Commit 481f932

Note about SAN and subject values
1 parent e824507 commit 481f932

1 file changed

+11
-6
lines changed

step-ca/templates.mdx

Lines changed: 11 additions & 6 deletions
@@ -2,6 +2,7 @@
22
title: Configuring `step-ca` Templates
33
html_title: Configuring open source step-ca Templates
44
description: Learn how to configure step-ca Templates
5+
updated_at: March 24, 2024
56
---
67

78
People use private CAs for all sorts of things, in many different contexts:
@@ -219,14 +220,18 @@ See [the complete list of fields supported in `step-ca` templates](https://githu
219220
Here are some constants available in X.509 certificate templates:
220221

221222
- **.Subject**:
222-
This is the subject that was passed in to `step certificate` or `step ca certificate`. Specifically,
223-
`.Subject.CommonName` contains the Common Name for the certificate.
223+
The subject that was passed in to `step certificate` or `step ca certificate`. Specifically,
224+
`.Subject.CommonName` contains the Common Name for the certificate. By default, a passed-in subject
225+
value must match a value from a trusted source in order to be added to the certificate. The
226+
client is only a trusted source if they are an admin using the JWK provisioner.
224227

225228
- **.SANs**:
226229
Subject Alternative Names.
227230
This is a list of maps containing SANs for the certificate.
228231
Unless SANs are specified (using the `--san` flag, for example),
229-
the `.Subject.CommonName` is the default SAN.
232+
the `.Subject.CommonName` is the default SAN. By default, a passed-in subject
233+
value must match a value from a trusted source in order to be added to the certificate. The
234+
client is only a trusted source if they are an admin using the JWK provisioner.
230235

231236
- **.Token**:
232237
If a signed token was used to obtain the certificate
@@ -750,8 +755,8 @@ If you need to pass more than one value,
750755
you can use `--set` multiple times or use a JSON file with multiple properties.
751756

752757
It's worth mentioning the while we used `"dnsNames"` instead of `"sans"` in the example above, both can
753-
be used. `"dnsNames"` is an array of strings (or just one string if only one is
754-
required), while `"sans"` is an array of objects like:
758+
be used. `"dnsNames"` is a list of strings (or just one string if only one is
759+
required), while `"sans"` is an list of maps:
755760

756761
```json
757762
[
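Review bot: the new line `required), while `"sans"` is an list of maps:` has an article error; it should read "is a list of maps:". The rename from "array of objects" to "list of maps" is consistent with the `.SANs` description earlier in the page ("a list of maps containing SANs"), so the wording change itself looks right.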
@@ -762,7 +767,7 @@ required), while `"sans"` is an array of objects like:
762767
]
763768
```
764769

765-
The array `.SANs` is generated by the provisioner,
770+
The list `.SANs` is generated by the provisioner,
766771
containing the values of the trusted names.
767772

768773
Besides `"dnsNames"`, you can also use `"emailAddresses"`, `"ipAddresses"`, and