
Managing Certificate Policies

This page covers ongoing management of certificate policies, including viewing, editing, enabling or disabling, testing, and deleting policies.

Viewing Policies

All policies for the tenant are listed under Admin > Policies. Each entry shows:

  • Name and description
  • Domains — the domain patterns the policy applies to
  • Action — whether the policy applies to issuance, renewal, or both
  • Rules — the number of rules configured
  • Status — whether the policy is currently enabled

Select a policy to view its full configuration, including the matching criteria and the complete rule set.

Viewing the Raw Policy JSON

For integration, export, or auditing purposes, the raw JSON representation of a policy can be viewed:

  1. Navigate to Admin > Policies.
  2. Select the policy.
  3. Select View Raw.

This displays the policy's matching_criteria and rules in JSON format, suitable for use with the service account API.


Editing a Policy

  1. Navigate to Admin > Policies.
  2. Select the policy to edit.
  3. Update the name, description, matching criteria, or rules as needed.
  4. Save.

Changes take effect immediately for all subsequent certificate requests. Evaluations already in progress for an in-flight request are not retroactively affected.

Note: If you are tightening an existing policy (for example, converting a Soft Fail rule to Hard Fail), consider using the Policy Validator first to understand which existing certificate request patterns would now be blocked.


Enabling and Disabling a Policy

A policy can be enabled or disabled at any time.

To enable a policy:

  1. Navigate to Admin > Policies.
  2. Select the policy.
  3. Select Enable.

To disable a policy:

  1. Navigate to Admin > Policies.
  2. Select the policy.
  3. Select Disable.

A disabled policy is retained in the system but has no effect on certificate requests. This is useful for:

  • Temporarily suspending a policy without deleting it.
  • Preparing a policy before it is ready to go live.
  • Disabling a policy during an exceptional event (for example, an emergency certificate issuance that would otherwise fail policy checks).


Deleting a Policy

  1. Navigate to Admin > Policies.
  2. Select the policy to delete.
  3. Select Delete and confirm.

Deleting a policy removes it permanently. Any soft-fail warnings previously recorded against certificates from this policy remain on those certificates. Certificates that were previously blocked by a hard-fail rule are not retroactively issued.


Policy Validator

The Policy Validator is a pre-flight tool that shows how current policies would respond to a given certificate request, without issuing a certificate.

  1. Navigate to Admin > Policies > Validator.
  2. Enter the certificate parameters:
    • Common Name (required)
    • Subject Alternative Names
    • Organisation, OU, Country, State, Locality
    • Algorithm and Digest
    • Validity (days)
    • Key Usage and Extended Key Usage
  3. Select Validate.

The result shows:

  • Which policies matched the request
  • For each policy: each rule's pass/fail result, the failure mode (hard/soft), and the message that would be shown
  • The merged overall result — pass, hard fail, or soft fail with warnings
  • A field-level summary indicating which certificate parameters triggered violations

The Policy Validator is available to all authenticated users, not only Policy Administrators. This allows users and other administrators to diagnose policy-related issues with certificate requests without needing to involve a Policy Administrator.


Policy Test Tool

The Policy Test tool evaluates a specific policy in isolation against a certificate request. Unlike the Validator (which evaluates all matching policies), the Test tool targets a single policy by ID.

  1. Navigate to Admin > Policies > Test.
  2. Select the policy to test.
  3. Enter certificate parameters.
  4. Select Test.

This is useful for verifying that a newly created or recently edited policy behaves as expected before enabling it.


Exporting Policies

All policies for the tenant can be exported as a JSON file for backup, auditing, or transfer to another environment.

  1. Navigate to Admin > Policies.
  2. Select Export.

A file named policies_export_YYYY-MM-DD.json is downloaded. The file contains all policies for the tenant, ordered by name, and includes a metadata envelope with the export timestamp and policy count. Each policy entry contains its name, description, matching criteria, rules, and enabled status.

The export format is compatible with the policy import function, allowing policies to be moved between environments (for example, from staging to production).


Importing Policies

Policies can be imported from a previously exported JSON file.

  1. Navigate to Admin > Policies.
  2. Select Import.
  3. In the file upload section that appears, select a .json file in the export format produced by this system.
  4. Review the import result.

Behaviour during import:

  • Each policy in the file is validated independently using the same rules as when creating a policy manually.
  • Policies that pass validation are created for the current tenant.
  • Policies that fail validation are skipped — an error is shown for each failed policy, and the rest of the import continues.
  • Import always creates new policy records. It does not overwrite or update existing policies with matching names. If a policy already exists with the same name, both will coexist after import; review and remove duplicates manually if needed.

Import operations are recorded in the audit log, including the number of policies imported and the number of failures.
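As an added example (not the product's own code, and not its documented export schema), the following Python script previews what importing an export file into a tenant would do under the behaviour listed above: it checks the metadata envelope's policy count against the file contents, flags entries that would be skipped, and lists names that would coexist with a same-named policy already in the target tenant. The envelope and field names (`metadata.policy_count`, `policies`, `enabled`) and the sample export are assumptions constructed for this example.

```python
import json

# Field names are assumptions; the page names only name, description,
# matching_criteria, rules, enabled status and a metadata envelope.
REQUIRED_FIELDS = ("name", "description", "matching_criteria", "rules", "enabled")


def load_export(text: str) -> dict:
    """Parse an export file and check its envelope against its contents."""
    doc = json.loads(text)
    policies = doc.get("policies")
    if not isinstance(policies, list):
        raise ValueError("export file has no 'policies' list")
    declared = doc.get("metadata", {}).get("policy_count")
    if declared != len(policies):
        raise ValueError(f"envelope declares {declared} policies, file holds {len(policies)}")
    return doc


def validate_policy(policy: dict) -> list[str]:
    """Structural problems that would make the import skip this entry."""
    problems = [f"missing field '{f}'" for f in REQUIRED_FIELDS if f not in policy]
    if "rules" in policy and not policy["rules"]:
        problems.append("no rules configured")
    if "enabled" in policy and not isinstance(policy["enabled"], bool):
        problems.append("'enabled' is not a boolean")
    return problems


def preview_import(export_text: str, existing_names: set[str]) -> dict:
    """Report which entries would be created, which skipped, and which would
    coexist with a same-named policy already present in the target tenant."""
    report = {"create": [], "skip": {}, "duplicate_after_import": []}
    for policy in load_export(export_text)["policies"]:
        name = policy.get("name", "<unnamed>")
        problems = validate_policy(policy)
        if problems:
            report["skip"][name] = problems  # import skips it and continues
            continue
        report["create"].append(name)
        if name in existing_names:  # import never overwrites; both will coexist
            report["duplicate_after_import"].append(name)
    return report


# Constructed sample export, not data from any real tenant.
SAMPLE_EXPORT = json.dumps({
    "metadata": {"exported_at": "2024-01-01T00:00:00Z", "policy_count": 2},
    "policies": [
        {"name": "no-wildcards", "description": "Reject wildcard common names",
         "matching_criteria": {"domains": ["*.example.com"], "action": "both"},
         "rules": [{"field": "common_name", "mode": "hard"}], "enabled": True},
        {"name": "broken", "description": "Would be skipped on import",
         "matching_criteria": {"domains": ["*"]}, "rules": [], "enabled": "yes"},
    ],
})
```

Run `preview_import(SAMPLE_EXPORT, names_in_target_tenant)` before importing; any name under `duplicate_after_import` is one you will have to deduplicate by hand afterwards.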


Monitoring Policy Impact

After enabling a new policy, monitor its impact through:

  • Audit Log — every policy violation (hard or soft) is recorded. Navigate to Admin > Audit Log and filter for policy-related events.
  • Certificate Alerts — soft-fail violations are recorded as certificate alerts visible in Certificates > Alerts.

Review the audit log and alerts after deploying a new policy to confirm it is matching the intended requests and not producing unexpected failures on legitimate certificate operations.