Creating a certificate workflow

Workflow objects define the parameters required to implement a workflow approval or inject a local command at a specific stage of the certificate lifecycle.

You must have the Create permission to the policy where you want to create the workflow.

To create a Workflow object

  1. From the Platform menu bar, click Policy Tree.
  2. Select the policy for which you want to create the workflow.

  3. Click Add > Workflow.

    The Detail View displays the Workflow's associated settings.

  4. In the Name field, enter a friendly name.

  5. In the Conditions box, enter the qualifying conditions.

    Setting

    Description

    If Stage Is

    Enter the condition stage when the workflow event should be triggered. Stages are listed below.

    If Application or Trust Store is

    Will only trigger the approval if the certificate is installed on the Application or Trust Store selected from the list. If selected, this condition is in addition to the Stage Code. (That is to say there is an implied AND operation between the conditions.)

    Certificate Stage Codes

    Workflow Stage codes

    Stage Code

    Friendly Name

    Description

    0

    StartProcessing

    Prepares the certificate for lifecycle processing.

    100

    CheckStore

    Applies only to remote generations.

    If the private key and CSR are generated remotely, Trust Protection Platform compares the keystore or Directory configuration parameters specified in the Application object with the actual configuration on the application.

    200

    CreateConfigureStore

    Applies only to remote generations.

    If the certificate keystore does not exist, Trust Protection Platform creates the keystore as per the configuration parameters defined in the Application object.

    300

    CreateKey

    Creates the private key.

    DID YOU KNOW?  Stage 300 is used for key generation only when the API of a target device separates keypair and CSR generation. When they're combined, both key and CSR generation are always done at stage 400.

    400

    CreateCSR

    Creates the Certificate Signing Request (CSR). If Service Generated CSR is enabled and the certificate is associated with multiple applications, the CSR will be centrally generated so Trust Protection Platform can push the private key to multiple applications.

    500

    PostCSR

    Submits the CSR to the Certificate Authority (CA).

    If you post a manual CSR, this is the first stage of the certificate lifecycle.

    600

    ApproveRequest

    Approves the certificate renewal at the CA.

    700

    RetrieveCertificate

    Retrieves the certificate from the CA.

    800

    InstallCertificate

    Installs the certificate on the target application. This provisioning happens in several stages, such as 801, 802, etc. All stages between 800-899 are provisioning stages.

    900

    CheckConfiguration

    Reserved for future use. You cannot apply this stage to a workflow.

    1000

    ConfigureApplication

    Reserved for future use. You cannot apply a stage to this workflow.

    1100

    RestartApplication

    Used for command injection workflow that must be executed after a certificate has been successfully provisioned.

    1200

    EndProcessing

    Completes the certificate processing and, if configured, runs a Validation check on the certificate and application.

    1400

    Revocation

    Submits a revocation request to the CA.

    Certificate revocation is a certificate operation; it does not involve the application driver.

    1500

    UpdateTrustStore

     

    Updates the Trust Store at the host to comply with the effective bundle. To learn more, see Viewing the Effective Bundle.

    1600

    EndTrustStoreProcessing

    Completes the processing of the Trust Store.

    NOTE  If there are multiple approvals set at the same stage, all approvals will trigger at the same time, and all approvals must be resolved before the workflow can continue. In Aperture, if a user is an approver for multiple workflow tickets at the same stage, approving or rejecting any of the workflow tickets will have the same effect on all workflow tickets assigned to the same object and stage.

  6. In the Actions box, enter the appropriate actions.

    Setting

    Description

    Inject Commands

    Under the designated conditions, Trust Protection Platform executes the defined commands on the certificate’s consumer application.

    Trust Protection Platform is able to run local SSH commands against the following applications:

    • Apache
    • F5 LTM Advanced
    • IBM GSK
    • Imperva MX
    • JKS
    • Layer 7 SSG
    • Oracle iPlanet
    • PEM
    • PKCS#12
    • Tealeaf PCA

    Trust Protection Platform is able to run PowerShell commands over WinRM for the CAPI application.

    After Trust Protection Platform executes the command, the application driver logs an Inject Command Success or Inject Command Failure event so you can determine if the command successfully executed on the target application. The Inject Command Success event returns a value of zero (0) in the event’s Value2 field. An Inject Command Failure event returns a non-zero numeric value in the Value2 field. To provide automatic notification for Inject Command Failure events, you can create a Notification Rule that triggers on a value greater than zero in the event’s Value2 field.

    For more information, see Creating notification rules.

    Request Approval

    Check the box to request approval when this workflow condition is triggered.

    Request Approval From

    Select the source of the approver.

    • Approver assigned to the object. For certificates, this is defined by the certificate settings in the Policy Tree.

    • Specified approver. Hard-code the approvers to be used. Activates the Specified Approver(s) field where you must enter the identities used for the approval.

      If multiple approvers are added, all listed approvers must approve the workflow item before it will be approved. If any of the approvers rejects the workflow, the item will be rejected.

    • Specify approver via macro. Allows you to enter a macro to dynamically select the workflow approver when the workflow is triggered. For more information on the Trust Protection Platform macro language, see the Venafi Trust Protection Platform Macro Guide. Activates the Approver Macro field where you must enter the macro command.

    Approval Reason Code

    Enter the Reason Code you want to include with the notification that is sent to the workflow approver. The maximum Approval Reason Code value is 999.

    IMPORTANT  This option is required if you select Request Approval From.

    Approval Reason Codes also accompany customized explanations or instructions for workflow approvers. The drop-down list displays the Reason Codes defined in the Workflow tree. For more information, see Defining reason codes for certificate approvals.

  7. Click Save.

IMPORTANT  When you define a Workflow object that requires approval, you must also select an Approval Reason Code to provide explanations or instructions for the workflow approvers. To learn more, see Defining reason codes for certificate approvals.

For a detailed description of the object settings, see Workflow object settings.