certificate-authority: {
    # allow CA to sign certificate requests that have subject alternative names.
    allow-subject-alt-names: <%= @allow_subject_alt_names %>

    # allow CA to sign certificate requests that have authorization extensions.
    allow-authorization-extensions: <%= @allow_authorization_extensions %>

    # enable the separate CRL for Puppet infrastructure nodes
    enable-infra-crl: <%= @enable_infra_crl %>
}