Skip to content

Creating a certificate Issuing Template

Issuing Templates combine the selection of a CA account with rules that enforce certificate policy, all in a single location. Issuing templates can be edited (individually or in bulk), copied, or deleted.

Once the issuing templates are created, Resource Owner can add them to their applications, and then submit certificate requests using the issuing templates.


You must be a System Administrator or PKI Administrator to do this.

To create an issuing template

Before you begin

  • You should already have configured the certificate authority you plan to use in your issuing template.

  • If you are creating a template for a DigiCert, Entrust, Zero Touch PKI, or AD CS certificate authority, you'll be asked to select a product option. The available options are pre-populated in TLS Protect Cloud with data from the CA.

To create a certificate issuing template

  1. Sign in to Venafi Control Plane.
  2. Click Policies > Issuing Templates.
  3. Click New.
  4. Enter an Issuing Template Name.
  5. (Optional) Enter a Description to help users requesting certificates understand when to choose this issuing template.
  6. From the Certificate Authority drop-down, select the CA you will use for this template.
  7. (Conditional) If you selected a DigiCert, Entrust, AD CS, or Zero Touch PKI CA in the previous step, you will see the Certificate Authority Product Option field. Select a product option.

    Additional fields may appear as required by your CA. Verify the values in those fields and change them as necessary.

    Working with EJBCA?

    If you are working with an EJBCA custom certificate authority connector, please review the following information.

    You will be required to enter data into these three fields that are unique to EJBCA. The values are important and must match the source locations as described in this list:

    • Certificate Authority Name. EJBCA's administrator webpage lists the CA's in a table on it's status page. Copy the CA name from the first column and paste it into this field. Ensure the text (including case) matches exactly what is in the table.

      Make sure that this certificate authority has the certificate profile name (that you'll use next) assigned to it.

    • Certificate Profile Name. Found in the EJBCA admin console under the menu item CA Functions > Certificate Profiles. Copy the profile name from this list and paste it into TLS Protect Cloud.

      Make sure that this certificate profile name has the end entity profile name (that you'll use next) added to the profile.

    • End Entity Profile Name. Found in the EJBCA admin console under the menu item RA Functions > End Entity Profiles. Enter the profile name exactly as it appears in this list.

    For more information about EJBCA and custom CA connectors, see Custom CA Configuration overview

  8. Select an option for Key Generation.


    To use Automated Secure Keypair, select one of the TLS Protect Cloud generated options.

  9. (Optional) Customize the template's default Validity Period.

    The recommended value is 90 days. The minimum setting is 1 hour.


    Be aware that when the CSR is submitted and the validity period requested exceeds that allowed by the CA, an error message will be returned.

  10. Complete the Common Name, Subject Alternative Names, and CSR Parameters fields.

    • These fields accept regular expressions.
    • Additional SAN types are available by clicking the Show Advanced SAN options drop-down.
    • The Common Name and Subject Alternate Name fields also include a Test button, which allows you to test your regular expressions.

    Tips for completing these fields

    • Leaving .* will require a value for that field when filling out the certificate request form, though any value will match.
    • Leaving the field blank disables the field on the certificate request form.
    • Entering a single value will require the certificate request form to match that value.
    • Entering multiple values will require certificate requests match one of the specified values.
    • Adding ^$ as one of the permitted values will allow that field to be left blank on a the certificate request form.

      This is the default behavior when submitting requests using the API.

    • You can disable or remove required validation for any field. See the tip below instructions.

    Enabling, disabling, and validating fields

    The common name, SAN, and CSR Parameter fields can be enabled or disabled. Disabling a field prevents that field from being set on certificate requests that use this template.

    Also, for enabled fields, you can specify whether that field requires validation when Resource Owners submit certificate requests using this template.

    To change these settings for any field, click the menu button Image of the field menu button next to the field.

  11. Select the Key Algorithm types you want to allow.

  12. Select an Extended Key Usage type. The valid values are Client Authentication, Server Authentication, and Any. If you want to allow all uses, select Any.

    What is Extended Key Usage?

    Extended key usage (EKU) allows you to select the purpose of the public key contained in the certificate and restrict usage of the public key to only those purposes defined by the EKU settings.

  13. In the Resource Consumers section, specify who should be able to assign this template to applications.

    • To allow all users to use this template, enable Allow everyone to consume.
    • Otherwise, select specific users in the Resource Consumers field, and then click Add.


    Selecting neither option means that this template won't be available for Resource Owners to assign to any applications.

  14. Click Save.

What's next

To use a certificate issuing template, you must associate it with an application. The template you just created should now be ready to assign to applications.