Approval Workflow
The approval workflow is CertForge’s governance layer. When a Domain Trust Profile requires approval, every certificate request is queued for human review before any certificate is issued. No certificate reaches a CA without sign-off.Why approval matters
Without a governance layer, any authorized device or script can request and receive a certificate immediately. The approval workflow ensures that:- A human reviews what domain is being requested and why
- The requester’s justification is recorded in the audit trail
- Mistakes (wrong domain, wrong CA, wrong environment) are caught before issuance
- Compliance requirements for change management are met
Request lifecycle
What approvers see
The Approvals page shows pending, approved, and rejected requests. Each request includes a pipeline step visualization showing where the request is in its lifecycle.| Field | Description |
|---|---|
| Request ID | Unique identifier for the approval chain |
| Requested by | Username / email of the requester |
| Domains | The certificate’s subject alternative names |
| Trust Profile | Which DTP matched |
| Environment | Production, staging, dev, etc. |
| Justification | Text the requester provided |
| Requested at | Timestamp |
| AI risk score | Risk level assessed by the AI engine (if enabled) |
| Status | Pending / Approved / Rejected |
AI risk assessment
When the AI engine is enabled by the platform administrator, CertForge scores each incoming approval request and displays a risk level (low, medium, high) along with reasoning. Risk factors include the domain name pattern, requested environment, requester history, and CA type. The AI score is advisory — approvers can approve or reject regardless of the score. The score and reasoning are stored permanently in the audit trail.Predefined approval reasons
Approval reasons provide a controlled vocabulary for approval and rejection decisions. There are two reason types:| Type | When used |
|---|---|
approval | Selected by the approver when approving or rejecting a request |
requested | Selected by the requester when submitting a request |
Comments
Approvers can leave a comment on any request. Comments are visible to other approvers and to the requester once the decision is made. Comments are stored permanently in the audit trail.Mandatory reason enforcement
The mandatory approval reason requirement can be enforced in two ways:- Per DTP: Enable Mandatory approval reason in the DTP’s Access Control settings. Applies only to requests matched to that DTP.
- Via compliance framework: Assign a compliance framework (SOC 2, ISO 27001, PCI-DSS, HIPAA) at the org level. All four frameworks enforce mandatory approval reasons across all DTPs.
Escalation
When a request remains pending past the configured thresholds, CertForge notifies escalation contacts and shows an escalation badge on the request in the Approvals page. Escalation thresholds and contacts are configured per DTP.Justification
When Require request justification is enabled on a DTP, the requester must provide a plain-text justification when submitting the request. The justification is stored permanently in the audit trail and is visible to all approvers.Who can approve
Any user with the following roles can approve requests:- Org admin — can approve any request in the org
- Org operator — can approve requests for DTPs they have admin-level DTP access on
Audit chain integrity
Every approval action (submit, approve, reject, void) is written to an append-only ledger with a cryptographic hash chain. Each record includes the hash of the previous record. This makes the audit trail tamper-evident — any modification to a past record breaks the chain, which is detected on startup and on-demand. You can verify the chain integrity at Compliance → Audit Chain.Void
An admin can void a pending request — this closes it without issuing a certificate. Voiding is logged with the actor’s identity and reason.Notifications
When notification channels are configured, approvers receive notifications on new pending requests and requesters receive notifications on approval outcomes. Configure channels (Webhook, Slack, Microsoft Teams, Webex) in Admin → Settings → Notifications.API-driven requests
Automated systems can submit requests via the mTLS API:approval_id. The system can poll /approvals/{id} for status, or rely on the certificate being written to a known path once approved.