains, and Keystores
- Retiring, Recovering, and Deleting Certificates
- Finding Certificates in the Certificate Inventory
- Importing Certificates from a CA Using EJBCA
- Domain-Based Validation for External Emails
-
- Create a Workload Identity Management or Discovery Agent Built-in Account
- Create an OCI Registry Built-in Account
- Create a Certificate Manager - Self-Hosted Built-in Account
- Create a Scanafi Built-in Account
- Toggling a Built-in Account on or Off
- Editing Built-in Accounts
- Deleting Existing Built-in Accounts
- Renew Existing Built-in Accounts
- Troubleshooting
Overview: Certificate Issuing Templates
Certificate issuing templates define the certificate policies that are enforced whenever new certificates are issued.
An issuing template combines a CA account selection with certificate rules in a single place. When you create an issuing template, you define the rules that reflect your organization’s certificate security policies for requesting or renewing certificates.
Note: Issuing Templates are parent TSG resources. Only users with the Superuser role in the parent TSG can create or modify templates. Templates must be explicitly shared with child TSGs for users in those TSGs to request certificates using the template.
Here are some of the benefits of certificate issuing templates:
- Enable consistent certificate requests by applying predefined security policies, so certificates are issued according to approved standards.
- Speed up certificate issuance by requiring only the necessary input. All other settings are predefined or enforced by policy.
You can create as many issuing templates as needed, and edit or delete them at any time.
Most certificate issuing templates include at least the following settings:
- Template name
- CA account
- Issuing rules
- Additional fields that are specific to the selected CA account
Depending on the CA, additional settings may be required. For example, an issuing template for DigiCert includes a Product Option field.
What is the default issuing template?
Next-Gen Trust Security includes a Default Issuing template that demonstrates how an issuing template is structured and how it connects to other parts of Next-Gen Trust Security. This template is intended for testing and evaluation only.
The default issuing template is not intended for production use. For production environments, create your own issuing templates that reflect your organization’s certificate policies. Limiting use of the default template helps prevent unintended certificate issuance.
What's Next
- Learn how to set up a new certificate issuing template