Schema for :ref:`server-plugins-generators-cfg-ssl-certificates` ``sslformat.xml`` An **SSLCAFormatGroupType** is a tag used to provide logic. Child entries of an SSLCAFormatGroupType tag only apply to machines that match the condition specified -- either membership in a group, or a matching client name. :xml:attribute:`SSLCAFormatGroupType:negate` can be set to negate the sense of the match. The name of the client or group to match on. Child entries will only apply to this client or group (unless :xml:attribute:`SSLCAFormatGroupType:negate` is set). Negate the sense of the match, so that child entries only apply to a client if it is not a member of the given group or does not have the given name. Available cert formats Available ker formats Format of the cert in the generated format. Currently only ``pem`` and ``der`` is supported. Format of the key in the generated format. Currently only ``pem`` and ``der`` is supported. The full path to the cert entry to use for this format. This is the *client* path; e.g., for a cert defined at ``/var/lib/bcfg2/SSLCA/etc/pki/tls/private/foo.pem/sslcert.xml``, **cert** should be ``/etc/pki/tls/private/foo.pem``. This if required if the cert is used in the format. The full path to the key entry to use for this certificate. This is the *client* path; e.g., for a key defined at ``/var/lib/bcfg2/SSLCA/etc/pki/tls/private/foo.key/sslkey.xml``, **key** should be ``/etc/pki/tls/private/foo.key``. This is only required if the key is used in the format and **cert** is not a SSLCA generated cert. Top-level tag for describing an SSLCA generated cert format.