Compliance
CertForge includes built-in compliance tooling: framework assignment that enforces policy requirements automatically, an AI engine that scores approval requests for risk, and a hash-chained audit trail that can be cryptographically verified.Compliance frameworks
A compliance framework can be assigned to an org or to individual Domain Trust Profiles. When active, the framework enforces its policy requirements without manual configuration of each DTP.Supported frameworks
Assigning a framework
Go to Compliance in the navigation. The Policy Assignments tab shows all available frameworks as a table with a dropdown on each row. Select a framework from the dropdown and save — requirements apply immediately to all new approval decisions in the org.Frameworks are plan-gated. On the Free plan, some frameworks are visible but locked — they appear with a lock indicator in the dropdown and cannot be assigned until you upgrade. Click View plans in the Compliance page to see what’s available on your plan.
What frameworks enforce
Whenmandatory_approval_reason is set by the active framework:
- Every approval and rejection decision requires the approver to select a predefined reason from the dropdown before submitting
- If no predefined reasons are configured, a free-text field is required instead
- Certificate requests for longer validity are capped at the framework’s maximum
- Applies to internal CA certificates only; ACME CAs always cap at 90 days
AI risk assessment
When the AI engine is enabled by the platform administrator, each incoming approval request is scored automatically before approvers review it. The AI engine evaluates:- The requested domain name pattern (sensitivity, public vs. internal)
- The requested environment (production carries higher weight)
- The requesting entity’s history (prior approvals, rejections, patterns)
- The CA type and DTP settings
approval.ai_risk event.
The AI score is advisory. Approvers can approve or reject regardless of the score.
To enable AI risk assessment, contact your platform administrator. Enabling requires an AI provider API key to be configured at the platform level.