Certificate Templates
Stream uses the notion of Certificate Templates to add additional verifications when enrolling a certificate.
To define a new certificate template:
1. Log in to the Stream Administration Interface.
2. Go to Certificates > Templates and click the add button.
3. In the General tab, you can set the template’s name, the path length it will tolerate, turn the template on or off and check for proof of possession when enrolling with a CSR. In the Duration part of the tab, you can edit the lifetime of the certificates that will enroll on this template, as well as backdate them should you need to.
4. In the KU & EKU tab, you can set the Key Usages and Extended Key Usages of the certificates that will enroll on this template. You can also use your own EKUs here. If you want to set up your own EKUs, please refer to the Extended Key Usages part of this section.
5. In the Policy, CRLDP & AIA tab, you can edit the CRLDPs, AIA and Policy of the certificates that will enroll on this template. The certificates can either inherit these values from the CA they will enroll on, or you can set specific values in the template, which will then override those retrieved from the CA.
6. In the DN & Extensions tab, you can enforce your DNs, SANs and Extensions to match criteria defined in this section. By default, everything is accepted, meaning that any type and number of DNs, SANs and Extensions can be used in the certificates and they would still successfully enroll on the template.
- If you want to enforce a Subject DN policy, click the add button in Subject DN composition, then select the DN element that you want to put a policy on. You can make this element mandatory or not, give it a default value that is editable or not, add a whitelist of accepted values for this element, or instead use a regex that the values of this element must match.
- If you want to enforce a Subject Alternate Names policy, you can either click None to forbid the use of SANs in certificates or click Some to configure the policy. If you clicked Some, click the add button and select the SAN element that you want to enforce a policy upon. You can then input the minimum and maximum number of occurrences of this SAN element in the certificates that will enroll: for example, to make at least one DNS SAN mandatory, use 1 as the minimum. Finally, you can require your SANs to match a regex to be considered valid on a certificate.
- If you want to enforce an Extension policy, you can either click None to forbid the use of Extensions in certificates or click Some to configure the policy. If you clicked Some, click the add button and select the Extension that you want to enforce a policy upon. You can then make it mandatory or not and, if supported, give it a default value that can be edited or not.
7. Once you’ve configured your template, you can click Save at the top of the page.
As mentioned previously, if you want your certificates to inherit the CRLDP, the AIA and the Policy from the CA, you must toggle on the Get from CA switches and not specify any policy, CRLDP or AIA in the template.
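To make the DN and SAN rules of step 6 concrete, here is an added example (not Stream's own code) that models those checks over a request: DN elements with mandatory / default / whitelist / regex rules, and SAN types with minimum, maximum and regex. The request format (a dict of DN elements, a list of (type, value) SANs) and the handling of a non-editable default and of SAN types without a rule are assumptions, not behaviour documented above.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class DnRule:
    """Policy for one Subject DN element, as configured in Subject DN composition."""
    mandatory: bool = False
    default: Optional[str] = None
    editable: bool = True           # assumption: a non-editable default overrides the requested value
    whitelist: Optional[list] = None
    regex: Optional[str] = None

@dataclass
class SanRule:
    """Policy for one SAN type: number of occurrences and an optional regex."""
    minimum: int = 0
    maximum: Optional[int] = None   # None means no upper bound
    regex: Optional[str] = None

def check_dn(rules, subject):
    """Apply DN rules to a subject such as {"CN": "web01.example.com", "C": "FR"}.
    Returns (effective subject after defaults, list of policy errors)."""
    out, errors = dict(subject), []
    for elem, rule in rules.items():
        value = subject.get(elem)
        if rule.default is not None and (value is None or not rule.editable):
            value = rule.default    # default fills a missing element or replaces a non-editable one
        if value is None:
            if rule.mandatory:
                errors.append(f"DN element {elem} is mandatory")
            continue
        if rule.whitelist is not None and value not in rule.whitelist:
            errors.append(f"DN element {elem}={value!r} not in whitelist")
        if rule.regex is not None and not re.fullmatch(rule.regex, value):
            errors.append(f"DN element {elem}={value!r} does not match {rule.regex!r}")
        out[elem] = value
    return out, errors

def check_sans(rules, sans, allow_sans=True):
    """Apply SAN rules to a list of (type, value) pairs. allow_sans=False is the template's None choice.
    SAN types with no rule are left unchecked (assumption)."""
    if not allow_sans:
        return ["SANs are not allowed"] if sans else []
    errors = []
    for san_type, rule in rules.items():
        values = [v for t, v in sans if t == san_type]
        if len(values) < rule.minimum:
            errors.append(f"at least {rule.minimum} {san_type} SAN(s) required, got {len(values)}")
        if rule.maximum is not None and len(values) > rule.maximum:
            errors.append(f"at most {rule.maximum} {san_type} SAN(s) allowed, got {len(values)}")
        errors += [f"{san_type} SAN {v!r} does not match {rule.regex!r}"
                   for v in values if rule.regex is not None and not re.fullmatch(rule.regex, v)]
    return errors
```

A template that requires at least one DNS SAN in the example domain while forbidding IP SANs would be `{"DNS": SanRule(minimum=1, regex=r"[a-z0-9.-]+\.example\.com"), "IP": SanRule(maximum=0)}`.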