Creating a certificate approval workflow
The approval and rejection process for certificate requests is straightforward and secure. When a certificate request triggers a rule, it enters the "In Approval" status and awaits the approval of designated approvers. Final approvers, if set, play a crucial role at the end of the approval chain.
Keep in mind that approvals are irreversible, while a single rejection leads to immediate denial of the request. Only the System Administrator and PKI Administrator roles can manage rules, and they retain overriding authority to approve any request, ensuring flexibility in exceptional situations.
Before you start
- Make sure that your account is assigned either the System Administrator or PKI Administrator roles (required to create and manage approvals).
- You must have access to at least one existing CA account, issuing template, or application. If not, create them first before continuing.
- Determine who you want your approvers to be (which can be individuals or teams).
To create a certificate approval workflow
- Sign in to Venafi Control Plane.
- Click Policies > Approvals.
- Click New.
- Enter a name for your new approval workflow.
- Under Conditions, select at least one of the following: CA account, issuing template, or application.
  Control Plane uses an AND operator when you select two or more condition types. For example, if you select a CA account and an issuing template, a request must match both for the rule to apply:
  [CA account] AND [Issuing template]
  If you add more than one value within any of the three conditions, those values are treated as OR operations. For example, if you select three CA accounts, a request matches if it uses any one of them:
  [CA account 1] OR [CA account 2] OR [CA account 3]
- Under Exceptions, select the conditions under which your new rule should be ignored:
  - Applications: if a certificate request originates from one of the applications you specify, the request won't require approval, regardless of the other conditions.
  - Requestors: if the request is submitted by one of the specified users or teams, it also won't require approval. These exceptions offer a layer of flexibility when automating the approval workflow.
  - Specify whether the system should Continue Processing on Exception. When this setting is enabled, a certificate request that is evaluated by this rule but matches one of its exceptions is passed on to the next approval rule in the list. When it is disabled, a request that matches the exception criteria is not processed by any further rules.
- If desired, enable Automatic Approval on Renewal. When enabled for an approval rule, renewal requests are automatically approved as long as they meet all of the following requirements:
  - The renewal request has the same Subject DN as the initial certificate request.
  - The renewal request has the same Subject Alternative Names (SANs) as the initial certificate request.
  - The renewal request uses the same Issuing Template as the initial certificate request.
  - A prior version of the certificate triggered a rule and was approved. This means that certificates that never went through an approval process won't be renewed automatically until they have gone through an approval.
  Any renewal request that doesn't meet all of these criteria still requires approval.
- Under Approvers, select teams or users with the System Administrator, PKI Administrator, or Resource Owner role.
- Under Approval Type, select one of the following options:
  - All: use this option to require that every approver approves a request before it goes to the final approver (optional), or is otherwise rejected or approved.
  - At Least: use this option to specify a required minimum number of approvers.
  Verify the minimum number of reviewers
  Ensure that the number of users (or team members) assigned to the approval task matches or exceeds the minimum number of approvers required. If the required number of approvers is greater than the number of assigned reviewers, the quorum can never be reached and the request is automatically rejected after the configured duration (see Auto Reject Request below).
  A team can have many members, so when choosing the 'At Least' value, count the actual number of end users assigned to the review, whether directly or through team membership, rather than the number of teams selected.
- (Optional) Click Final Approver to select who should be the last person to approve.
- Under Auto Reject Request, review the setting and update it if needed. If final approval isn't given on an approval item within this time frame, the request is automatically rejected. This time frame is counted in calendar days, not business days, so weekends and holidays count toward it.
- When you're finished, click Save.
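To make the rule semantics above concrete (AND across condition types, OR within a condition, exceptions with Continue Processing on Exception, automatic renewal approval, and the At Least quorum check), here is a small Python model of how a list of rules is evaluated against a request. This is an added example, not Venafi's own code or API; the `Rule` and `Request` classes, their field names, and the sample rules, teams, and requests are all constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Request:
    """A certificate request as seen by the approval rules (assumed shape)."""
    ca_account: str
    issuing_template: str
    application: str
    requestor: str
    subject_dn: str
    sans: frozenset
    is_renewal: bool = False
    prior_approved: Optional["Request"] = None  # approved earlier version, if any


@dataclass
class Rule:
    """One approval rule. Empty condition sets mean 'not selected'."""
    name: str
    # Conditions: values inside one condition are OR'd; selected conditions are AND'd.
    ca_accounts: frozenset = frozenset()
    issuing_templates: frozenset = frozenset()
    applications: frozenset = frozenset()
    # Exceptions: a matching request needs no approval from this rule.
    exempt_applications: frozenset = frozenset()
    exempt_requestors: frozenset = frozenset()
    continue_on_exception: bool = False
    auto_approve_renewal: bool = False
    approvers: frozenset = frozenset()  # user names or team names
    approval_type: str = "all"          # "all" or "at_least"
    at_least: int = 1

    def conditions_match(self, req):
        selected = [(self.ca_accounts, req.ca_account),
                    (self.issuing_templates, req.issuing_template),
                    (self.applications, req.application)]
        chosen = [(allowed, value) for allowed, value in selected if allowed]
        if not chosen:
            return False  # a rule must select at least one condition
        return all(value in allowed for allowed, value in chosen)  # AND of ORs

    def is_exception(self, req):
        return (req.application in self.exempt_applications
                or req.requestor in self.exempt_requestors)

    def renewal_auto_approved(self, req):
        prior = req.prior_approved
        return (self.auto_approve_renewal and req.is_renewal and prior is not None
                and prior.subject_dn == req.subject_dn
                and prior.sans == req.sans
                and prior.issuing_template == req.issuing_template)

    def assigned_user_count(self, teams):
        """Distinct end users assigned, expanding team names to their members."""
        users = set()
        for approver in self.approvers:
            users.update(teams.get(approver, {approver}))
        return len(users)

    def quorum_reachable(self, teams):
        """False means an 'At Least' rule can only ever end in auto-rejection."""
        if self.approval_type != "at_least":
            return True
        return self.assigned_user_count(teams) >= self.at_least


def evaluate(rules, req):
    """Walk the ordered rule list; return (status, rule name or None)."""
    for rule in rules:
        if not rule.conditions_match(req):
            continue
        if rule.is_exception(req):
            if rule.continue_on_exception:
                continue              # hand the request to the next rule
            return ("exempt", rule.name)  # no approval needed, stop here
        if rule.renewal_auto_approved(req):
            return ("auto_approved", rule.name)
        return ("in_approval", rule.name)
    return ("no_rule", None)  # no rule triggered: no approval required


# Constructed sample data (not from any real tenant).
TEAMS = {"team-pki": {"bob", "carol"}}
RULE_WEB = Rule(name="web-certs", ca_accounts=frozenset({"ca-1", "ca-2"}),
                issuing_templates=frozenset({"tmpl-web"}),
                exempt_requestors=frozenset({"svc-bot"}), continue_on_exception=True,
                auto_approve_renewal=True, approvers=frozenset({"team-pki"}),
                approval_type="at_least", at_least=2)
RULE_WEB_STRICT = replace(RULE_WEB, continue_on_exception=False, at_least=3)
RULE_PAYROLL = Rule(name="payroll-app", applications=frozenset({"app-payroll"}),
                    approvers=frozenset({"dave"}))
RULES = [RULE_WEB, RULE_PAYROLL]

FIRST = Request("ca-2", "tmpl-web", "app-shop", "alice",
                "CN=shop.example", frozenset({"shop.example"}))
BOT_PAYROLL = Request("ca-1", "tmpl-web", "app-payroll", "svc-bot",
                      "CN=pay.example", frozenset({"pay.example"}))
RENEWAL_SAME = replace(FIRST, is_renewal=True, prior_approved=FIRST)
RENEWAL_NEW_SAN = replace(RENEWAL_SAME, sans=frozenset({"shop.example", "www.shop.example"}))

if __name__ == "__main__":
    for label, req in [("first", FIRST), ("bot", BOT_PAYROLL),
                       ("renewal", RENEWAL_SAME), ("renewal+san", RENEWAL_NEW_SAN)]:
        print(label, evaluate(RULES, req))
    print("quorum ok:", RULE_WEB.quorum_reachable(TEAMS), RULE_WEB_STRICT.quorum_reachable(TEAMS))
```

Running the block shows the bot's payroll request skipping the first rule (exception plus Continue Processing on Exception) and landing in the payroll rule, the unchanged renewal being auto-approved while the renewal with an added SAN goes back to approval, and the stricter rule failing the quorum check because its two-member team cannot supply three approvers.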
Next steps
Test your new workflow by requesting a certificate that matches your approval rule's conditions, then check the Certificate Requests page to confirm the request shows the "In Approval" status and is routed to the approvers you expect.