Updated policy example

tashian · tashian · commit 193f2210bf45 · 2025-04-02T17:49:42.000-07:00
diff --git a/step-ca/templates.mdx b/step-ca/templates.mdx
@@ -2,7 +2,7 @@
 title: Configuring `step-ca` Templates
 html_title: Configuring open source step-ca Templates
 description: Learn how to configure step-ca Templates
-updated_at: April 02, 2025
+updated_at: April 03, 2025
 ---
 
 People use private CAs for all sorts of things, in many different contexts:
@@ -805,6 +805,7 @@ the following properties:
 
 ```json
 {
+    ...
 	"nameConstraints": {
 		"critical": false,
 		"permittedDNSDomains": ["doe.com"],
@@ -814,8 +815,9 @@ the following properties:
 		"permittedEmailAddresses": ["jane@doe.com"],
 		"excludedEmailAddresses": ["jane@doe.org"],
 		"permittedURIDomains": ["https://doe.com"],
-		"excludedURIDomains": ["https://doe.org"],
-	}
+		"excludedURIDomains": ["https://doe.org"]
+    }
+    ...
 }
 ```
 
@@ -824,10 +826,12 @@ write it as a string:
 
 ```json
 {
+    ...
 	"nameConstraints": {
         "critical": true,
         "permittedDNSDomains": "example.com"
     }
+    ...
 }
 ```
 
@@ -861,9 +865,11 @@ also write a custom extension like:
 
 ```json
 {
+  ...
   "extensions": [
     {"id": "1.2.3.4", "critical": false, "value": "Y3VzdG9tIGV4dGVuc2lvbiB2YWx1ZQ=="}
   ]
+  ...
 }
 ```
 
@@ -879,40 +885,43 @@ We'll do that in the next example.
 X.509 Certificate Policies define policy constraints of a certificate.
 They help relying parties determine the trustworthiness of a certificate,
 and how to use it in practice.
-For example, a Certificate Policy might detail how the CA verified the identity of the certificate requestor,
-or elaborate on use cases (TLS, email encryption, code signing) that are allowed by the PKI for that certificate.
 
-A Certificate Practice Statement (CPS) is type of policy that references a human-readable document published by a CA
-describing its operational practices and security controls.
+For example, in the Web PKI, the Policy OID `2.23.140.1.2.1` is used to distinguish a certificate that meets the [CA/Browser Forum Baseline Requirements](https://cabforum.org/working-groups/server/baseline-requirements/requirements/) for Domain Validation.
+
+In an internal PKI, a large organization might use a Certificate Policy to detail to a relying party how the CA verified the identity of the certificate requestor, or to approve a certificate for specific applications.
+But, this sort of use case is very niche because it depends on the relying party.
+
+A Certificate Practices Statement (CPS) is type of Certificate Policy that references a document describing a CA's operational practices and security controls.
 
 Here's [an example of a CPS from Let's Encrypt](https://letsencrypt.org/documents/isrg-cp-cps-v5.7/).
 
-Let's put together a Certificate Policies extension using an X.509 template.
-We'll need to construct some ASN.1 for this:
+Let's add a policy extension with a CPS to an X.509 template.
+We'll need to construct some ASN.1 for this.
 
 ```
 {
+  ...
   "extensions": [
     {
       "id": "2.5.29.32",
       "value": {{
         asn1Seq
           (asn1Seq
-            (asn1Enc "oid:1.3.5.7")
+            (asn1Enc "oid:1.3.6.1.4.1.99999.1.1.1")
             (asn1Seq (asn1Seq (asn1Enc "oid:1.3.6.1.5.5.7.2.1") (asn1Enc "ia5:http://example.com/cps")))
           )
         | toJson
       }}
     }
   ]
+  ...
 }
 ```
 
-First, the OID `2.5.29.32` represents the Certificate Policies extension.
+First, the public OID `2.5.29.32` represents the Certificate Policies extension.
 In the value for this extension, we have two policies.
-The first references Policy OID `1.3.5.7`, a custom policy OID that would be defined by the organization.
-For the second value, both a Policy OID and a CPS URI `http://example.com/cps` is provided.
-The CPS URI contains a document explaining how the CA enforces policy `1.3.6.1.5.5.7.2.1`.
+The first references Policy OID `1.3.6.1.4.1.99999.1.1.1`, a custom policy OID that would be defined by our organization.
+The second policy contains both the well-defined OID  `1.3.6.1.5.5.7.2.1` [representing a CPS pointer](https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.1.4), and the CPS pointer `http://example.com/cps`.
 
 #### X.509 OpenVPN certificates
 
