Skip to content

Managing Approval Requests

When a certificate operation matches an enabled Approval Workflow, an approval request is created and the operation is held pending a decision. This page covers how to view, approve, and reject those requests.


Viewing Approval Requests

Navigate to Policies > Approvals and select the Requests tab.

The requests list shows all approval requests visible to your account:

  • Users with the policy_admin or super_admin role see all requests for the tenant.
  • All other users see only requests where their account is listed as an approver on the matched workflow.

Request Details

Each row in the list shows:

Column Description
Workflow The name of the workflow that triggered the request
Certificate CN The Common Name of the certificate involved
Matched Domain The specific domain pattern that triggered the match
Event Whether this is a generate or revoke request
Requested by The user who initiated the certificate operation
Requested at Timestamp of when the request was created
Status Current status of the request

Filtering by Status

Use the status filter dropdown to narrow the list:

Filter Shows
Pending Requests awaiting a decision
Approved Requests that have been approved
Rejected Requests that have been rejected
Expired Requests that timed out before a decision was made
All All requests regardless of status

The default view shows pending requests. The pending count is displayed as a badge on the Requests tab header.


Approving a Request

To approve a request:

  1. Locate the request in the pending list.
  2. Select Approve.
  3. Optionally, enter a note in the Decision Notes field to record your reasoning or reference a ticket number.
  4. Confirm the approval.

When a request is approved:

  • The approval request status is set to approved.
  • For generation requests: the CertificateOrder is returned to pending status and the certificate generation job is re-dispatched. The certificate issues through the normal pipeline.
  • For revocation requests: the revocation call is made immediately to the Back Control Plane.
  • An audit log entry is created with your user details, timestamp, and any decision notes.

Rejecting a Request

To reject a request:

  1. Locate the request in the pending list.
  2. Select Reject.
  3. Optionally, enter a note in the Decision Notes field explaining the reason for rejection.
  4. Confirm the rejection.

When a request is rejected:

  • The approval request status is set to rejected.
  • For generation requests: the CertificateOrder status is set to cancelled. The certificate is not issued.
  • For revocation requests: the revocation is not performed. The certificate remains active.
  • An audit log entry is created.

The requester is not automatically notified of a rejection — they can monitor the status of their CertificateOrder in the certificates list, or check the Requests tab directly if they have access.


Expired Requests

If a workflow is configured with an Approval Timeout, requests that are not decided within that window are automatically set to expired. An expired request is treated as a non-decision — the operation is not dispatched.

For generation requests: the CertificateOrder remains in awaiting_approval status. The requester must submit a new certificate request.

Expired requests are visible under the Expired filter in the requests list.


Bypassed Requests

When a certificate renewal triggers a workflow that has Bypass on Renewal enabled, the request is recorded with a status of bypassed and the renewal proceeds without waiting for a decision. Bypassed requests appear in the requests list for audit purposes.


Audit Log

All approval-related actions are recorded in the platform audit log:

Event Recorded when
approval_request.created A new approval request is created (operation blocked)
approval_request.approved An approver approves a request
approval_request.rejected An approver rejects a request
approval_request.bypassed A request is bypassed due to renewal bypass

Each entry includes the user who took the action, the timestamp, the workflow and certificate details, and any decision notes provided.


Next Steps