module: ietf-keystore
  +--rw keystore {central-keystore-supported}?
     +--rw asymmetric-keys {asymmetric-keys}?
     |  +--rw asymmetric-key* [name]
     |     +--rw name                           string
     |     +--rw public-key-format?             identityref
     |     +--rw public-key?                    binary
     |     +--rw private-key-format?            identityref
     |     +--rw (private-key-type)
     |     |  +--:(cleartext-private-key) {cleartext-private-keys}?
     |     |  |  +--rw cleartext-private-key?   binary
     |     |  +--:(hidden-private-key) {hidden-private-keys}?
     |     |  |  +--rw hidden-private-key?      empty
     |     |  +--:(encrypted-private-key) {encrypted-private-keys}?
     |     |     +--rw encrypted-private-key
     |     |        +--rw encrypted-by
     |     |        |  +--rw (encrypted-by)
     |     |        |     +--:(central-symmetric-key-ref)
     |     |        |     |        {central-keystore-supported,symmetric-keys}?
     |     |        |     |  +--rw symmetric-key-ref?
     |     |        |     |          ks:central-symmetric-key-ref
     |     |        |     +--:(central-asymmetric-key-ref)
     |     |        |              {central-keystore-supported,asymmetric-keys}?
     |     |        |        +--rw asymmetric-key-ref?
     |     |        |                ks:central-asymmetric-key-ref
     |     |        +--rw encrypted-value-format    identityref
     |     |        +--rw encrypted-value           binary
     |     +--rw certificates
     |     |  +--rw certificate* [name]
     |     |     +--rw name                      string
     |     |     +--rw cert-data                 end-entity-cert-cms
     |     |     +---n certificate-expiration
     |     |             {certificate-expiration-notification}?
     |     |        +-- expiration-date    yang:date-and-time
     |     +---x generate-csr {csr-generation}?
     |        +---w input
     |        |  +---w csr-format    identityref
     |        |  +---w csr-info      csr-info
     |        +--ro output
     |           +--ro (csr-type)
     |              +--:(p10-csr)
     |                 +--ro p10-csr?   p10-csr
     +--rw symmetric-keys {symmetric-keys}?
        +--rw symmetric-key* [name]
           +--rw name                             string
           +--rw key-format?                      identityref
           +--rw (key-type)
              +--:(cleartext-symmetric-key)
              |  +--rw cleartext-symmetric-key?   binary
              |          {cleartext-symmetric-keys}?
              +--:(hidden-symmetric-key) {hidden-symmetric-keys}?
              |  +--rw hidden-symmetric-key?      empty
              +--:(encrypted-symmetric-key)
                       {encrypted-symmetric-keys}?
                 +--rw encrypted-symmetric-key
                    +--rw encrypted-by
                    |  +--rw (encrypted-by)
                    |     +--:(central-symmetric-key-ref)
                    |     |        {central-keystore-supported,symmetric-keys}?
                    |     |  +--rw symmetric-key-ref?
                    |     |          ks:central-symmetric-key-ref
                    |     +--:(central-asymmetric-key-ref)
                    |              {central-keystore-supported,asymmetric-keys}?
                    |        +--rw asymmetric-key-ref?
                    |                ks:central-asymmetric-key-ref
                    +--rw encrypted-value-format    identityref
                    +--rw encrypted-value           binary