Add a certificate policy example to the Templates docs

tashian · tashian · commit 897b61bcfbff · 2025-04-02T13:54:35.000-07:00
diff --git a/step-ca/templates.mdx b/step-ca/templates.mdx
@@ -2,7 +2,7 @@
 title: Configuring `step-ca` Templates
 html_title: Configuring open source step-ca Templates
 description: Learn how to configure step-ca Templates
-updated_at: March 26, 2025
+updated_at: April 02, 2025
 ---
 
 People use private CAs for all sorts of things, in many different contexts:
@@ -861,16 +861,58 @@ also write a custom extension like:
 
 ```json
 {
-	"extensions": [
-		{"id": "1.2.3.4", "critical": false, "value": "Y3VzdG9tIGV4dGVuc2lvbiB2YWx1ZQ=="}
-	]
+  "extensions": [
+    {"id": "1.2.3.4", "critical": false, "value": "Y3VzdG9tIGV4dGVuc2lvbiB2YWx1ZQ=="}
+  ]
+}
+```
+
+The value of the extension is the Base64 encoding of the
+actual ASN.1 bytes that go into that extension.
+
+For a more human-readable template,
+you can also use [ASN.1 functions](#asn1-values) in the extension `value` field.
+We'll do that in the next example.
+
+#### Deep dive: Certificate Policies
+
+X.509 Certificate Policies define policy constraints of a certificate.
+They help relying parties determine the trustworthiness of a certificate,
+and how to use it in practice.
+For example, a Certificate Policy might detail how the CA verified the identity of the certificate requestor,
+or elaborate on use cases (TLS, email encryption, code signing) that are allowed by the PKI for that certificate.
+
+A Certificate Practice Statement (CPS) is type of policy that references a human-readable document published by a CA
+describing its operational practices and security controls.
+
+Here's [an example of a CPS from Let's Encrypt](https://letsencrypt.org/documents/isrg-cp-cps-v5.7/).
+
+Let's put together a Certificate Policies extension using an X.509 template.
+We'll need to construct some ASN.1 for this:
+
+```
+{
+  "extensions": [
+    {
+      "id": "2.5.29.32",
+      "value": {{
+        asn1Seq
+          (asn1Seq
+            (asn1Enc "oid:1.3.5.7")
+            (asn1Seq (asn1Seq (asn1Enc "oid:1.3.6.1.5.5.7.2.1") (asn1Enc "ia5:http://example.com/cps")))
+          )
+        | toJson
+      }}
+    }
+  ]
 }
 ```
 
-The crux here is that the value of the extension is the Base64 encoding of the
-actual bytes that go into that extension, so if you are encoding a structure
-in your extension using the ASN.1 encoding, you will have to put the Base64
-version of the encoded bytes.
+First, the OID `2.5.29.32` represents the Certificate Policies extension.
+In the value for this extension, we have two policies.
+The first references Policy OID `1.3.5.7`, a custom policy OID that would be defined by the organization.
+For the second value, both a Policy OID and a CPS URI `http://example.com/cps` is provided.
+The CPS URI contains a document explaining how the CA enforces policy `1.3.6.1.5.5.7.2.1`.
 
 #### X.509 OpenVPN certificates
 
