Skip to main content
The approval workflow is CertForge’s governance layer. When enabled on a Domain Trust Profile, every certificate request is queued for human review before any certificate is issued.

Enable approval on a DTP

  1. Go to Admin → Domain Trust Profiles
  2. Edit the profile
  3. Toggle Require approval on
  4. Save
From this point, all new certificate requests under this profile enter a pending queue.

The approval queue

Approvals in the navigation shows all pending, approved, and rejected requests. Each request shows a pipeline step visualization — a horizontal progress indicator that shows which stage the request is at: Submitted → Pending → Approved/Rejected → Certificate Issued. Escalated requests show an escalation badge next to the status.

Taking action

Click Approve to issue the certificate, or Reject to decline. When rejecting, provide a reason — it is shown to the requester and recorded permanently in the audit trail. If Mandatory approval reason is enabled on the DTP (or by the active compliance framework), you must select a reason from the dropdown before the form can be submitted.

AI risk assessment

When the AI engine is enabled by your platform administrator, each incoming request is scored automatically. The score (low / medium / high) and the reasoning behind it appear on the request detail panel. The AI score does not block approval — it is advisory information to help approvers prioritize the queue. To enable the AI engine, contact your platform administrator or see the AI Setup guide.

Predefined approval reasons

Approval reasons give the approval and request workflows a controlled vocabulary. They are configured in Admin → Approval Reasons. There are two reason types:

Configuring reasons

  1. Go to Admin → Approval Reasons → Add reason
  2. Set:
    • Label — text shown in the dropdown, e.g. Security incident response
    • Typeapproval or requested
    • Sort order — integer controlling display order; lower values appear first
    • Active — inactive reasons are hidden from dropdowns but are not deleted
To retire a reason without losing historical records, set it to inactive rather than deleting it. The reason text is stored immutably in each decision record.

Enabling mandatory approval reason

The requirement to select a reason can be enforced in two ways:
  • Per DTP: Edit the DTP → Access Control section → enable Mandatory approval reason. Applies only to requests matched to that DTP.
  • Via compliance framework: Go to the Compliance page and assign a framework (SOC 2, ISO 27001, PCI-DSS, or HIPAA). All four frameworks set mandatory approval reason for every DTP in the org.
When mandatory reason is active and no configured reasons of the appropriate type exist, a free-text field is shown instead of a dropdown.

Who can approve

Justification requirement

When Require request justification is enabled on a DTP, the requester must enter a justification when submitting the request. This is stored permanently in the audit trail and is visible to all approvers.

Audit chain

Every approval action (submit, approve, reject, void) is written to an append-only hash-chained ledger. The chain is verified on every startup. Tampering with any past record breaks the chain and prevents CertForge from starting — making the approval history tamper-evident.

Notifications

When notification channels are configured, approvers are notified of new pending requests and requesters receive outcomes. Configure channels in Admin → Settings → Notifications. See Notifications →.

Void

An admin can Void a pending request — this closes it without issuing a certificate. Use void when a request was submitted in error or is no longer needed. Voiding is logged with actor and reason.

Bulk approval

Multiple pending requests can be approved or rejected at once from Approvals → Select All → Approve Selected.

Automated submission via API

Systems can submit approval requests programmatically via the mTLS enrollment API:
Response:
Poll the status or rely on the notification. The certificate is available for download once approved.