← Week 2: ACM Private CA — architecture + API

Day 10: Certificate Templates — What ACM PCA Can Issue

Phase 5 · September 4, 2026

Agenda (2–3 hours)

  • Read (45 min): ACM PCA docs — "Understanding certificate templates"; template ARN list
  • Study (60 min): Template extensions; custom templates; what templates can and cannot control
  • Write (45 min): Choose templates for your provisioning service use cases

What Is a Certificate Template?

When you call IssueCertificate, you must provide a template ARN.
The template controls which X.509 extensions are set in the issued certificate:

  • Basic Constraints (CA flag, path length)
  • Key Usage (digitalSignature, keyEncipherment, etc.)
  • Extended Key Usage (serverAuth, clientAuth, codeSigning, etc.)
  • Subject Alternative Name (allowed in custom templates)
  • CRL/OCSP distribution points (added by ACM PCA based on CA config)

Templates ensure certificates are issued with the correct extension profile
even when the caller's CSR requests different or inappropriate extensions.

Built-in Template ARNs

Template                    ARN suffix                             Purpose
End entity (server+client)  EndEntityCertificate/V1                General mTLS leaf cert
End entity (server only)    EndEntityServerAuthCertificate/V1      TLS server cert
End entity (client only)    EndEntityClientAuthCertificate/V1      TLS client cert
Code signing                CodeSigningCertificate/V1              Software signing
OCSP response signing       OcspSigningCertificate/V1              OCSP responder
Root CA                     RootCACertificate/V1                   Self-signed root CA cert
Subordinate CA (pathLen 0)  SubordinateCACertificate_PathLen0/V1   Leaf-issuing sub CA
Subordinate CA (pathLen 1)  SubordinateCACertificate_PathLen1/V1   One more sub CA level

Full ARN format: arn:aws:acm-pca:::template/<TemplateId>

Template: EndEntityCertificate/V1

Extensions in an EndEntityCertificate/V1 cert:

Basic Constraints: CA:false
Key Usage: digitalSignature, keyEncipherment
Extended Key Usage: serverAuth, clientAuth
Subject Alternative Name: from CSR (DNS, IP, email, URI)
CRL Distribution Points: from CA CRL config (if enabled)
Authority Info Access: OCSP URL (if OCSP enabled)

This is the template for a general mTLS leaf cert.
Your provisioning service would use this to issue device and service certs.

Custom Templates (API Passthrough)

For specialized certificates (like SPIFFE SVIDs), use a custom template:

Template ARN: arn:aws:acm-pca:::template/EndEntityCertificate_APIPassthrough/V1
(the APIPassthrough variant of EndEntityCertificate/V1)

The APIPassthrough variant allows the IssueCertificate call to include
custom extensions in the ApiPassthrough field:

use aws_sdk_acmpca::types::{ApiPassthrough, Extensions, GeneralName};

// Request a URI SAN carrying the workload's SPIFFE ID. ACM PCA only honors
// these extensions when the request names an APIPassthrough template.
let api_passthrough = ApiPassthrough::builder()
    .extensions(
        Extensions::builder()
            // Each call appends one GeneralName to the SAN list.
            .subject_alternative_names(
                GeneralName::builder()
                    .uniform_resource_identifier(
                        "spiffe://leo.amazon.com/ns/prod/svc/provisioning"
                    )
                    .build()
            )
            .build()
    )
    .build();

acmpca_client
    .issue_certificate()
    .api_passthrough(api_passthrough)
    // ... remaining IssueCertificate parameters (CA ARN, CSR, signing algorithm, template ARN, validity)

SPIFFE SVID via ACM PCA

An X.509-SVID requires:

  • URI SAN = spiffe://trust-domain/path
  • CA:false
  • digitalSignature key usage
  • serverAuth + clientAuth extended key usage

Use the APIPassthrough variant of EndEntityCertificate/V1 so the URI SAN can be
supplied in the request.

Template: arn:aws:acm-pca:::template/EndEntityCertificate_APIPassthrough/V1

CSR: contains the subject (can be empty for SVIDs)
ApiPassthrough.Extensions.SubjectAlternativeNames:
  - UniformResourceIdentifier: spiffe://leo.amazon.com/ns/prod/svc/leo-agent

Limitation: ACM PCA validates that URI SANs are valid URIs but does NOT
enforce that they are spiffe:// URIs. Your application must validate this.
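The application-side check that limitation calls for, as an added example (not code from the page or the AWS SDK), in Rust with no crate dependencies: a URI SAN is accepted only when it is a syntactically valid SPIFFE ID inside the assumed trust domain leo.amazon.com; requiring a non-empty workload path is an assumed policy.

```rust
// Added example (not from the page or the AWS SDK): accept a URI SAN only when it
// is a valid SPIFFE ID in our trust domain. ACM PCA checks URI syntax only, so this
// runs in the provisioning service before IssueCertificate. TRUST_DOMAIN is assumed.
const TRUST_DOMAIN: &str = "leo.amazon.com";
const MAX_SPIFFE_ID_LEN: usize = 2048;

#[derive(Debug, PartialEq)]
pub enum SpiffeError { TooLong, Scheme, TrustDomain, Path }

fn trust_domain_char(c: char) -> bool {
    c.is_ascii_lowercase() || c.is_ascii_digit() || matches!(c, '.' | '-' | '_')
}

fn path_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_')
}

/// Returns the workload path of `uri` when it is a SPIFFE ID in TRUST_DOMAIN.
pub fn validate_spiffe_id(uri: &str) -> Result<&str, SpiffeError> {
    if uri.len() > MAX_SPIFFE_ID_LEN {
        return Err(SpiffeError::TooLong);
    }
    // The scheme is case-insensitive; the trust domain and path are not.
    let scheme_ok = uri.get(..9).map_or(false, |s| s.eq_ignore_ascii_case("spiffe://"));
    if !scheme_ok {
        return Err(SpiffeError::Scheme);
    }
    let rest = &uri[9..];
    let (td, path) = match rest.find('/') {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, ""),
    };
    if td.is_empty() || !td.chars().all(trust_domain_char) || td != TRUST_DOMAIN {
        return Err(SpiffeError::TrustDomain);
    }
    // Assumed policy: a workload SVID must carry a path. Segments must be non-empty
    // and not "." or "..", and the allowed character set excludes '?', '#' and '%',
    // which also rules out query strings, fragments and percent-encoding.
    if path.is_empty() || path.ends_with('/') {
        return Err(SpiffeError::Path);
    }
    for seg in path[1..].split('/') {
        if seg.is_empty() || seg == "." || seg == ".." || !seg.chars().all(path_char) {
            return Err(SpiffeError::Path);
        }
    }
    Ok(path)
}
```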

Template for Device Certificates

Satellite terminal devices need certs with:

  • Subject: device serial number
  • DNS SAN or URI SAN for device identity
  • ClientAuth EKU (devices connect to a server)
  • Short validity (90 days for rotation)

Template choice: EndEntityClientAuthCertificate/V1

use aws_sdk_acmpca::types::{SigningAlgorithm, Validity, ValidityPeriodType};

// device_issuance_ca_arn and device_csr_bytes (the CSR as a Blob) come from the
// provisioning service after it has validated the CSR against its device registry.
let response = acmpca_client
    .issue_certificate()
    .certificate_authority_arn(device_issuance_ca_arn)
    .csr(device_csr_bytes)
    .signing_algorithm(SigningAlgorithm::Sha256Withecdsa)
    // Client-auth-only template: clientAuth EKU and CA:false, no serverAuth.
    .template_arn(
        "arn:aws:acm-pca:::template/EndEntityClientAuthCertificate/V1"
    )
    // 90-day validity to match the device rotation schedule.
    .validity(
        Validity::builder()
            .r#type(ValidityPeriodType::Days)
            .value(90)
            .build()?
    )
    .send()
    .await?;
// response.certificate_arn() identifies the issued cert for a later GetCertificate call.

What Templates Cannot Control

Templates control extensions but NOT:

Property                            Controlled by
Subject DN                          CSR (caller-provided)
Public key                          CSR (caller-provided)
Validity period                     IssueCertificate Validity parameter
Subject Alternative Names (DNS/IP)  CSR or APIPassthrough
CA-specific CRL/OCSP URLs           CA configuration

The CSR is trusted — ACM PCA does not validate that the subject matches
a registered identity. Your provisioning service is responsible for CSR validation
before calling IssueCertificate.

This is a critical security point: if a rogue caller submits a CSR with
CN=leo-admin, ACM PCA will issue a cert with that subject.
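One shape such a pre-issuance check can take, as an added example rather than code from the page: the provisioning service authorizes the parsed CSR against its enrollment registry before choosing a template and calling IssueCertificate. CSR parsing is assumed to happen elsewhere; the registry entries, caller identities and the device DNS suffix are constructed.

```rust
// Added example (not from the page): the pre-issuance authorization the provisioning
// service runs, because ACM PCA signs whatever subject and SANs the CSR carries.
// CSR fields are assumed already parsed; registry, callers and DNS suffix are constructed.
use std::collections::HashMap;

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum CertType { Device, ServiceMtls }

pub struct ParsedCsr<'a> {
    pub common_name: &'a str,
    pub dns_sans: Vec<&'a str>,
    pub key_algorithm: &'a str, // as reported by the CSR parser, e.g. "EC-P256"
}
/// Enrollment registry: subject name -> the caller allowed to request it.
pub type Registry = HashMap<&'static str, &'static str>;

#[derive(Debug, PartialEq)]
pub struct Approved { pub template_arn: &'static str, pub validity_days: i64 }
const DEVICE_TEMPLATE: &str = "arn:aws:acm-pca:::template/EndEntityClientAuthCertificate/V1";
const SERVICE_TEMPLATE: &str = "arn:aws:acm-pca:::template/EndEntityCertificate/V1";

/// Template and validity to pass to IssueCertificate, or the reason to refuse.
pub fn authorize(caller: &str, cert_type: CertType, csr: &ParsedCsr,
                 registry: &Registry) -> Result<Approved, String> {
    if csr.key_algorithm != "EC-P256" {
        return Err(format!("unsupported key algorithm {}", csr.key_algorithm));
    }
    // The CN must be enrolled, and enrolled to this caller: a request for CN=leo-admin
    // or for another device's serial is refused before the CA is ever called.
    match registry.get(csr.common_name) {
        Some(owner) if *owner == caller => {}
        _ => return Err(format!("CN {} is not enrolled to {}", csr.common_name, caller)),
    }
    match cert_type {
        CertType::Device => {
            // Device SANs may only name the device itself (assumed naming scheme).
            let expected = format!("{}.devices.leo.amazon.com", csr.common_name);
            if csr.dns_sans.iter().any(|s| *s != expected) {
                return Err("device DNS SAN does not match its serial".into());
            }
            Ok(Approved { template_arn: DEVICE_TEMPLATE, validity_days: 90 })
        }
        CertType::ServiceMtls => {
            // A service may only hold a cert for the DNS name it is enrolled under.
            if csr.dns_sans.len() != 1 || csr.dns_sans[0] != csr.common_name {
                return Err("service DNS SAN must equal its enrolled name".into());
            }
            Ok(Approved { template_arn: SERVICE_TEMPLATE, validity_days: 365 })
        }
    }
}
```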

Challenge Assignment

For each certificate type your provisioning service issues, specify the template:

Cert type       Template ARN                             Key usage                          EKU                     SAN type         Validity
Device cert     EndEntityClientAuthCertificate/V1        digitalSignature                   clientAuth              DNS or URI       90 days
Service mTLS    EndEntityCertificate/V1                  digitalSignature, keyEncipherment  serverAuth, clientAuth  DNS              1 year
SVID-like       EndEntityCertificate_APIPassthrough/V1   digitalSignature                   serverAuth, clientAuth  URI (spiffe://)  1 hour
OCSP responder  OcspSigningCertificate/V1                digitalSignature                   ocspSigning             (none)           1 year

Add this table to acm-pca-design.md §2 (Certificate Templates).

Resources

  • ACM PCA template reference: docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html
  • APIPassthrough templates: docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html#template-api-passthrough
  • aws-sdk-acmpca Extensions types: docs.rs/aws-sdk-acmpca → types::Extensions
  • X.509 EKU OIDs: RFC 5280 §4.2.1.12