Set Up Certificate Approvals
Step-by-step guide to configuring certificate approval workflows.
This guide walks through setting up approval workflows for certificate issuance. Approval workflows add a human review step before certificates are issued, helping enforce separation of duties and meet compliance requirements.
Diagram
The following sequence diagram illustrates the certificate issuance workflow when an approval policy is configured.
```mermaid
sequenceDiagram
    autonumber
    participant Client as Client
    participant Infis as Hanzo KMS
    participant Approver as Approver(s)
    participant CA as CA (Internal or External)
    Client->>Infis: Request Certificate<br/>(Subject, SANs, Duration)
    Infis->>Infis: Validate Profile & Policy
    alt Approval Policy Found
        Infis-->>Client: Return Request ID<br/>(Status: PENDING_APPROVAL)
        Infis->>Approver: Notify Approvers
        loop For Each Approval Step
            Approver->>Infis: Review and Approve
            Infis->>Infis: Check if step complete
        end
        Infis->>Infis: All steps approved
    end
    Note over Infis, CA: Issuance Phase
    Infis->>CA: Submit Certificate Signing Request (CSR)
    CA-->>Infis: Return Signed Certificate<br/>(+ Chain)
    Infis-->>Client: Certificate Available<br/>(Poll ID or Webhook)
```
Guide
In the following steps, we set up an approval workflow for certificate issuance.
First, follow the guide to create a certificate authority to issue certificates from.
Next, create a certificate policy that defines permitted certificate attributes. See the guide to creating a certificate policy for detailed instructions.
Create a certificate profile that references your CA and certificate policy. See the guide to creating a certificate profile for detailed instructions.
Select an enrollment method (API, ACME, or EST) based on how certificates will be requested.
Navigate to your Certificate Management Project > Certificate Manager > Approvals > Policies and click Create Policy. See the guide to creating an approval policy for detailed instructions.
Configure the policy:
- Configuration Step:
  - Enter a descriptive policy name (e.g., production-cert-approval)
  - Optionally set a maximum request TTL (e.g., 7d for requests to expire after 7 days)
  - Select the certificate profile(s) that require approval
  - Optionally enable bypass for machine identities if automated workloads need to issue certificates without approval
- Approval Sequence Step:
  - Add one or more approval steps
  - For each step, select the users or groups who can approve
  - Set the required number of approvals per step
  - Enable notifications to alert approvers when their review is needed
- Review Step:
  - Review your configuration and click Create
Request a certificate using your chosen enrollment method:
- API: Make a request to the Issue Certificate endpoint
- ACME: Use an ACME client to request a certificate
- EST: Use an EST client to enroll for a certificate
Since an approval policy is configured, the request will be placed in a PENDING_APPROVAL status.
Sample API Request
```bash
curl --location --request POST 'https://app.kms.hanzo.ai/api/v1/cert-manager/certificates' \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "profileId": "<profile-id>",
    "attributes": {
      "commonName": "example.com",
      "altNames": [
        { "type": "DNS", "value": "www.example.com" }
      ],
      "ttl": "365d"
    }
  }'
```
Sample Response (Pending Approval)
```json
{
  "status": "PENDING_APPROVAL",
  "certificateRequestId": "<request-id>",
  "message": "Certificate request requires approval",
  "projectId": "<project-id>"
}
```
Navigate to your Certificate Management Project > Certificate Manager > Approvals > Requests.
- Find the pending request in the list
- Click on it to view the details
- Review the certificate request information:
- Requester identity
- Common name and SANs
- Key usages and validity period
- Click Approve to approve the request (or Reject to deny it)
If the policy has multiple approval steps, the request advances to the next step after each approval.
Once all approval steps are complete, the certificate is automatically issued.
After approval, retrieve the certificate using the certificate request ID or by fetching the latest certificate from the profile:
Get Certificate by Request ID
```bash
curl --location --request GET 'https://app.kms.hanzo.ai/api/v3/cert-manager/certificate-requests/<request-id>' \
  --header 'Authorization: Bearer <access-token>'
```
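As an added example (not Hanzo KMS's own client code), the API path above carried end to end: build the body from the Sample API Request, detect the PENDING_APPROVAL response, and poll the certificate-request endpoint until an approver acts. It uses only the endpoints and fields shown on this page; the non-pending status names the GET endpoint returns are not shown here, so the poller treats any status other than PENDING_APPROVAL as final and hands it to the caller, and the poll bound and interval are defensive assumptions.

```python
"""Added example (not Hanzo KMS's own client): submit a certificate request and
poll until the approval step finishes. Request/response shapes follow this page;
the non-pending status names returned by the GET endpoint are not shown on the
page, so this code only distinguishes PENDING_APPROVAL from "anything else"."""
import json
import time
import urllib.request

BASE_URL = "https://app.kms.hanzo.ai"
PENDING = "PENDING_APPROVAL"  # status value shown in the sample response above

def http_json(method, url, token, body=None):
    """Minimal JSON transport on the standard library (no third-party packages)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())

def build_request(profile_id, common_name, dns_sans, ttl="365d"):
    """Body for the Issue Certificate endpoint, in the shape shown on this page."""
    alt_names = [{"type": "DNS", "value": name} for name in dns_sans]
    return {"profileId": profile_id,
            "attributes": {"commonName": common_name, "altNames": alt_names, "ttl": ttl}}

def request_id_to_poll(response):
    """From the POST response: the certificateRequestId if the request is pending
    approval, else None (no approval policy matched, so there is nothing to wait for)."""
    return response.get("certificateRequestId") if response.get("status") == PENDING else None

def wait_for_approval(fetch, request_id, max_polls=120, interval_s=5, sleep=time.sleep):
    """Poll GET .../certificate-requests/<id> (via `fetch`, which returns the parsed
    body) until the status is no longer PENDING_APPROVAL. Bounded by max_polls so a
    request nobody approves cannot hang the caller; returns (status, polls, body)."""
    for polls in range(1, max_polls + 1):
        body = fetch(request_id)
        status = body.get("status")
        if status != PENDING:  # issued or rejected: the caller decides what to do
            return status, polls, body
        sleep(interval_s)
    raise TimeoutError(f"request {request_id} still {PENDING} after {max_polls} polls")

def kms_fetcher(token):
    """Real `fetch` for wait_for_approval, bound to an access token."""
    url = f"{BASE_URL}/api/v3/cert-manager/certificate-requests/"
    return lambda rid: http_json("GET", url + rid, token)
```

Against a live deployment, pass `kms_fetcher(token)` as `fetch` and the id from `request_id_to_poll` on the POST response; a `TimeoutError` means the request is still waiting on an approver, not that issuance failed.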