Managing certificate revocation approval workflows

Certificate revocation approval ensures that the process of revoking certificates is handled securely and with oversight. In environments with distributed responsibility, it's important to control who can revoke certificates to prevent mistakes or unauthorized revocations. TLS Protect Cloud introduces a certificate revocation approval workflow, allowing PKI administrators to create approval rules that govern who can revoke certificates, ensuring that only authorized users can approve revocation requests. This adds a layer of security to certificate lifecycle management, preventing unauthorized or accidental revocations that could compromise your infrastructure.

Administrators can designate specific users or teams as approvers for revocation requests, configure approval rules, and manage the approval process directly from the user interface (UI) or API. Approval rules can also be tailored to require one or multiple approvers based on organizational needs. Additionally, notifications ensure that approvers are alerted when action is needed, and auto-rejection policies help manage stale requests, improving efficiency.

Revocation requests will be reviewed against the rules on the Revocation tab in order of priority.

This topic outlines how to manage certificate revocation approvals in TLS Protect Cloud, including how to create and update approval rules, handle approval requests, and monitor the status of revocation requests.

Creating a certificate revocation approval rule

  1. Sign in to Venafi Control Plane.
  2. Click Policies > Approval Rules.
  3. Click New.
  4. Click Revocation Approval Rule Type, then click Continue.
  5. Enter a name for your new revocation workflow. Next, you need to specify the Conditions to evaluate the revocation request against. If a request matches the specified conditions, the rest of the criteria specified below will apply. If a request doesn't match the specified conditions, the system will evaluate the request against the next rule from the Revocation list.

  6. Select at least one CA Account from the list of available certificate authorities.

    Important: Currently the only CAs that support revocation from TLS Protect Cloud are MS AD CS and Zero Touch PKI, so make sure you select a valid CA Account.

    Next, you can specify Exceptions. If a request matches an exception, and the Continue Processing on Exceptions switch is disabled, the revocation request will automatically be approved and sent to the CA for processing. If the request does not match an exception, then this approval request is triggered, and the approver or approvers specified in this rule will need to approve the request before it is sent to the CA.

  7. (Optional) Add exceptions by specifying Applications or Requestors that will be excluded from this rule.

    • Applications: if a revocation request originates from the applications you specify, the request won't require approval regardless of other conditions.
    • Requestors: if the request is submitted by specified users or teams, it will also not require approval.

    These exceptions offer a level of flexibility in automating the revocation workflow.

  8. (Optional) Decide if you want to Continue Processing on Exception.

    • If this switch is disabled (default), when a revocation request matches the exception criteria, all approval rule evaluation stops, and the revocation request is automatically approved.
    • If this switch is enabled, when a revocation request matches the exception criteria, processing of this rule stops, and the next rule in line is evaluated.

  9. Under Approval Type, select one of the following options:

    • All: use this option to require that every assigned approver approves a request before it goes to the optional final approver, or is otherwise approved or rejected.
    • At Least: use this option to specify a required minimum number of approvers.

    Verify the minimum number of reviewers.

    Ensure that the number of users (or team members) assigned to the approval task matches or exceeds the minimum number of approvers required. If the number of required approvers is greater than the number of assigned reviewers, the request can never collect enough approvals and will be automatically rejected after the specified duration (details below).

    A team can comprise many members. Therefore, when setting the 'At Least' value, count the actual number of end users assigned to the review, whether directly or through team membership, rather than the number of teams.

  10. (Optional) Add a final approver by selecting a System Administrator, PKI Administrator or Resource Owner.

  11. Under Auto Reject Request, review the setting and update it if needed. If final approval isn't given for an approval item within this time frame, it is automatically rejected. Be aware that this time frame is measured in calendar days, not business days, so it doesn't take weekends or holidays into account.

  12. When you're finished, click Save.
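To make the evaluation order concrete, here is an added Python model of the rule semantics described in steps 5 through 11: conditions, exceptions, the Continue Processing on Exception switch, the All / At Least approval types and the calendar-day auto-reject window. This is example code written for this page, not TLS Protect Cloud's own implementation or API; rule names, CA accounts, applications and users are constructed, and the outcome when no rule matches is an assumption, since the page does not define it.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Rule:
    name: str
    ca_accounts: frozenset                      # Conditions: CA Account(s) the rule applies to
    exempt_apps: frozenset = frozenset()        # Exceptions: Applications
    exempt_requestors: frozenset = frozenset()  # Exceptions: Requestors
    continue_on_exception: bool = False         # the "Continue Processing on Exception" switch
    approval_type: str = "All"                  # "All" or "At Least"
    min_approvers: int = 1                      # used only by "At Least"
    approvers: frozenset = frozenset()          # end users assigned directly or via teams
    final_approver: str = ""                    # optional final approver
    auto_reject_days: int = 7                   # calendar days, not business days

@dataclass
class Request:
    ca_account: str
    application: str
    requestor: str
    submitted: str                              # ISO date the request was raised

def evaluate(rules, req):
    """Walk the Revocation rules in priority order; return (outcome, rule name, note)."""
    for rule in rules:
        if req.ca_account not in rule.ca_accounts:
            continue                            # conditions not met: evaluate the next rule
        if req.application in rule.exempt_apps or req.requestor in rule.exempt_requestors:
            if rule.continue_on_exception:
                continue                        # switch enabled: this rule stops, next rule is tried
            return ("auto-approved", rule.name, "exception matched; sent straight to the CA")
        needed = len(rule.approvers) if rule.approval_type == "All" else rule.min_approvers
        deadline = date.fromisoformat(req.submitted) + timedelta(days=rule.auto_reject_days)
        if needed > len(rule.approvers):        # can never collect enough approvals
            return ("unsatisfiable", rule.name, f"needs {needed}, only {len(rule.approvers)} assigned; auto-rejects {deadline}")
        chain = f"{needed} of {len(rule.approvers)} approvers"
        if rule.final_approver:
            chain += f", then final approver {rule.final_approver}"
        return ("pending", rule.name, f"{chain}; auto-rejects {deadline}")
    return ("no-rule", "", "no Revocation rule matched")  # assumed outcome; not defined on the page

# Constructed sample rule set, highest priority first (rule names, CA accounts and users are made up).
RULES = [
    Rule("prod-adcs", frozenset({"ADCS-Prod"}), exempt_apps=frozenset({"cert-rotator"}),
         continue_on_exception=True, approval_type="At Least", min_approvers=2,
         approvers=frozenset({"alice", "bob", "carol"}), final_approver="pki-admin", auto_reject_days=5),
    Rule("catch-all", frozenset({"ADCS-Prod", "ZTPKI"}), exempt_requestors=frozenset({"svc-automation"}),
         approvers=frozenset({"dave"})),
]
```

Note how a request from the exempt application falls through to the catch-all rule because the first rule has the switch enabled, while an exempt requestor under the catch-all rule (switch disabled) is approved straight away.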

By using certificate revocation approval rules, you can ensure that only authorized users approve or reject revocation requests, adding an important layer of security to your certificate management process.