
Policies for Workload Identity Manager

Policies are sets of rules that determine how certificates can be issued. You create a policy, then you add rules to the policy. When new certificates are issued based on that policy, they must follow the rules set by the policy.

For example, if you only want to issue certificates that have a specific key type, you can create a rule that requires that key type be used.

Policies help maintain both order and security by ensuring Workload Identity Manager only issues the types of certificates you want.

Tip

We recommend you create a policy after you have created a subordinate CA provider.

To create a policy

Create your policy to specify the rules with which end entities must comply.

  1. Sign in to Venafi Control Plane.
  2. Click Policies > Workload Issuance Policies.
  3. On the Policies page, click New.
  4. Enter a Name for your new policy.
  5. Specify a Client Cert Validity.
    • If the Workload Identity Manager client specifies a validity in its request, this value is the maximum allowed; a shorter validity from the request is accepted.
    • If the Workload Identity Manager client doesn't specify a validity, this value is used.
  6. Specify the Subject and Subject Alternative Names (SAN), which are used as the rules with which end entities must comply. The input fields accept both literal strings and regular expressions.

    The Subject and SAN fields are standard TLS certificate fields. The Subject identifies the owner of the certificate. The SAN fields restrict how the certificate can be used; if it is used in a way not listed on the SANs, it won't be trusted.

    What's a type?

    Types are how Workload Identity Manager determines whether or not a specific CSR is valid.

    • Ignored Use for properties that you don't want to appear in the issued certificate (whether they are requested or not).
    • Forbidden Use for properties that you don't want included in the CSR; a request that contains them is rejected.
    • Optional Use for properties that you want included in the issued certificate; the property will appear there as long as it complies with policy. The request will fail for properties that are requested but don't comply with policy. If a property is not present in the request, the policy's Default Value will appear in the issued certificate (this does not apply to the CN or SANs).
    • Required Use to require that a field must be specified in the CSR.
    • Locked Use to prevent requests from changing the common name you specify, and to prevent additional common names from being added.

    How do I use Default Value for subjects?

    • If the type is Optional, the Default Value determines what is entered in the certificate if nothing is included in the request.
    • If the type is Locked, the Default Value is the only valid value and cannot be changed by a request.

    Using regular expressions

    The Subject and SAN fields accept both literal strings and regular expressions. To enter a regular expression value you must prefix it with the caret ^ symbol, and always append the $ symbol at the end. If you only want to constrain the beginning of a value, end the expression with .*$ to allow any suffix.

    Some examples of common uses

    Common Name (CN) example that allows all subdomains of acme.com:

    ^(?:\.|(?:[A-Za-z0-9-]+\.)*)acme\.com$

    DNS (SAN) example that allows all subdomains except wildcards for acme.com:

    ^[a-zA-Z0-9_-]+[.]acme[.]com$

    IP Addresses (SAN) example that ensures the value complies with RFC 1918 (IPv4 private address):

    ^(?:10(?:\.\d{1,3}){3}|172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2}|192\.168(?:\.\d{1,3}){2})$

    URI (SAN) example that allows any subdomain of acme.com that starts with https://, ldaps://, or spiffe://:

    ^(https|ldaps|spiffe)://.*\.acme\.com$

    Email Addresses (SAN) example that allows all addresses that end in acme.com:

    ^(?:[A-Za-z0-9._%+-]+)?@acme\.com$

    Regular expression syntax reference

    Syntax | Description                                                    | Example                  | Matches
    -------|----------------------------------------------------------------|--------------------------|---------------------------------------------------------------
    *      | Matches any number of characters including none.               | ^.*[.]acme[.]com         | site-1.acme.com, www.acme.com, *.acme.com
    .      | Matches a single character.                                    | ^.?team[.]acme[.]com     | ateam.acme.com, bteam.acme.com, 1team.acme.com
    [abc]  | Matches one character given in the bracket.                    | ^[tmb]ike[.]acme[.]com   | tike.acme.com, mike.acme.com, bike.acme.com
    [a-z]  | Matches one character from the range given in the bracket.     | [w-z]-net[.]acme[.]com   | w-net.acme.com, x-net.acme.com, y-net.acme.com, z-net.acme.com
    [^0-9] | Matches one character outside the range given in the bracket.  | ^[^0-3][yz][.]acme[.]com | 4y.acme.com, 5z.acme.com, 6y.acme.com
  7. Under Key Constraint, select one or more key algorithms.

    • If there is only one key algorithm, the Workload Identity Manager's clients must use that algorithm.
    • If there are multiple key algorithms, the Workload Identity Manager's clients can use any of the approved algorithms. If no algorithm is specified, the one specified as the Default Value will be used.
    • Key algorithms are always Required type.
  8. Select Issuance Parameters options.

    • Key usage. For TLS certificates, select both Digital Signature AND Key Encipherment.
    • Extended key usage. Select one or more of the following:
      • If issuing server certificates, select Server Authentication.
      • If issuing client certificates, select Client Authentication.
  9. When you're finished, click Create.
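The following Python is an added illustration of the rule conventions described in step 6 (literal versus ^...$ regular-expression values, the five property types and the Default Value behaviour); it is not Venafi's code, and the function names, the Python re dialect and the reading of the five types are assumptions drawn from the text above.

```python
import re

# Added illustration of the policy rules described above; not Venafi product
# code. Assumes Python's re dialect, which covers the syntax in the examples.

def is_regex_rule(rule):
    """Page convention: a regex rule is prefixed with ^ and ends with $."""
    return rule.startswith("^") and rule.endswith("$")

def value_allowed(rule, value):
    """Literal rules must match exactly; regex rules must match the whole value."""
    if is_regex_rule(rule):
        return re.fullmatch(rule, value) is not None
    return rule == value

def evaluate_field(kind, rule, default, requested, is_cn_or_san=False):
    """Return (accepted, issued_value) for one Subject/SAN property.
    Assumed reading of the page text: Ignored drops the property, Forbidden
    rejects a CSR that carries it, Required fails when it is missing, Optional
    validates a requested value against the rule and fills the Default Value
    when absent (except for CN/SANs), Locked accepts only the Default Value."""
    if kind == "Ignored":
        return True, None
    if kind == "Forbidden":
        return requested is None, None
    if kind == "Locked":
        ok = requested in (None, default)
        return ok, (default if ok else None)
    if requested is None:
        if kind == "Required":
            return False, None
        return True, (None if is_cn_or_san else default)
    if rule is not None and not value_allowed(rule, requested):
        return False, None
    return True, requested

# The page's own example patterns, keyed by the field they are written for.
PAGE_PATTERNS = {
    "cn": r"^(?:\.|(?:[A-Za-z0-9-]+\.)*)acme\.com$",
    "dns": r"^[a-zA-Z0-9_-]+[.]acme[.]com$",
    "ip": r"^(?:10(?:\.\d{1,3}){3}|172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2}|192\.168(?:\.\d{1,3}){2})$",
    "uri": r"^(https|ldaps|spiffe)://.*\.acme\.com$",
    "email": r"^(?:[A-Za-z0-9._%+-]+)?@acme\.com$",
}

def check_san(field, value):
    """Apply the page's example pattern for a field to a constructed value."""
    return value_allowed(PAGE_PATTERNS[field], value)
```

Running the page's patterns this way also surfaces their edge cases: the email pattern makes the local part optional, so "@acme.com" is accepted, and the CN pattern's leading `\.` alternative accepts ".acme.com".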

What's next?

Now that you have created a policy, your next step is to create a service account that will allow the Workload Identity Manager server to connect to the Venafi Control Plane using a specific configuration (that you will configure in a future step). However, before you can create a service account, you will need to create a team, if you haven't yet.
