Why does "No Local Dual Control" appear in Aperture?

Applies To:

Trust Protection Platform 14.x and above


When looking at a certificate is aperture you see a message that states "No Local Dual Control".


In order to meet some audit requirements, certificates need to have more than one person overseeing the processing of certificates.  This means that there should be at least one Approval Workflow with stages 0-700 or 1400 assigned to the certificate. This field allows Venafi Administrators to find certificates that have this security/audit risk so that dual control can be applied.



To resolve this message assign an enrollment or revocation workflow to a policy container.  The message in Aperture will then disappear.


More Information:

SANS CSC 17-14, states: "Define roles and responsibilities related to management of encryption keys within the enterprise; define processes for lifecycle."

In the definition of roles and responsibilities for certificates and keys, organizations should ensure that each certificate and key has one or more owners and approvers (overseers who must approve issuance and revocation operations) to ensure sound management. It is important that the approvers have local knowledge for the certificate, meaning that they are familiar with the business context in which the certificate will be deployed and the individuals authorized to request and manage certificates. With TPP, this can be accomplished by leveraging by assigning workflow responsibility to groups or individuals with that local knowledge.

Was this article helpful?
2 out of 3 found this helpful


  • Avatar
    Troy Poff

    I can't follow what you are saying needs to happen to make this error go away.