Skip to content

Approval Workflows

Approval Workflows allow you to gate certificate operations behind a human approval step. When a certificate generation or revocation request matches a configured workflow, the operation is paused and designated approvers are notified by email. The operation only proceeds after an approver explicitly accepts the request.

Approval Workflows are accessible via Policies > Approvals in the sidebar.


Why Use Approval Workflows

Certificate issuance and revocation are security-significant events. In many organisations, the person requesting a certificate is not the same person who should authorise it. Approval Workflows make this separation of duties enforceable at the platform level without requiring manual coordination outside the system.

Common use cases:

  • Regulated environments — compliance requirements mandate that certificate issuance for production systems is reviewed by a security officer before proceeding.
  • High-value domains — wildcard or top-level domain certificates require a second set of eyes before issuance.
  • Revocation controls — prevent accidental or unauthorised revocation of certificates that back critical services.
  • Cross-team authorisation — a business owner or application owner (who may not be a PKI admin) needs to approve certificates for their domain.

Trigger Events

Each workflow is configured for one of three trigger events:

Trigger When the workflow applies
generate Certificate generation requests (new issuance)
revoke Certificate revocation requests
both Both generation and revocation

Domain Pattern Matching

A workflow only applies when the certificate's Common Name (CN) or one of its Subject Alternative Names (SANs) matches a domain pattern configured on the workflow.

Three pattern types are supported:

Pattern Example Matches
Exact api.example.com Only api.example.com
Wildcard subdomain *.example.com mail.example.com, api.example.com — but not example.com
Catch-all * Any domain

Matching is evaluated against both the CN and all SANs. A certificate with any matching domain triggers the workflow.


Renewal Bypass

Automated certificate renewal is a common operational pattern — renewal threshold jobs, ACME clients, and Bridge-driven renewals all operate without human interaction. Requiring approval on every renewal would break these automations.

Each workflow has a Bypass on Renewal toggle. When enabled, the workflow is skipped for renewal operations and the certificate is renewed immediately without waiting for approval. When disabled, renewals are held for approval like any other generation request.


Approval Requests

When a certificate operation matches an enabled workflow, the platform creates an Approval Request and places the operation in a pending state. The CertificateOrder is marked awaiting_approval.

An approval request progresses through the following statuses:

Status Meaning
pending Waiting for an approver to act
approved An approver accepted the request; the operation has been dispatched
rejected An approver rejected the request; the operation is cancelled
expired The request exceeded its configured timeout and was automatically closed
bypassed The request was skipped because the operation was a renewal and bypass was enabled

Email Notifications

When an approval request is created, every user listed as an approver on the matched workflow receives an email notification. The email includes:

  • The certificate Common Name
  • The matched domain pattern
  • The trigger event type (generate or revoke)
  • The requesting user's name
  • A link to the Approvals page

Required Approvals

A workflow can require more than one approval before the operation proceeds. The Required Approvals field controls how many approvers must accept a request. This supports two-person integrity requirements for sensitive certificate operations.


Approval Timeout

Workflows can be configured with an Approval Timeout (in hours). If no decision is made within that window, the approval request is automatically set to expired and the pending operation is not dispatched.

Setting a timeout to null (or leaving it blank) means requests remain open indefinitely until manually decided.


Access Control

Action Required role
Create, edit, delete, enable or disable workflows policy_admin or super_admin
Approve or reject a request Any user listed as an approver on the matched workflow, or policy_admin/super_admin

Approver designation has no role restriction — any user registered on your tenant can be designated as an approver. This allows business owners or security officers to approve certificates for their domains without needing a PKI administrator role.


Next Steps