Requiring Approval for Certificate Requests
ACM provides the ability to require that certificate requests are approved prior to being issued by the system. This approval step only affects certificates requested by those holding the “Requestor” role. Account and Organization Admins have rights to approve certificate requests, so any certificate request made by one of these roles will automatically be approved.

The “requires approval” option is controlled in the certificate policy definition. Any certificate policy can be configured to require approval prior to issuance.
Warning
Policies that will be primarily accessed via API calls should NOT have the “requires approval” option set. This setting will prevent the API from being able to retrieve the cert without manual intervention.
To get the “requires approval” option added to a policy, or a new policy created with this option, please contact Support at acmsupport@hydrantid.com.
Adding notifications for Approvers and Requestors
ACM supports a Simple Notification Service (SNS) for providing subscription-based alerts. Both the Requestor and any Account or Organization Admins that will approve certificate requests must subscribe to the appropriate notification for their role. You can access the Edit Subscriptions screen by going to your User Profile.

Note
For Account or Organization Admins: add the “CERT_REQUEST_APPROVAL_REQUIRED” event. Every Admin that has subscribed to this event will receive a notification when there is a certificate request that needs approval.

Note
For Requestors: add the “CERT_REQUEST_APPROVED” and “CERT_REQUEST_REJECTED” events. This will ensure the Requestor is notified when their certificate request has been approved or rejected.

Requestor and Approver Walkthrough
This is what the process looks like once the above configurations have been completed for your Account.
Step One: Creating the Request
Log in with a Requestor role. Select your Organization and/or Certificate Policy. Enter your Certificate Signing Request (CSR) and click Parse CSR to process it.

If the policy is configured correctly for approvals, you’ll see the following message to the right of the Complete Certificate Request screen:

At the bottom of this screen you can add an optional comment. This information will be displayed to the Approver.

When ready, click the Request Certificate button. This will submit the CSR for processing and create a notification for the Approvers.
Step Two: Reviewing the Request
All Approvers that have subscribed to the “CERT_REQUEST_APPROVAL_REQUIRED” event will receive a notification via email.

The responding Approver will log in to ACM and go to the Requests Queue menu.

Click anywhere on the certificate request record to review the request.

You can reject the request with comments or approve the request. If the request is rejected, the Requestor can modify the existing request, or create a new certificate request and submit again for approval.

If approved, an event notification will be generated for the approval and sent to the Requestor.

If rejected, an event notification will be generated for the rejection and sent to the Requestor.

Step Three: Reviewing the Rejected or Approved Request
The Requestor can view rejected requests by clicking on the Requests Queue menu.

You can cancel the request by clicking the Cancel Certificate Request button. To edit the request, click the Edit Certificate Request button to make changes.

Once modified, the Requestor can re-submit the request for approval.
For approved requests, the record in the Request Queue screen will show as Issued.

The Requestor can retrieve the signed certificate directly from the Certificates menu.
