Creating a certificate issuance workflow¶

The approval and rejection process for certificate requests is straightforward and secure. When a certificate request triggers a rule, it enters the "In Approval" status and awaits the approval of designated approvers. Final approvers, if set, play a crucial role at the end of the approval chain.

Keep in mind that approvals are irreversible, while a single rejection leads to immediate denial of the request. Only the System Administrator and PKI Administrator roles can manage rules, and they retain overriding authority to approve any request, ensuring flexibility in exceptional situations.

Before you start¶

• Make sure that your account is assigned either the System Administrator or PKI Administrator roles (required to create and manage approvals).
• You must have access to at least one existing CA account, issuing template, or application. If not, create them first before continuing.
• Determine who you want your approvers to be (which can be individuals or teams).

To create a certificate issuance workflow¶

1. Sign in to Venafi Control Plane.
2. Click Policies > Approval Rules.
3. Click New.
4. Click the Issuance Approval Rule Type, then click Continue.

5. Enter a name for your new approval workflow. Next, specify the Conditions to evaluate the certificate request against. If a request matches the specified conditions, the rest of the criteria specified below will apply. If a request doesn't match the specified conditions, the system will evaluate the request against the next rule from the Issuance list.'

6. Under Conditions, select at least one of the following: CA account, issuing template, or application.

   • Control Plane uses an AND operator when you select two or more. For example, if you select a CA account and an issuing template, both are included in the rule: [CA Template] AND [Issuing Template].
   • If you add more than a single value in any of the three conditions, they are treated as OR operations. For example, if you selected three CA Accounts: [CA Template 1] OR [CA Template 2] OR [CA Template 3].

   Next, you can specify Exceptions. If a request matches an exception, and the Continue Processing on Exceptions switch is disabled, then the issuance request will automatically be approved and sent to the CA for processing. If the request does not match an exception, then this approval request is triggered, and the approver or approvers specified in this rule will need to approve the request before it is sent to the CA.

7. (Optional) Add exceptions by specifying Applications or Requestors that will be excluded from this rule.

   • Applications: if a certificate request originates from the applications you specify, then the request won't require approval regardless of other conditions.
   • Requestors: if the request is submitted by specified users or teams, it will also not require approval.

   These exceptions offer a layer of flexibility in automating the approval workflow.

8. (Optional) Decide if you want to Continue Processing on Exception.

   • If this switch is disabled (default), when a certificate request matches the exception criteria, all approval rule evaluation stops, and the certificate request is automatically approved.
   • If this switch is enabled, when a certificate request matches the exception criteria, processing of this rule stops, and the next rule in line is evaluated.

9. If desired, enable Automatic Approval on Renewal. When enabled for an approval rule, renewal requests will be automatically approved as long as they meet all of the following requirements:

   • Renewal request has the same Subject DN as the initial certificate request.
   • Renewal request has the same Subject Alternative Names (SANs) as the initial certificate request.
   • Renewal request uses the same Issuing Template as the initial certificate request.
   • A prior version of the certificate triggered a rule and was approved. This means that certificates that didn't go through an approval process won't be automatically renewed until they have gone through an approval.

   Any request that doesn't meet all these criteria will still require approval.

10. Under Approvers, select teams or users with System Administrator, PKI Administrator or Resource Owner roles.

11. Under Approval Type, select one of the following options:

    • All: use this option to require that all approvers approve a request before it goes to the final approver (optional), or is otherwise rejected or approved.
    • At Least: use this option to specify a required minimum number of approvers.

    Verify the minimum number of reviewers

    Ensure that the number of minimum approvers required matches or exceeds the number of users (or team members) assigned to the approval task. If the number of required approvers is greater than the assigned reviewers, the approval will automatically be rejected after a specified duration (details below).

    A team can be comprised of numerous members. Therefore, focus on the actual number of end users directly assigned or assigned via team allocation for the review, rather than the count in the 'At Least' option.

12. (Optional) Click Final Approver to select who should be the last person to approve. This person must have one of the following roles: System Administrator, PKI Administrator, or Resource Owner.

13. Under Auto Reject Request, review the setting and update if needed. If final approval is not given within the specified time frame, the approval item will be automatically rejected. Be aware that this time frame is calendar days, not business days, so it doesn't take into account weekends or holidays.

14. When you're finished, click Save.

Next steps¶

Test your new workflow by requesting a new certificate that meets your approval rules. Then look on the Certificate Requests page to see the status.

Related links¶

• Creating a certificate approval workflow
• Learn about the Certificate Approval rules list
• Approving or rejecting certificate requests
• Reference: API endpoint for certificate approvals