Certificate Template Management
This guide explains how to create and manage certificate templates on SecTrail CM. Certificate templates speed up and standardize the certificate creation process by predefining organization information, key algorithm, and other parameters.
By using templates, you can create certificates from ready-made templates instead of repeatedly entering the same information (Organization, OU, Country, etc.) each time. This saves time and ensures compliance with corporate standards.
What is a Template?β
A template is a predefined structure of certificate creation parameters. By using templates:
- Fast certificate production: Just fill in Common Name and SAN fields, all other fields are automatically filled
- Standardization: Ensure all certificates are created with the same organization information and security parameters
- Error reduction: Prevent manual input errors
- CA Integration: Work integrated with external CAs like ADCS, GlobalSign, DigiCert
Template Listβ
For template management: Go to Inventory β Template menu.
Template List and Operations
You can view and manage all your existing templates in the template list.
List Columnsβ
| Column | Description |
|---|---|
| Template Name | Unique name of the template (e.g., acme, adcs, csr) |
| CA Type | Certificate authority type (ACME, ADCS, CSR, DigiCert, GlobalSign, Hashicorp, LocalCA) |
| Domain Name | Domain/organization domain the template is associated with |
| Organization | Organization name |
| Contact email address | |
| Key | Key algorithm (RSA, ECDSA) |
| Actions | Action buttons (Generate, Edit, Delete) |
Template Operationsβ
You can perform three basic operations for each template:
1. Generate (Create Certificate)β
When you click the Generate button, the certificate creation screen opens with template parameters pre-filled. You only need to fill in Common Name and Subject Alternative Names (SAN) fields.
Creating Certificate with Template
When creating certificate with template:
- Click the Generate button of the desired template from the template list
- Check auto-filled fields in the opened form:
- CA Type, Organization, OU, Locality, State, Country
- Key Algorithm, Key Length, Hash Function
- Lifetime, E-mail Address
- Fill in Common Name field (e.g.,
test.sectrail.local) - Add additional domains or IPs to Subject Alternative Names field (optional)
- Click Generate button
Using templates, you can create certificates instantly by filling in only 2 fields (Common Name and SAN). In normal certificate creation, you need to fill in 15+ fields.
2. Edit (Edit)β
Click the Edit button to edit existing template. You can update template parameters.
3. Delete (Delete)β
Click the Delete button to completely remove the template from the system.
When a template is deleted, certificates previously created with this template are not affected. Only this template cannot be used in future certificate creation operations.
Creating New Templateβ
Click the Create button to create a new certificate template.
New Template Creation Form
Template Parametersβ
You can configure the following parameters when creating a template:
Basic Informationβ
| Field | Required | Description | Example |
|---|---|---|---|
| Name | β Required | Unique name of template | adcs, prod-ssl, dev-cert |
| CA Type | β Required | Certificate authority type | ACME, ADCS, CSR, DigiCert, GlobalSign, Hashicorp, LocalCA |
| Organization | βͺ Optional | Organization name | bntpro.com, Acme Corporation |
| Organizational Unit | βͺ Optional | Department or unit | IT, Engineering, sectrail |
| Locality | βͺ Optional | City | Istanbul |
| State | βͺ Optional | State or province | Istanbul |
| Country | βͺ Optional | Country code (2 characters) | Turkey, TR (dropdown selection) |
Contact and Securityβ
| Field | Description | Example |
|---|---|---|
| Email notification status | Active β / Inactive βͺ | |
| E-mail Address | Contact email address | email@bntpro.com |
| Lifetime | Certificate validity period (days) | 365 (1 year) |
Cryptographic Settingsβ
| Field | Description | Recommended Value |
|---|---|---|
| Key Algorithm | Key algorithm | RSA (default), ECDSA |
| Key Length | Key length | 2048 bit (standard), 4096 bit (high security) |
| Hash Function | Hash algorithm | sha256 (recommended) |
Management and Integrationβ
| Field | Description | Options |
|---|---|---|
| Managed | Will it be a managed certificate? | Yes / No |
| Key Import | Where private key will be stored | Database, Key, HSM, BeyondTrust |
If you set Managed option to "Yes", certificates created with this template will be automatically managed. SecTrail CM:
- Tracks certificate expiry date
- Performs automatic renewal (for protocols like ACME)
- Sends alarms and notifications
For details: Managed Certificates
Notification Messagesβ
You can define customized notification messages in the template:
| Field | Description |
|---|---|
| Generate Text Message | SMS/text message content to be sent when certificate is created |
| Password Length | Automatic password length to be generated (characters) |
| Ignored Domain | Block certificate creation for these domains (e.g., *.example.local) |
| Common Name Format Message | Guidance message to show user about Common Name format |
| Subject Alternative Names Format Message | Guidance message about SAN format |
Integration Settingsβ
| Field | Description | When to Use |
|---|---|---|
| Daily Request Limit | Maximum daily certificate request count | For rate limiting |
| Enable Confirmation | Get confirmation before creating certificate? | Checkbox (β / β) |
Template Typesβ
SecTrail CM supports various CA types for different use cases:
1. LocalCA Templateβ
Used for signing certificates with your own local Certificate Authority.
When to Use:
- For internal network applications
- When producing certificates compliant with corporate standards
- Signing with Root/Intermediate CAs created in SecTrail CM
Example Configuration:
- Name:
localca - CA Type:
LocalCA - Organization:
secrusen - Key Algorithm: RSA
- Key Length: 2048
- Lifetime: 365 days
2. ADCS Templateβ
Creates certificates with Microsoft Active Directory Certificate Services integration.
When to Use:
- In Windows environments
- In enterprise PKI with Active Directory integration
- When automatic domain verification is required
Example Configuration:
- Name:
adcs - CA Type:
ADCS - Organization:
bntpro - Domain Name:
bntpro.local - Key Algorithm: RSA
- Key Length: 2048
3. CSR Templateβ
Used to create Certificate Signing Request. Used when you want to get certificates from external CAs.
When to Use:
- When getting certificates from external CAs (Let's Encrypt, DigiCert, etc.)
- For public SSL/TLS certificates
- When third-party verification is required
Example Configuration:
- Name:
csr - CA Type:
CSR - Organization:
sectrail
4. ACME Templateβ
Creates automatic certificates with ACME protocol (Let's Encrypt, ZeroSSL, etc.).
When to Use:
- For free SSL certificates with Let's Encrypt
- When you want automatic renewal
- For public domains
Example Configuration:
- Name:
acme - CA Type:
ACME - Organization:
bntpro - Managed: Yes (for automatic renewal)
- Lifetime: 90 days (Let's Encrypt standard)
5. DigiCert Templateβ
Creates certificates with DigiCert CertCentral API integration.
When to Use:
- If you're a DigiCert customer
- For OV (Organization Validated) or EV (Extended Validation) certificates
- For enterprise SSL certificates
6. GlobalSign Templateβ
Creates certificates with GlobalSign HVCA (Managed PKI) integration.
When to Use:
- If you have GlobalSign agreement
- For high-volume certificate management
- If you're using Managed PKI service
7. Hashicorp Vault Templateβ
Creates dynamic certificates with Hashicorp Vault PKI Secrets Engine.
When to Use:
- In cloud-native environments
- In Kubernetes, microservices architectures
- For dynamic, short-lived certificates