Certificate Signing Request Approvals¶
Overview¶
Certificate Signing Request (CSR) approvals provide the controlled authorization step for certificate issuance. When a client — or another flow inside the platform, such as the Sub CA creation wizard — submits a CSR against an Issue Certificate operation whose approval rule requires it, the request is held in ApprovalRequired state until an authorized user makes a decision.
The Certificate Signing Request Approvals page lists all CSRs awaiting a decision and lets an approver inspect the request and the parsed CSR before approving or rejecting it.
Reviewing Requests¶
The approvals list shows pending CSRs in a paginated table. Select a request to review its details before making a decision.
Request Summary¶
| Column | Description |
|---|---|
| ID | The unique identifier of the certificate request |
| Subject DN | The Subject Distinguished Name from the CSR |
| Description | The description supplied by the submitter |
Request Details¶
Expand a request row to see the full details. The expanded panel is split into three sections:
Certificate Request Information¶
| Field | Description |
|---|---|
| ID | The unique identifier for tracking |
| Description | Free-form text from the submitter |
| Subject DN | Subject Distinguished Name supplied in the request |
Issuing CA Information¶
| Field | Description |
|---|---|
| CA ID | Identifier of the CA that will issue the certificate if the request is approved |
| Issuer DN | Distinguished Name of the issuing CA |
| Use Case | Use-case slot the issuing CA occupies in the product |
CSR¶
The platform parses the PEM-encoded CSR and reports the following fields:
| Field | Description |
|---|---|
| CSR Subject | Subject parsed from the CSR itself (compare against Subject DN above) |
| Public Key Algorithm | RSA or EC |
| Key Size | Bit length for RSA, curve name for EC |
| Signature Algorithm | Algorithm used to sign the CSR (e.g., SHA256withRSA, ECDSA-with-SHA256) |
Approval Actions¶
After selecting a request and reviewing its details, you can take one of two actions:
| Action | Effect | Description |
|---|---|---|
| Approve | Authorizes the certificate issuance | The issuing CA signs the CSR and the resulting certificate is delivered back to the submitter. |
| Reject | Denies the request | The issuing CA does not sign the CSR. The submitter must create a new request to retry. |
Making a Decision¶
- Select a pending request from the list.
- Expand the row and review the request, issuing CA, CSR, and requested extensions.
- Click Approve or Reject.
- Confirm your decision in the confirmation dialog.
- The list refreshes automatically after the action is processed.
Approval groups
Only users belonging to the Approval Groups configured on the operation's approval rule can approve or reject a request. If you can see the request but the Approve / Reject buttons stay disabled, verify that you are in the correct security group with your administrator. See Approval Rules for how the rule is configured at CA creation time.
Blanket-group submissions never appear here
Requests submitted by members of a Blanket Group on the operation are auto-approved at submission time and never enter the pending list. They are still recorded in the Audit Trails.
Troubleshooting¶
| Issue | Possible Cause | Resolution |
|---|---|---|
| No pending requests visible | There are no pending CSRs, or you lack the required approval group membership | Verify your security group assignments with your administrator |
| Approve/Reject buttons are disabled | No request is selected | Click on a request row to select it before taking action |
| Approval action fails with a conflict | The request may already have been processed by another approver | Refresh the list; the request may no longer be pending |