Requiring Approval for Certificate Requests
===========================================

ACM provides the ability to require that certificate requests are approved prior to being issued by the system. This approval step only affects certificates requested by those holding the "Requestor" role. Account and Organization Admins have rights to approve certificate requests; because of this, any certificate request made by one of these roles will automatically be approved.

.. image:: ACMScreenshots/Approval-Required-Policy.png

The "requires approval" option is controlled in the certificate policy definition. Any certificate policy can be configured to require approval prior to issuance.

.. warning::
   Policies that will be primarily accessed via API calls should NOT have the "requires approval" option set. This setting will prevent the API from being able to retrieve the cert without manual intervention.

To get the "requires approval" option added to a policy, or a new policy created with this option, please contact Support at acmsupport@hydrantid.com.

Adding notifications for Approvers and Requestors
--------------------------------------------------

ACM supports a Simple Notification Service (SNS) for providing subscription-based alerts. Both the Requestor and any Account or Organization Admins that will approve certificate requests must subscribe to the appropriate notification for their role.

You can access the Edit Subscriptions screen by going to your User Profile.

.. image:: ACMScreenshots/Log-Subscriptions.png

.. note::
   For Account or Organization Admins: add the "CERT_REQUEST_APPROVAL_REQUIRED" event. This will send a notification that there is a certificate request that needs approval to every Admin that has subscribed to this event.

.. image:: ACMScreenshots/Approver-Event.png

.. note::
   For Requestors: add the "CERT_REQUEST_APPROVED" and "CERT_REQUEST_REJECTED" events. This will ensure the Requestor is notified when their certificate request has been approved or rejected.

.. image:: ACMScreenshots/Requestor-Events.png

Requestor and Approver Walkthrough
===================================

This is what the process looks like once the above configurations have been completed for your Account.

Step One: Creating the Request
-------------------------------

Log in with a Requestor role. Select your Organization and/or Certificate Policy. Enter your Certificate Signing Request (CSR) and click Parse CSR to process it.

.. image:: ACMScreenshots/Approval-Required-Policy.png

If the policy is configured correctly for approvals, you'll see the following message to the right of the Complete Certificate Request screen:

.. image:: ACMScreenshots/Approval-Required-Notice.png

At the bottom of this screen you can add an optional comment. This information will be displayed to the Approver.

.. image:: ACMScreenshots/Approval-Required-Comment.png

When ready, click the Request Certificate button. This will submit the CSR for processing and create a notification for the Approvers.

Step Two: Reviewing the Request
-----------------------------------------------

All Approvers that have subscribed to the "CERT_REQUEST_APPROVAL_REQUIRED" event will receive a notification via email.

.. image:: ACMScreenshots/Approval-Required-Email.png

The responding Approver will log in to ACM and go to the Requests Queue menu.

.. image:: ACMScreenshots/Requests-Queue.png

Click anywhere on the certificate request record to review the request.

.. image:: ACMScreenshots/Requests-Details.png

You can reject the request with comments or approve the request. If the request is rejected, the Requestor can modify the existing request, or create a new certificate request and submit again for approval.

.. image:: ACMScreenshots/Request-Options.png

If approved, an event notification will be generated for the approval and sent to the Requestor.

.. image:: ACMScreenshots/Cert-Approval-Event.png

If rejected, an event notification will be generated for the rejection and sent to the Requestor.

.. image:: ACMScreenshots/Cert-Rejection-Event.png

Step Three: Reviewing the Rejected or Approved Request
-------------------------------------------------------

The Requestor can view rejected requests by clicking on the Requests Queue menu.

.. image:: ACMScreenshots/Requests-Queue-Rejected.png

You can cancel the request by clicking the Cancel Certificate Request button. To edit the request, click the Edit Certificate Request button to make changes.

.. image:: ACMScreenshots/Requests-Queue-Edit.png

Once modified, the Requestor can re-submit the request for approval.

For approved requests, the record in the Request Queue screen will show as Issued.

.. image:: ACMScreenshots/Requests-Queue-Issued.png

The Requestor can retrieve the signed certificate directly from the Certificates menu.

.. image:: ACMScreenshots/Approved-Cert-Download.png