Creating a certificate Issuing Template

Issuing Templates combine the selection of a CA account with rules that enforce certificate policy, all in a single location. Issuing templates can be edited (individually or in bulk), copied, or deleted.

Once the issuing templates are created, Resource Owners can add them to their Applications, and then submit certificate requests using the issuing templates.

Important

You must be a System Administrator or PKI Administrator to do this.

To create an issuing template

  1. In the menu bar, click Settings > Issuing Templates.
  2. Click New.
  3. Enter a Template Name for this template, and then press Enter.
  4. Select an existing CA provider or Add New Account.

    Each CA provider must have at least one account associated with it (note that the Venafi CA has a default account already configured). If the CA you want to use doesn't have an account yet, click Add New Account, and then follow the on-screen instructions.

  5. Click a CA, and then click Select next to the CA provider account you want to associate with your new template. Follow the specific instructions for the CA you selected below.

Venafi
  1. (Optional) Customize the template's default Validity Period.

    The recommended value is 90 days.

    You can change the template's default validity period. The minimum setting is 1 hour.

    Be aware that when the CSR is submitted and the validity period requested exceeds that allowed by the CA, an error message will be returned.

  2. (Optional) Click Define Recommended Settings if you want to provide recommended values when Resource Owners fill out certificate requests.

    What's the difference between Recommended Settings and Issuing Rules?

    Recommended Settings pre-populate the fields on a certificate request. However, Resource Owners will be able to change those values on certificate requests.

    On the other hand, Issuing Rules allow you to require a specific value in order for a certificate request to be submitted.

    Note that you can use both recommended settings and issuing rules in the same issuing template. If both a recommended setting and an issuing rule are applied to the same field, the issuing rule takes precedence.

  3. Select an option for Key Pair Generation.

    Info

    To use Automated Secure Keypair, select one of the Venafi generated options.

  4. Complete the remaining fields. Pay attention to the following tips:

    Issuing rules tips
    • The Common Name and Subject Alternate Name fields accept regular expressions. If you're not familiar with regular expressions, use the on-screen help to learn more. Also, the Test capability allows you to test your regular expressions.
    • Leaving .* will allow the Resource Owner to enter any value in that field.
    • Entering a single value in a field will lock that field on certificate requests.
    • Entering multiple values will require Resource Owners to enter one of the specified values.
    • You can disable or remove required validation for any field. See the next step for instructions.
  5. (Optional) Click the Bypass this field icon (three vertical dots), as needed.

    What does it mean to bypass a field?

    There are two options here:

    • Disable: Choose this to prevent the field from being set on certificates that are governed by the template.
    • Validation is not required: Choose this to prevent a field from being checked if the CA is going to apply the rule.
  6. Click Create Template. You'll see your new template in the list of Issuing Templates.

DigiCert
  1. Select a Product Option. This list is populated from your CA.
  2. (Optional) Customize the template's default Validity Period.

    The recommended value is 90 days.

    You can change the template's default validity period. The minimum setting is 1 hour.

    Be aware that when the CSR is submitted and the validity period requested exceeds that allowed by the CA, an error message will be returned.

  3. (Optional) Click Define Recommended Settings if you want to provide recommended values when Resource Owners fill out certificate requests.

    What's the difference between Recommended Settings and Issuing Rules?

    Recommended Settings pre-populate the fields on a certificate request. However, Resource Owners will be able to change those values on certificate requests.

    On the other hand, Issuing Rules allow you to require a specific value in order for a certificate request to be submitted.

    Note that you can use both recommended settings and issuing rules in the same issuing template. If both a recommended setting and an issuing rule are applied to the same field, the issuing rule takes precedence.

  4. Select an option for Key Pair Generation.

    Info

    To use Automated Secure Keypair, select one of the Venafi generated options.

  5. Complete the remaining fields. Pay attention to the following tips:

    Issuing rules tips
    • The Common Name and Subject Alternate Name fields accept regular expressions. If you're not familiar with regular expressions, use the on-screen help to learn more. Also, the Test capability allows you to test your regular expressions.
    • Leaving .* will allow the Resource Owner to enter any value in that field.
    • Entering a single value in a field will lock that field on certificate requests.
    • Entering multiple values will require Resource Owners to enter one of the specified values.
    • You can disable or remove required validation for any field. See the next step for instructions.

    Note

    Venafi as a Service uses the domain patterns that have been validated for certificate issuance to create a set of default patterns in the Issuing Templates Common Name (CN) and Subject Alternative Name (SAN) rules.

    When you select a CA Account to use with an issuing template, the CN and SAN rules are auto-filled with valid patterns based on the CA's settings.

  6. (Optional) Click the Bypass this field icon (three vertical dots), as needed.

    What does it mean to bypass a field?

    There are two options here:

    • Disable: Choose this to prevent the field from being set on certificates that are governed by the template.
    • Validation is not required: Choose this to prevent a field from being checked if the CA is going to apply the rule.
  7. Click Create Template. You'll see your new template in the list of Issuing Templates.

GlobalSign
  1. (Optional) Customize the template's default Validity Period.

    The recommended value is 90 days.

    You can change the template's default validity period. The minimum setting is 1 hour.

    Be aware that when the CSR is submitted and the validity period requested exceeds that allowed by the CA, an error message will be returned.

  2. (Optional) Click Define Recommended Settings if you want to provide recommended values when Resource Owners fill out certificate requests.

    What's the difference between Recommended Settings and Issuing Rules?

    Recommended Settings pre-populate the fields on a certificate request. However, Resource Owners will be able to change those values on certificate requests.

    On the other hand, Issuing Rules allow you to require a specific value in order for a certificate request to be submitted.

    Note that you can use both recommended settings and issuing rules in the same issuing template. If both a recommended setting and an issuing rule are applied to the same field, the issuing rule takes precedence.

  3. Select an option for Key Pair Generation.

    Info

    To use Automated Secure Keypair, select one of the Venafi generated options.

  4. Complete the remaining fields. Pay attention to the following tips:

    Issuing rules tips
    • The Common Name and Subject Alternate Name fields accept regular expressions. If you're not familiar with regular expressions, use the on-screen help to learn more. Also, the Test capability allows you to test your regular expressions.
    • Leaving .* will allow the Resource Owner to enter any value in that field.
    • Entering a single value in a field will lock that field on certificate requests.
    • Entering multiple values will require Resource Owners to enter one of the specified values.
    • You can disable or remove required validation for any field. See the next step for instructions.

    Note

    Venafi as a Service uses the domain patterns that have been validated for certificate issuance to create a set of default patterns in the Issuing Templates Common Name (CN) and Subject Alternative Name (SAN) rules.

    When you select a CA Account to use with an issuing template, the CN and SAN rules are auto-filled with valid patterns based on the CA's settings.

  5. (Optional) Click the Bypass this field icon (three vertical dots), as needed.

    What does it mean to bypass a field?

    There are two options here:

    • Disable: Choose this to prevent the field from being set on certificates that are governed by the template.
    • Validation is not required: Choose this to prevent a field from being checked if the CA is going to apply the rule.
  6. Click Create Template. You'll see your new template in the list of Issuing Templates.

Entrust
  1. Select a Product Option. This list is populated from your CA.
  2. Enter a Contact Name, Email address, and Phone Number.

    Why does Entrust ask for this?

    Entrust requires these fields to be populated, but it doesn't do any validation on them. Since Venafi as a Service stores certificate ownership information, there is no need to use anything but the default Venafi as a Service values.

    If you want Entrust to collect certificate ownership information, you'll need to create one issuing template per team with the contact information for the team contact.

  3. (Optional) Customize the template's default Validity Period.

    The recommended value is 90 days.

    You can change the template's default validity period. The minimum setting is 1 hour.

    Be aware that when the CSR is submitted and the validity period requested exceeds that allowed by the CA, an error message will be returned.

  4. (Optional) Click Define Recommended Settings if you want to provide recommended values when Resource Owners fill out certificate requests.

    What's the difference between Recommended Settings and Issuing Rules?

    Recommended Settings pre-populate the fields on a certificate request. However, Resource Owners will be able to change those values on certificate requests.

    On the other hand, Issuing Rules allow you to require a specific value in order for a certificate request to be submitted.

    Note that you can use both recommended settings and issuing rules in the same issuing template. If both a recommended setting and an issuing rule are applied to the same field, the issuing rule takes precedence.

  5. Select an option for Key Pair Generation.

    Info

    To use Automated Secure Keypair, select one of the Venafi generated options.

  6. Complete the remaining fields. Pay attention to the following tips:

    Issuing rules tips
    • The Common Name and Subject Alternate Name fields accept regular expressions. If you're not familiar with regular expressions, use the on-screen help to learn more. Also, the Test capability allows you to test your regular expressions.
    • Leaving .* will allow the Resource Owner to enter any value in that field.
    • Entering a single value in a field will lock that field on certificate requests.
    • Entering multiple values will require Resource Owners to enter one of the specified values.
    • You can disable or remove required validation for any field. See the next step for instructions.

    Note

    Venafi as a Service uses the domain patterns that have been validated for certificate issuance to create a set of default patterns in the Issuing Templates Common Name (CN) and Subject Alternative Name (SAN) rules.

    When you select a CA Account to use with an issuing template, the CN and SAN rules are auto-filled with valid patterns based on the CA's settings.

  7. (Optional) Click the Bypass this field icon (three vertical dots), as needed.

    What does it mean to bypass a field?

    There are two options here:

    • Disable: Choose this to prevent the field from being set on certificates that are governed by the template.
    • Validation is not required: Choose this to prevent a field from being checked if the CA is going to apply the rule.
  8. Click Create Template. You'll see your new template in the list of Issuing Templates.

Microsoft
  1. Select a Product Option. This list is populated from your CA.
  2. (Optional) Customize the template's default Validity Period.

    The recommended value is 90 days.

    You can change the template's default validity period. The minimum setting is 1 hour.

    Be aware that when the CSR is submitted and the validity period requested exceeds that allowed by the CA, an error message will be returned.

  3. (Optional) Click Define Recommended Settings if you want to provide recommended values when Resource Owners fill out certificate requests.

    What's the difference between Recommended Settings and Issuing Rules?

    Recommended Settings pre-populate the fields on a certificate request. However, Resource Owners will be able to change those values on certificate requests.

    On the other hand, Issuing Rules allow you to require a specific value in order for a certificate request to be submitted.

    Note that you can use both recommended settings and issuing rules in the same issuing template. If both a recommended setting and an issuing rule are applied to the same field, the issuing rule takes precedence.

  4. Select an option for Key Pair Generation.

    Info

    To use Automated Secure Keypair, select one of the Venafi generated options.

  5. Complete the remaining fields. Pay attention to the following tips:

    Issuing rules tips
    • The Common Name and Subject Alternate Name fields accept regular expressions. If you're not familiar with regular expressions, use the on-screen help to learn more. Also, the Test capability allows you to test your regular expressions.
    • Leaving .* will allow the Resource Owner to enter any value in that field.
    • Entering a single value in a field will lock that field on certificate requests.
    • Entering multiple values will require Resource Owners to enter one of the specified values.
    • You can disable or remove required validation for any field. See the next step for instructions.
  6. (Optional) Click the Bypass this field icon (three vertical dots), as needed.

    What does it mean to bypass a field?

    There are two options here:

    • Disable: Choose this to prevent the field from being set on certificates that are governed by the template.
    • Validation is not required: Choose this to prevent a field from being checked if the CA is going to apply the rule.
  7. Click Create Template. You'll see your new template in the list of Issuing Templates.
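
The issuing rules tips in each CA section describe the Common Name and SAN rules as regular expressions, where `.*` allows any value and several values mean "one of these". The following added example (not Venafi code) shows how to pre-check candidate patterns offline before entering them. It assumes each rule is a regular expression matched against the whole value; the `example.com` patterns and all function names are constructed for illustration.

```python
import re

# Constructed sample rules; example.com names are placeholders, not product defaults.
CN_RULES = [r".*\.example\.com"]
SAN_RULES = [r"api\.example\.com", r"www\.example\.com"]


def allowed(value, patterns):
    """True if value matches at least one pattern (whole-value matching is assumed)."""
    return any(re.fullmatch(p, value) for p in patterns)


def check_request(cn, sans, cn_rules=CN_RULES, san_rules=SAN_RULES):
    """Return a list of violations; an empty list means the request passes the rules."""
    problems = []
    if not allowed(cn, cn_rules):
        problems.append(f"CN {cn!r} matches no CN rule")
    for san in sans:
        if not allowed(san, san_rules):
            problems.append(f"SAN {san!r} matches no SAN rule")
    return problems


def lint_pattern(pattern):
    """Flag patterns that are broader than a domain rule usually intends."""
    findings = []
    if pattern == ".*":
        findings.append("allows any value")
    # Drop escaped characters and [...] classes; a '.' that remains and is not
    # followed by a quantifier is a single-character wildcard, not a literal dot.
    stripped = re.sub(r"\\.|\[[^\]]*\]", "", pattern)
    if re.search(r"\.(?![*+?{])", stripped):
        findings.append("unescaped '.' matches any character")
    return findings


if __name__ == "__main__":
    for rule in [".*", r".*\.example\.com", ".*.example.com"]:
        print(rule, "->", lint_pattern(rule) or "ok")
    print(check_request("app.example.org", ["mail.example.com"]))
```

The unescaped form `.*.example.com` accepts `xexample.com`, which is a different registrable domain; the escaped form rejects it.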


Last update: November 12, 2021