Applies to:
All versions of Venafi Trust Protection Platform with TrustAuthority and TrustForce
Summary:
Venafi Trust Protection Platform (VTPP) allows you to integrate workflow management processes with its management of certificate lifecycles. Using Workflow objects, you can require approvals or run SSH or PowerShell commands at stages of the certificate lifecycle. You can apply the workflows to an entire policy, or limit their action to only certificates associated with a specific application type such as a GSK keystore or Apache web server. This article describes the best practice workflows that should be used with VTPP.
More Info:
Best Practice Workflow Reason Codes
Workflow objects define an approval step or automated action that occurs at a predefined stage. Workflow objects are assigned to Policies, and child Policies can be configured to block Workflow objects defined by their parents. Workflows are generally applied to the process at decision points where human intervention or review is needed prior to continuing in the process.
Workflows will be aligned by Policy and requesting group, with more rigorous approval requirements for teams that require more assistance with the certificate request processes.
Setting up an Approval Workflow starts by creating a Reason Code using the “Workflow” tree of the WebAdmin console. The Reason Code is assigned a unique numeric identifier and a name by which it appears for assignment within a Workflow object. The Reason Code “Description” is the text that will appear in the approval Notification email, and macros can be used to insert attributes of the object for which the approval applies. These are some of the best practice reason codes that should be created.
| Reason Code | Name | Description |
| --- | --- | --- |
| 1 | Approval for Renewal (Stage 0) | The certificate with common name of "$Config[$Config[$SelfDN$,Owner Object]$,X509 Subject]$" is being enrolled. Approval is required for this process to proceed. |
| 2 | Approval for Enrollment (Stage 500) | The CSR for "$Config[$Config[$SelfDN$,Owner Object]$,X509 Subject]$" is waiting to be signed by the $CN[$Policy[$Config[$SelfDN$,Owner Object]$,Certificate Authority]$]$ CA. Approval is required for this process to proceed. |
| 3 | Approval for Installation (Stage 800) | The certificate for the $CN[$Config[$SelfDN$,Owner Object]$]$ application is now ready to be installed on the $CN[$ParentDN[$Config[$SelfDN$,Owner Object]$]$]$ device. Approval is required for this process to proceed. |
| 4 | Approval for Service Restart (Stage 1100) | The certificate for the $CN[$Config[$SelfDN$,Owner Object]$]$ application has been installed on the $CN[$ParentDN[$Config[$SelfDN$,Owner Object]$]$]$ device, and the application is now pending a restart for the installation to be complete. Approval is required for this process to proceed. |
| 5 | Approval for Revocation (Stage 1400) | A request has been made to revoke a certificate which has a common name of "$Config[$Config[$SelfDN$,Owner Object]$,X509 Subject]$". Approval is required for this process to proceed. |
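To show how the nested macros in these descriptions resolve (inner macros first, then the lookups they feed), here is a small Python model of the expansion. It is an added example, not Venafi's own parser: the object tree, the DNs and the semantics assumed for $SelfDN$, $Config[...]$, $Policy[...]$, $CN[...]$ and $ParentDN[...]$ are constructed for illustration.

```python
"""Simplified resolver for the macro syntax used in VTPP reason code descriptions.
Added illustration, not Venafi code: the object tree and the semantics assumed for
$SelfDN$, $Config[DN,Attr]$, $Policy[DN,Attr]$, $CN[DN]$ and $ParentDN[DN]$ are mine."""
import re

# Constructed object tree (DN -> attributes) with backslash-separated DNs as in VTPP.
# A workflow ticket's "Owner Object" points at the object awaiting approval.
TREE = {
    r"\VED\Policy": {"Certificate Authority": r"\VED\Policy\CAs\Internal Issuing"},
    r"\VED\Policy\Certs\www.example.com": {"X509 Subject": "www.example.com"},
    r"\VED\Policy\Workflow\Ticket-1": {"Owner Object": r"\VED\Policy\Certs\www.example.com"},
    r"\VED\Policy\Workflow\Ticket-2": {"Owner Object": r"\VED\Policy\Servers\web01\Apache"},
}

# One innermost macro: a name plus an optional [argument] containing no nested macro.
MACRO = re.compile(r"\$(\w+)(?:\[([^\[\]$]*)\])?\$")

def parent_dn(dn):
    return dn.rsplit("\\", 1)[0]

def cn(dn):
    return dn.rsplit("\\", 1)[1]

def policy_value(dn, attr):
    """Model of $Policy[...]$: walk from dn towards the root and take the first value set."""
    node = dn
    while node:
        if attr in TREE.get(node, {}):
            return TREE[node][attr]
        node = parent_dn(node) if "\\" in node else ""
    raise KeyError(f"'{attr}' is not set on {dn} or any parent policy")

def expand(template, self_dn):
    """Resolve macros innermost-first until the text contains none (pure lookups, no eval)."""
    def resolve(m):
        name, arg = m.group(1), m.group(2)
        if name == "SelfDN":
            return self_dn
        if name in ("CN", "ParentDN"):
            return cn(arg) if name == "CN" else parent_dn(arg)
        dn, attr = arg.split(",", 1)          # Config/Policy take "DN,Attribute"
        if name == "Config":
            return TREE[dn][attr]
        if name == "Policy":
            return policy_value(dn, attr)
        raise ValueError(f"unknown macro ${name}$")
    while MACRO.search(template):
        template = MACRO.sub(resolve, template)
    return template
```

Running `expand()` on the Stage 500 description with Ticket-1 yields the certificate's subject and the CA name inherited from the top-level policy; the Stage 800 description with Ticket-2 yields the application and its parent device.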
Best Practice Workflows
Once a Reason Code has been defined you can create a Workflow object in the Policy Tree. The Workflow object defines the stage at which it will apply, who will be authorized to approve it, and the Reason Code that ideally explains to the user why approval is needed. Workflow objects should be created in the Policy tree under a policy named Workflow. Workflows can also include SSH or PowerShell commands that can be injected at selected stages.
The completed Workflow object can then be assigned to a Policy so that it will apply to any certificate lifecycle processing that happens for the Certificates and Applications it contains. These are some of the workflows that should be created.
| Stage | Name | Description | Approver |
| --- | --- | --- | --- |
| 0 | Stage 0 Manager Approval | The purpose of this Workflow is to determine if a newly requested certificate is needed prior to issuing the certificate. An email will be sent to a Manager or delegate asking them to respond to approve/reject the new certificate request. An approver other than the requestor must approve the workflow to begin the processing of the certificate. The approver at the time of this writing is TBD. | Manager |
| 500 | Stage 500 CA Governance Approval | This stage allows review by a registration authority (RA) for both new and renewed certificates. An RA is an authority that verifies user requests for a digital certificate and, if approved, tells the certificate authority (CA) to issue the certificate. In many environments, the PKI Admin acts as the organization’s RA. | PKI Admin |
| 800 | Stage 800 Provisioning Approval | Will be applied to all provisioning policies to control the time of the certificate installation. Workflow approvals can be scheduled for future times to align with Change Control windows. The team that holds operational responsibility for the system and/or application where the certificate is to be installed will approve this. | Device/Application Owner |
| 1100 | Stage 1100 Application Restart Approval | Will be applied to all provisioning policies to control the time of the service restart. SSH command injection will be used to bounce the service so that the newly installed certificate is put into use. Workflow approvals can be scheduled for future times to align with Change Control windows. The team that holds operational responsibility for the system and/or application where the certificate is to be installed will approve this. | Device/Application Owner |
| 1400 | Stage 1400 Revocation Approval | Will be applied at the top-level policy for approval before certificate revocation. | PKI Admin |