Set up the routing policy for automated certificate management

  • Release version: Washingtondc
  • Updated May 21, 2025
  • 2 minutes to read

    • Set up a routing policy to establish automated certificate management in Certificate Inventory and Management. This involves creating a policy based on factors such as Certificate Authority (CA), environment, and other features, ensuring efficient TLS certificate management.

    Before you begin

    Role required: pki_admin or admin

    About this task

    Duplicate certificate requests are not allowed. However, you can override this setting by checking the Allow duplicate requests check box. A certificate request is considered a duplicate if there is another certificate task with the same domain name that is still in progress. Approvals are only supported in the Fulfiller approval experience at this time.

    The routing policy decides which CA must be contacted for certificate operations. It contains the CA, CA URL, Credential, Approval Group, Assignment Group, and CSR attributes. The routing policy triggers the flow for requesting certificates for specific CAs.

    Procedure

    1. Navigate to All > Certificate Management > Certificate Routing Policies.
    2. Select New and fill in the required fields on the form.
      While requests for new certificates and certificate renewal can be automated, many PKI teams prefer human validation before fulfillment. If so, select the Approval required check box.
      Note:
      Organization, Organizational Unit, Locality, State, Country, and Email accept comma-separated values. * will be considered as any. Subject common name and Subject alternative name are supported with RegEx. The RegEx format has the following restrictions:
      • It should not contain commas.
      • It should not start and end with a forward slash (/). * matches any domain.
    3. The following CSR attributes are matched with the entries in the Routing Policy [sn_disco_certmgmt_routing_policy] table:
      • Organization
      • Organizational Unit
      • Locality
      • State
      • Country
      • Email
      • Environment
      • Certificate Purpose(internal/external)
      • Subject common name
      • Subject alternative name
      Note:
      For Entrust CA Gateway, there are also these fields: Certificate Authority Identifier, Certificate Profile, and Certificate Format. For Microsoft CA also use these fields: Certificate Authority, CA template name, CA Host IP, Credential, and CSR attributes. For DigiCert, the routing policy also requires a Certificate Authority API URL field to handle automated processes and revocation flows.
    4. The following options may occur.
      OptionDescription
      If a single routing policy matches Verify the following conditions:
      • Validate the subject common name using the RegEx pattern provided in the Routing Policy table, domain name, or *.
      • Check for certificate request validity period not greater than the maximum validity period in the Routing Policy table.
      • Check for duplicate Certificate Request is allowed flag in the Routing Policy table.
      If multiple routing policies are eligible The task is assigned to the default approver group.
      If there is no routing policy found The task is assigned to the default approver group.
      If single policy matches and approval needed flag is true The task is assigned to the task approval group defined in the routing policy.

    Result

    The approval group is assigned to the routing policy and contains the role: pki_approver and at least one of the active group members available in that group. If the routing policy requires manual approval, then approval is requested from those in the approval group.