Templates can be added to Certificate Manager authorities only. If you need a template added to an SSH Professional authority, create a support ticket.

Templates give you granular control over certificate details.  By default, Certificate Manager is tuned to issue short-lived certificates for use with TLS. Templates let you customize every detail of a certificate, down to the OID, to support any use case.

Concretely, a template is a JSON representation of a certificate that's materialized using Go's [text/template](<https://golang.org/pkg/text/template/>) module and sprig functions. They look like this:

Context from certificate requests and authentication credentials are made available as template variables, so you can adjust certificate details based on who's requesting the certificate.

An example of how to update a provisioner with this template looks similar to the following:

step beta ca provisioner update [[your_provisioner]] \
 --ssh-template=<(echo '
       "type": {{ toJson .Subject }},
       "keyId": {{ toJson .SANS ) }},
       {{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
           "keyUsage": ["keyEncipherment","digitalSignature"],
       {{- else }}
           "keyUsage": ["digitalSignature"],
       {{- end}}
       "extKeyUsage": ["serverAuth", "clientAuth"]