Issuing Templates combine the selection of a CA account with rules that enforce certificate policy, all in a single location. Issuing templates can be edited (individually or in bulk), copied, or deleted.
IMPORTANT You must have a System Admin or PKI Admin role to do this.
To create an issuing template
In the menu bar, click Settings > Issuing Templates.
- Click New.
- Type a name for your new Issuing Template.
Select an existing CA provider or Add New Account.
Each CA provider must have at least one account associated with it.
- Click Select next to the CA provider account you want to associate with your new template.
- Select a Product Option.
(Optional) Change the template's default validity period.setting the validity period
The recommended and default value is 90 days.
You can change the template's default validity period. The minimum setting is 1 hour.
Be aware that when the CSR is submitted and the validity period requested exceeds that allowed by the CA, an error message will be returned.
Fill out the fields under Issuing Rules.
- (Optional) Define Recommended Settings.
(Optional) Click the Bypass this field icon, as needed.What does it mean to bypass a field?
There are two options here:
- Disable: Choose this to prevent the field from being set on certificates that are governed by the template.
- Validation is not required: Choose this to prevent a field from being checked if the CA is going to apply the rule.
When you're done, click Create Template.
You'll see your new template in the list of Issuing Templates.
TIP As indicated by the CA Account, Venafi Cloud uses the domain patterns that have been validated for certificate issuance to create a set of default patterns in the Issuing Templates CN and SAN rules.
When a DevOps user selects a CA Account to use with an issuing template, the CN and SAN rules are auto-filled with valid patterns based on the CA's settings. The user doesn't have to consult the CA Account to figure out which naming patterns are needed.