JWK provisioner and templates

[adraFR]

Hello,

How can i switch between templates when requesting a certificate from the same JWK provisionner ?
Is there some way to declare several templates allowed in file ca.json ? Maybe something like this ?
"options": {
"x509": {
"templateFile": ["templates/certs/x509/leaf.tpl", "templates/certs/x509/custom.tpl"]
},
Or, should I create as many provisionners as required templates ?

Thanks for your guidance

[hslatman]

Hey @adraFR, at the moment we don't support multiple templates to be available (and selectable) at a single time in a single provisioner. The contents of a template will influence what ends up in the final certificate, and making this (more) flexible might result in more confusing results or in too much control for the client.

If you need multiple templates, you can indeed use multiple provisioners. This makes sense, because that way you'll be able to tie the authentication method to what ends up in the certificate, so that you can differentiate in "low vs. high risk names", for example.

It is also possible to change the template between requests, but that requires more orchestration in terms of updating the template and either 1) restarting the CA or 2) updating it via the admin API. And that will have to happen at the right time, likely requiring some form of application in front of the CA to manage this for you.