Policies for Workload Identity Manager¶
Policies are sets of rules that determine how certificates can be issued. You create a policy, then you add rules to the policy. When new certificates are issued based on that policy, they must follow the rules set by the policy.
For example, if you only want to issue certificates that have a specific key type, you can create a rule that requires that key type be used.
Policies help maintain both order and security by ensuring Workload Identity Manager only issues the types of certificates you want.
Tip
We recommend you create a policy after you have created a subordinate CA provider.
To create a policy¶
Create your policy to specify the rules with which end entities must comply.
- Sign in to Venafi Control Plane.
- Click Policies > Workload Issuance Policies.
- On the Policies page, click New.
- Enter a Name for your new policy.
- Specify a Client Cert Validity.
- If the Workload Identity Manager client specifies a validity in their request, this is the maximum that will be allowed, but it will allow a lower value from the request.
- If the Workload Identity Manager client doesn't specify a validity, this value will be used.
- Specify the Subject and Subject Alternative Names (SAN), which are used as the rules with which end entities must comply. The input fields accept both literal strings and regular expressions.
The Subject and SAN fields are standard TLS certificate fields. The Subject identifies the owner of the certificate. The SAN fields restrict how the certificate can be used; if it is used in a way not listed on the SANs, it won't be trusted.
What's a type?
Types are how Workload Identity Manager determines whether or not a specific CSR is valid.
- Ignored: Use for properties that you don't want to appear in the issued certificate (whether requested or not).
- Forbidden: Use for properties that you don't want included in the CSR.
- Optional: Use for properties that you want included in the issued certificate; the property will appear there as long as it complies with policy. The request will fail for properties that are requested but don't comply with policy. Also, if a property is not present in the request, the policy Default Value will appear in the issued certificate (does not apply to CN or SANs).
- Required: Use to require that a field must be specified in the CSR.
- Locked: Use to prevent users from changing the common name you specify, and to prevent adding additional common names.
How do I use Default Value for subjects?
- If the type is Optional, the Default Value determines what will be entered on the CSR if nothing is included in the request.
- If the type is Locked, the Default Value is the only valid value and cannot be changed by a request.
Using regular expressions
The Subject and SAN fields accept both literal strings and regular expressions. To enter a regular expression value you must prefix it with the caret (`^`) symbol, and always append the `$` symbol at the end. If you require a suffix, you can always use `.*$` (any characters, then end of string).
Some examples of common uses¶
- Common Name (CN) example that allows all subdomains of acme.com: `^(?:\.|(?:[A-Za-z0-9-]+\.)*)acme\.com$`
- DNS (SAN) example that allows all subdomains except wildcards for acme.com: `^[a-zA-Z0-9_-]+[.]acme[.]com$`
- IP Addresses (SAN) example that ensures the value complies with RFC 1918 (IPv4 private address): `^(?:10(?:\.\d{1,3}){3}|172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2}|192\.168(?:\.\d{1,3}){2})$`
- URI (SAN) example that allows any subdomain of acme.com that starts with `https://`, `ldaps://`, or `spiffe://`: `^(https|ldaps|spiffe)://.*\.acme\.com$`
- Email Addresses (SAN) example that allows all addresses that end in acme.com: `^(?:[A-Za-z0-9._%+-]+)?@acme\.com$`
Regular expression syntax reference¶
| Syntax | Description | Example | Matches |
| --- | --- | --- | --- |
| `*` | Matches any number of characters including none. | `^.*[.]acme[.]com` | site-1.acme.com, www.acme.com, *.acme.com |
| `.` | Matches a single character. | `^.?team[.]acme[.]com` | ateam.acme.com, bteam.acme.com, 1team.acme.com |
| `[abc]` | Matches one character given in the bracket. | `^[tmb]ike[.]acme[.]com` | tike.acme.com, mike.acme.com, bike.acme.com |
| `[a-z]` | Matches one character from the range given in the bracket. | `[w-z]-net[.]acme[.]com` | w-net.acme.com, x-net.acme.com, y-net.acme.com, z-net.acme.com |
| `[^0-9]` | Matches one character outside the range given in the bracket. | `^[^0-3][yz][.]acme[.]com` | 4y.acme.com, 5z.acme.com, 6y.acme.com |
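The following is an added example, not code from the Venafi documentation or product: a small Python checker that applies the five policy patterns from the examples above to a constructed CSR, using the page's convention that a value beginning with `^` is a regular expression and anything else is a literal. It also goes one step beyond the page by showing what happens when a rule omits the trailing `$` (it degrades to a prefix match) and that the RFC 1918 pattern does not range-check octets; the field names and the CSR contents are assumptions made for the example.

```python
import re

# Policy patterns copied from the examples above (acme.com is the page's placeholder domain).
RULES = {
    "cn":    [r"^(?:\.|(?:[A-Za-z0-9-]+\.)*)acme\.com$"],
    "dns":   [r"^[a-zA-Z0-9_-]+[.]acme[.]com$"],
    "ip":    [r"^(?:10(?:\.\d{1,3}){3}|172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2}|192\.168(?:\.\d{1,3}){2})$"],
    "uri":   [r"^(https|ldaps|spiffe)://.*\.acme\.com$"],
    "email": [r"^(?:[A-Za-z0-9._%+-]+)?@acme\.com$"],
}


def rule_matches(rule: str, value: str) -> bool:
    """A rule starting with '^' is a regular expression; anything else is an exact literal.

    re.match anchors only at the start of the string, so a regex rule without a
    trailing '$' turns into a prefix match. That is why the text says to always
    append '$'.
    """
    if rule.startswith("^"):
        return re.match(rule, value) is not None
    return rule == value


def check_csr(csr: dict, rules: dict = RULES) -> list:
    """Return (field, value) pairs that no rule for that field allows.

    A value is accepted when at least one of the field's rules matches it.
    """
    rejected = []
    for field, values in csr.items():
        allowed = rules.get(field, [])
        for value in values:
            if not any(rule_matches(r, value) for r in allowed):
                rejected.append((field, value))
    return rejected


# Constructed CSR contents for the demonstration (hypothetical, not a real request).
SAMPLE_CSR = {
    "cn":    ["api.acme.com"],
    "dns":   ["api.acme.com", "*.acme.com"],   # the wildcard is rejected by the DNS rule
    "ip":    ["10.1.2.3", "8.8.8.8"],          # 8.8.8.8 is not RFC 1918 space
    "uri":   ["spiffe://workload.acme.com"],
    "email": ["ops@acme.com"],
}

if __name__ == "__main__":
    for field, value in check_csr(SAMPLE_CSR):
        print(f"rejected {field}: {value}")
```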
- Under Key Constraint, select one or more key algorithms.
  - If there is only one key algorithm, the Workload Identity Manager's clients must use that algorithm.
  - If there are multiple key algorithms, the Workload Identity Manager's clients can use any of the approved algorithms. If no algorithm is specified, the one specified as the Default Value will be used.
  - Key algorithms are always Required type.
- Select Issuance Parameters options.
  - Key usage. For TLS certificates, select both Digital Signature AND Key Encipherment.
  - Extended key usage. Select one or more of the following:
    - If issuing server certificates, select Server Authentication.
    - If issuing client certificates, select Client Authentication.
- When you're finished, click Create.
What's next?¶
Now that you have created a policy, your next step is to create a service account that will allow the Workload Identity Manager server to connect to the Venafi Control Plane using a specific configuration (that you will configure in a future step). However, before you can create a service account, you will need to create a team, if you haven't yet.
What do you want to do?
- I don't have a team (or I don't know if I do), so take me to the documentation on teams.
- I know my team is configured, so take me to the service account documentation.