certificate-authority: {
    # allow CA to sign certificate requests that have subject alternative names.
    # allow-subject-alt-names: false

    # allow CA to sign certificate requests that have authorization extensions.
    # allow-authorization-extensions: false

    # enable the separate CRL for Puppet infrastructure nodes
    # enable-infra-crl: false
}