Amazon Private CA template varieties
Amazon Private CA supports four varieties of template.
- Base templates
Pre-defined templates in which no passthrough parameters are allowed. The issued certificate contains only what the template definition specifies.
- CSRPassthrough templates
Templates that extend their corresponding base template versions by allowing CSR passthrough. Extensions in the CSR that is used to issue the certificate are copied over to the issued certificate. If the CSR contains extension values that conflict with the template definition, the template definition always takes priority. For more details about priority, see Amazon Private CA template order of operations.
- APIPassthrough templates
Templates that extend their corresponding base template versions by allowing API passthrough. Dynamic values that are known to the administrator or to other intermediate systems may not be known by the entity requesting the certificate, may be impossible to define in a template, and may not be available in the CSR. The CA administrator, however, can retrieve additional information from another data source, such as Active Directory, to complete the request. For example, if a machine doesn't know what organizational unit it belongs to, the administrator can look up the information in Active Directory and add it to the certificate request by including it in a JSON structure.
Values in the ApiPassthrough parameter of the IssueCertificate action are copied over to the issued certificate. If the ApiPassthrough parameter contains information that conflicts with the template definition, the template definition always takes priority. For more details about priority, see Amazon Private CA template order of operations.
- APICSRPassthrough templates
Templates that extend their corresponding base template versions by allowing both API and CSR passthrough. Extensions in the CSR used to issue the certificate are copied over to the issued certificate, and values in the ApiPassthrough parameter of the IssueCertificate action are also copied over. If the template definition, the API passthrough values, and the CSR passthrough extensions conflict, the template definition has the highest priority, followed by the API passthrough values, followed by the CSR passthrough extensions. For more details about priority, see Amazon Private CA template order of operations.
Because passthrough templates let the requester (through the CSR) or the API caller (through ApiPassthrough) shape the issued certificate, limit which principals may issue with them, for example by conditioning IssueCertificate permissions on the acm-pca:TemplateArn IAM condition key.
The tables below list all of the template types supported by Amazon Private CA with links to their definitions.
Note
For information about template ARNs in GovCloud regions, see Amazon Private Certificate Authority in the Amazon GovCloud (US) User Guide.
Base templates

| Template Name | Template ARN | Certificate Type |
|---|---|---|
| | | Code signing |
| | | End-entity |
| | | End-entity |
| | | End-entity |
| | | OCSP signing |
| | | CA |
| | | CA |
| | | CA |
| | | CA |
| | | CA |
CSRPassthrough templates

| Template Name | Template ARN | Certificate Type |
|---|---|---|
| | | End-entity |
| BlankEndEntityCertificate_CriticalBasicConstraints_CSRPassthrough/V1 | arn:aws:acm-pca:::template/BlankEndEntityCertificate_CriticalBasicConstraints_CSRPassthrough/V1 | End-entity |
| | | CA |
| | | CA |
| | | CA |
| | | CA |
| | | Code signing |
| | | End-entity |
| | | End-entity |
| | | End-entity |
| | | OCSP signing |
| | | CA |
| | | CA |
| | | CA |
| | | CA |
APIPassthrough templates

| Template Name | Template ARN | Certificate Type |
|---|---|---|
| | | End-entity |
| BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough/V1 | arn:aws:acm-pca:::template/BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough/V1 | End-entity |
| | | Code signing |
| | | End-entity |
| | | End-entity |
| | | End-entity |
| | | OCSP signing |
| | | CA |
| | | CA |
| | | CA |
| | | CA |
| | | CA |
| | | CA |
| | | CA |
| | | CA |
| | | CA |
| | | CA |
| | | CA |
| | | CA |
| | | CA |
| | | CA |
APICSRPassthrough templates

| Template Name | Template ARN | Certificate Type |
|---|---|---|
| | | End-entity |
| BlankEndEntityCertificate_CriticalBasicConstraints_APICSRPassthrough/V1 | arn:aws:acm-pca:::template/BlankEndEntityCertificate_CriticalBasicConstraints_APICSRPassthrough/V1 | End-entity |
| | | Code signing |
| | | End-entity |
| | | End-entity |
| EndEntityServerAuthCertificate_APICSRPassthrough/V1 | arn:aws:acm-pca:::template/EndEntityServerAuthCertificate_APICSRPassthrough/V1 | End-entity |
| | | OCSP signing |
| | | CA |
| | | CA |
| | | CA |
| | | CA |
| SubordinateCACertificate_PathLen2_APICSRPassthrough/PathLen3_APIPassthroughV1 | | CA |
| | | CA |
| | | CA |
| | | CA |