Approval Workflows¶
Approval Workflows allow you to gate certificate operations behind a human approval step. When a certificate generation or revocation request matches a configured workflow, the operation is paused and designated approvers are notified by email. The operation only proceeds after an approver explicitly accepts the request.
Approval Workflows are accessible via Policies > Approvals in the sidebar.
Why Use Approval Workflows¶
Certificate issuance and revocation are security-significant events. In many organisations, the person requesting a certificate is not the same person who should authorise it. Approval Workflows make this separation of duties enforceable at the platform level without requiring manual coordination outside the system.
Common use cases:
- Regulated environments — compliance requirements mandate that certificate issuance for production systems is reviewed by a security officer before proceeding.
- High-value domains — wildcard or top-level domain certificates require a second set of eyes before issuance.
- Revocation controls — prevent accidental or unauthorised revocation of certificates that back critical services.
- Cross-team authorisation — a business owner or application owner (who may not be a PKI admin) needs to approve certificates for their domain.
Trigger Events¶
Each workflow is configured for one of three trigger events:
| Trigger | When the workflow applies |
|---|---|
generate |
Certificate generation requests (new issuance) |
revoke |
Certificate revocation requests |
both |
Both generation and revocation |
Domain Pattern Matching¶
A workflow only applies when the certificate's Common Name (CN) or one of its Subject Alternative Names (SANs) matches a domain pattern configured on the workflow.
Three pattern types are supported:
| Pattern | Example | Matches |
|---|---|---|
| Exact | api.example.com |
Only api.example.com |
| Wildcard subdomain | *.example.com |
mail.example.com, api.example.com — but not example.com |
| Catch-all | * |
Any domain |
Matching is evaluated against both the CN and all SANs. A certificate with any matching domain triggers the workflow.
Renewal Bypass¶
Automated certificate renewal is a common operational pattern — renewal threshold jobs, ACME clients, and Bridge-driven renewals all operate without human interaction. Requiring approval on every renewal would break these automations.
Each workflow has a Bypass on Renewal toggle. When enabled, the workflow is skipped for renewal operations and the certificate is renewed immediately without waiting for approval. When disabled, renewals are held for approval like any other generation request.
Approval Requests¶
When a certificate operation matches an enabled workflow, the platform creates an Approval Request and places the operation in a pending state. The CertificateOrder is marked awaiting_approval.
An approval request progresses through the following statuses:
| Status | Meaning |
|---|---|
pending |
Waiting for an approver to act |
approved |
An approver accepted the request; the operation has been dispatched |
rejected |
An approver rejected the request; the operation is cancelled |
expired |
The request exceeded its configured timeout and was automatically closed |
bypassed |
The request was skipped because the operation was a renewal and bypass was enabled |
Email Notifications¶
When an approval request is created, every user listed as an approver on the matched workflow receives an email notification. The email includes:
- The certificate Common Name
- The matched domain pattern
- The trigger event type (generate or revoke)
- The requesting user's name
- A link to the Approvals page
Required Approvals¶
A workflow can require more than one approval before the operation proceeds. The Required Approvals field controls how many approvers must accept a request. This supports two-person integrity requirements for sensitive certificate operations.
Approval Timeout¶
Workflows can be configured with an Approval Timeout (in hours). If no decision is made within that window, the approval request is automatically set to expired and the pending operation is not dispatched.
Setting a timeout to null (or leaving it blank) means requests remain open indefinitely until manually decided.
Access Control¶
| Action | Required role |
|---|---|
| Create, edit, delete, enable or disable workflows | policy_admin or super_admin |
| Approve or reject a request | Any user listed as an approver on the matched workflow, or policy_admin/super_admin |
Approver designation has no role restriction — any user registered on your tenant can be designated as an approver. This allows business owners or security officers to approve certificates for their domains without needing a PKI administrator role.
Next Steps¶
- Setting up Approval Workflows — create and configure your first workflow.
- Managing Approval Requests — view, approve, and reject pending requests.
- Service Account API — manage workflows programmatically.
- Best Practices for Approval Workflows — guidance on scoping, approver selection, and timeout configuration.