Creating a Certificate Issuing Template
Issuing templates combine the selection of a certificate authority (CA) account with rules that enforce certificate policy, all in a single location. Issuing templates can be edited (individually or in bulk), copied, or deleted.
Once issuing templates are created, they can be used to submit certificate requests.
Important: Issuing Templates are parent TSG resources. Only users with the Superuser role in the parent TSG can create or modify templates. Templates must be explicitly shared with child TSGs for users in those TSGs to request certificates using the template.
To Create a Certificate Issuing Template
Before You Begin
- Configure the certificate authority that you plan to use in the issuing template.
- If you are creating a template for an AWS, DigiCert, DigiCert One, Entrust, AD CS, GoDaddy, HID PKIaaS, Sectigo Certificate Manager, Zero Touch PKI, or OpenSSL certificate authority (CA), you will be asked to select a Product Option. Available options are pre-populated in Next-Gen Trust Security based on data provided by the CA.
Note: If you are using a DigiCert CA, manually refresh your DigiCert CA account to sync the latest product offerings and certificate selections from the DigiCert API.
- Sign in to Next-Gen Trust Security.
- Click Configuration > Issuing Templates.
- Click New.
- Enter an Issuing Template Name.
- (Optional) Enter a Description to help users understand when to select this issuing template.
- From the Certificate Authority list, select the CA to use for this template.
- (Conditional) If you selected an AWS Public CA in the previous step, the Domain Validation Method field appears. Select either DNS or Email as your domain validation method.
- (Conditional) If you selected an AWS, DigiCert, Entrust, AD CS, GoDaddy, Zero Touch PKI, or OpenSSL CA in the previous step, the Certificate Authority Product Option field appears. The products listed depend on which products are available to the CA API key used on the CA account. Select a product option.
Why can't I use DV certificate products from my DigiCert account? The DigiCert connector supports only OV and EV certificate products. DV products require additional domain validation steps. To automate domain validation workflows, use an ACME-based CA configuration.
Working with EJBCA? When using an EJBCA certificate authority, additional fields are required. Enter values exactly as they appear in the EJBCA administration interface:
- Certificate Authority Name
- Certificate Profile Name
- End Entity Profile Name
Ensure the selected certificate authority and profiles are correctly associated in EJBCA before proceeding.
- Select a Key Generation option.
Info: To use Automated Secure Keypair, select one of the Next-Gen Trust Security generated key options.
- (Optional) Customize the Validity Period. The recommended value is 90 days. The minimum supported value is 1 hour.
Info: If the requested validity period exceeds what the selected CA allows, certificate issuance fails.
- Complete the Common Name, Subject Alternative Names, and CSR Parameters fields.
- These fields accept regular expressions. Escape literal dots (for example, \.corp\.example\.com): an unescaped dot matches any single character, so a pattern such as .*.example.com also accepts names that merely resemble the intended domain.
- Additional SAN types are available using Show Advanced SAN options.
- The Test button allows you to validate regular expressions before saving.
Tips for completing these fields
- Leaving .* requires a value but allows any input.
- Leaving a field blank disables it on the certificate request form.
- Entering a single value enforces an exact match.
- Entering multiple values allows one matching value.
- Including ^$ allows the field to be left blank.
Enabling, disabling, and validating fields
Fields can be enabled or disabled. Disabling a field prevents it from being set on certificate requests that use this template. For enabled fields, you can specify whether validation is required. Use the field menu next to each field to change these settings.
- Select the allowed Key Algorithm types.
- Select an Extended Key Usage value. Valid options are Client Authentication, Server Authentication, or Any. Prefer the specific usage over Any so that a certificate issued for one purpose cannot also be presented for the other.
What is Extended Key Usage? Extended Key Usage (EKU) defines the intended purpose of the certificate's public key and restricts how it can be used.
- Click Save.
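The following Python script is an added example that models how the template rules above (regex-constrained Common Name and SAN fields, the .* and ^$ tips, the Key Algorithm allow-list, the EKU setting, and the validity cap) decide whether a certificate request may be submitted. It is not Next-Gen Trust Security code. It assumes that template regular expressions are matched against the whole field value (re.fullmatch), that an empty pattern list means the field is disabled, and that the key-algorithm labels and the sample template and requests are constructed for illustration.

```python
"""Model of issuing-template policy checks: regex-constrained subject fields,
key-algorithm allow-list, EKU and validity cap. Added example; not product code."""
import re
from dataclasses import dataclass, field

BLANK = "^$"   # template tip: including ^$ lets the field be left blank


@dataclass
class IssuingTemplate:
    common_name: list[str]       # regexes; [] means the field is disabled on the form
    san_dns: list[str]           # regexes; [] means the field is disabled on the form
    key_algorithms: set[str]     # allowed algorithm labels (hypothetical names)
    extended_key_usage: str      # "Client Authentication", "Server Authentication" or "Any"
    max_validity_hours: int


@dataclass
class CertRequest:
    common_name: str = ""
    san_dns: list[str] = field(default_factory=list)
    key_algorithm: str = "RSA-2048"
    extended_key_usage: str = "Server Authentication"
    validity_hours: int = 90 * 24


def pattern_allows(pattern: str, value: str) -> bool:
    """Assumption: a template regex is matched against the whole value, so an
    unanchored pattern cannot be satisfied by a substring of a longer name."""
    return re.fullmatch(pattern, value) is not None


def check_field(name, values, patterns, violations):
    values = [v for v in values if v]          # treat "" as no value supplied
    if not patterns:                           # blank template field: disabled on the form
        if values:
            violations.append(f"{name}: field is disabled by the template")
        return
    if not values:
        if BLANK not in patterns:              # only ^$ permits an empty field; .* does not
            violations.append(f"{name}: a value is required")
        return
    for v in values:                           # several patterns: any one of them may match
        if not any(pattern_allows(p, v) for p in patterns if p != BLANK):
            violations.append(f"{name}: {v!r} does not match template policy")


def validate_request(tpl: IssuingTemplate, req: CertRequest) -> list[str]:
    """Return the policy violations; an empty list means the request is acceptable."""
    violations: list[str] = []
    check_field("Common Name", [req.common_name], tpl.common_name, violations)
    check_field("SAN DNS", req.san_dns, tpl.san_dns, violations)
    if req.key_algorithm not in tpl.key_algorithms:
        violations.append(f"Key Algorithm: {req.key_algorithm!r} not allowed")
    if tpl.extended_key_usage != "Any" and req.extended_key_usage != tpl.extended_key_usage:
        violations.append(f"Extended Key Usage: {req.extended_key_usage!r} not allowed")
    if not 1 <= req.validity_hours <= tpl.max_validity_hours:
        violations.append(f"Validity: {req.validity_hours}h outside 1h..{tpl.max_validity_hours}h")
    return violations


# Constructed sample template: internal web servers only, SAN optional (^$),
# 90-day cap (the recommended validity).
TEMPLATE = IssuingTemplate(
    common_name=[r"[a-z0-9-]+\.corp\.example\.com"],
    san_dns=[r"[a-z0-9-]+\.corp\.example\.com", BLANK],
    key_algorithms={"RSA-2048", "EC-P256"},
    extended_key_usage="Server Authentication",
    max_validity_hours=90 * 24,
)

if __name__ == "__main__":
    print(validate_request(TEMPLATE, CertRequest(common_name="web01.corp.example.com")))
    bad = CertRequest(common_name="web01.corp.example.com.attacker.net",
                      san_dns=["db.other.example.com"], key_algorithm="RSA-1024",
                      extended_key_usage="Client Authentication", validity_hours=400 * 24)
    for v in validate_request(TEMPLATE, bad):
        print(v)
    # Unescaped dots are a common template mistake: '.' matches any character.
    print(pattern_allows(r"[a-z0-9-]+.corp.example.com", "web01XcorpXexampleXcom"))
    print(pattern_allows(r"[a-z0-9-]+\.corp\.example\.com", "web01XcorpXexampleXcom"))
```

Use the Test button in the template editor the same way: feed it a name that should be rejected (a subdomain of an attacker-controlled zone, or the intended name with one dot replaced) and confirm the pattern does not accept it before saving.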