Workflows Assigned to Me Operations
Only workflow instances that are in a Suspended state and that the current user has permissions to submit signals for (e.g. approve or deny) appear on the Assigned to Me tab of the My Workflows page. Once the user submits a signal to a workflow instance on this page, it is removed from the page.
(A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store.)
To review a workflow instance and potentially submit a signal for it:
- In the Management Portal, browse to Workflow > My Workflows.
- On the Assigned to Me tab of the My Workflows page, double-click or click Review from either the top or right-click menu.
- On the Workflow Signal Review page, review the information in the instance before submitting a signal for the request. Information on the review page includes:
  - Id: A GUID indicating the Keyfactor Command reference ID for the instance.
  - Title: A description for the action taking place in the step. For example: "KEYEXAMPLE\jsmith is enrolling for a certificate with CN=appsrvr12.keyexample.com." Or: "KEYEXAMPLE\mjones is revoking certificate with CN=appsrvr14.keyexample.com."
  - Status: The current status message of the workflow instance. For a workflow suspended and awaiting approval, the status message might be:
  - Current Step: The display name defined for the workflow instance step at which the instance has paused. For a suspended workflow, this will be the custom step that is awaiting user input to continue the workflow.
Figure 243: Workflow Instance Review
The data included in this section will vary depending on the request type and the configuration of the workflow.
Enrollment
- Subject: The distinguished name of the certificate.
- CSR: Raw: The unparsed version of the certificate signing request generated for the certificate request.
- CSR: Parsed: The parsed version of the certificate signing request generated for the certificate request. The CSR may include:
  - Key Length: The desired key size for the certificate.
  - Key Type: The desired key encryption for the certificate.
  - C: The country (two characters) of the certificate.
  - ST: The state or province of the certificate.
  - L: The city or locality of the certificate.
  - OU: The organizational unit of the certificate.
  - O: The organization of the certificate.
  - E: The email address of the certificate.
  - CN: The common name of the certificate.
  - DNS Name: A SAN value containing a DNS name.
  - IP Address: A SAN value containing an IPv4 or IPv6 address.
  - RFC822 Name: A SAN value containing an email address.
  - Other Name: Principal: A SAN value containing a user principal name (UPN).
- Additional Attributes: Values for any custom enrollment fields set on the certificate template to supply custom request attributes to the CA during the enrollment process.
- Certificate Authority: The certificate authority that will be used to enroll against in hostname\logical name format.
- Custom Name: A custom friendly name for the certificate, if entered at enrollment.
- Format: The desired output format for the certificate. A value of STORE indicates that the certificate is intended to be delivered into one or more certificate stores.
- Include Chain: A flag indicating whether to include the certificate chain in the enrollment response (true) or not (false).
- Initiating User Name: The name of the user who initiated the workflow in DOMAIN\username format.
- Is PFX: A flag indicating whether the certificate enrollment type that initiated the workflow instance was PFX (true) or CSR (false).
- Key Retention: A flag indicating whether the private key for the certificate resulting from the enrollment will be retained in Keyfactor Command (true) or not (false).
- Management Job Time: The schedule for the management job to add the certificate to any certificate store(s).
- Metadata: Values for the metadata fields that will be associated with the certificate once it is in Keyfactor Command.
- PFX Password Secret Instance Id: The Keyfactor Command reference ID for the PFX password used to secure the PFX file on download.
- Renewal Certificate: Certificate Id - The Keyfactor Command reference ID of the certificate this certificate replaces on a renewal.
- Renewal Certificate Data: Raw: The certificate that this certificate replaces on a renewal as returned by the CA in base-64 encoded binary format.
- Renewal Certificate Data: Parsed: The certificate details for the certificate that this certificate replaces on a renewal, including:
  - Issued DN: The distinguished name of the certificate.
  - Issuer DN: The distinguished name of the issuer.
  - Thumbprint: The thumbprint of the certificate.
  - Not After: The date, in UTC, on which the certificate expires.
  - Not Before: The date, in UTC, on which the certificate was issued by the certificate authority.
  - Metadata: The metadata fields populated for the certificate.
- SANs: Type: The subject alternate names defined for the certificate. Possible types that can be entered within Keyfactor Command are DNS Name, IPv4 Address, IPv6 Address, User Principal Name, and Email. Within each type is a list of entries for that type shown with a key name of the entry number and the actual value. For example, if you had two DNS SANs, the DNS Name section would look something like:
  Entry 1: myfirstsan.keyexample.com
  Entry 2: mysecondsan.keyexample.com
- Stores: The certificate stores to which the certificate should be distributed, if applicable.
- Template: The template that was used when requesting the certificate.
- (Custom): Optional user-generated custom fields returning response data from PowerShell scripts or REST requests. These will be sorted alphabetically in among the other fields on the page.
Revocation
For a revocation, this section may include:
- Certificate Authority: The certificate authority that issued the certificate.
- Certificate Id: The Keyfactor Command reference ID for the certificate being revoked.
- Comment: A freeform reason or comment to explain why the certificate is being revoked.
- Delegate: A flag indicating whether delegation was enabled for the certificate authority that issued the certificate at the time revocation was requested (true) or not (false). For more information, see Delegation Section.
- Effective Date: The date and time when the certificate will be revoked.
- Initiating User Name: The name of the user who initiated the workflow in DOMAIN\username format.
- Operation Start: The time at which the revocation workflow was initiated.
- RevokeCode: The specific reason that the certificate is being revoked. Possible values are:
  - -1: Remove from Hold
  - 0: Unspecified
  - 1: Key Compromised
  - 2: CA Compromised
  - 3: Affiliation Changed
  - 4: Superseded
  - 5: Cessation of Operation
  - 6: Certificate Hold
  - 7: Remove from CRL. Only valid in the case that a cert is already on a CRL in a manner that it can be removed, such as Certificate Hold.
- Serial Number: The serial number of the certificate being revoked.
- Thumbprint: The thumbprint of the certificate being revoked.
- (Custom): Optional user-generated custom fields returning response data from PowerShell scripts or REST requests. These will be sorted alphabetically in among the other fields on the page.
Certificate Entered Collection and Certificate Left Collection
For a certificate that entered or left a certificate collection, this section generally includes:
- Certificate Id: The Keyfactor Command reference ID for the certificate added to or removed from the certificate collection.
- Initiating User Name: The name of the user who initiated the workflow (generally Timer Service in this case).

(The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be available in other places in the Management Portal, e.g. expiration alerts and certain reports.)
Signal Input
In the Signal Input section of the page, you can submit one or more signals for the step. For the built-in require approval workflow step type, this is where you send an approval or denial for the request along with a comment about the approval or denial.
Figure 244: Approve or Deny a Workflow Instance
A custom workflow step requiring signal input may have more than one signal type to select from in the dropdown, may have input fields to submit data with the signal, and will likely have buttons with labels other than Deny or Approve.
- At the bottom of the Workflow Signal Review page in the Signal Input section, select an option in the Signal Type dropdown, enter any required signal data, and click an appropriate signal button to submit the signal. For the built-in require approval workflow step type, select ApprovalStatus in the dropdown (there is only one choice), enter an optional Comment (the maximum comment length is 500 characters), and click either Approve to add your approval to the workflow or Deny to deny the workflow instance.

  Tip: If you reference the approve/deny comments using the $(approvalsignalcmnts) token, the included comments will vary depending on where you use the token. If you use the token in an email message within a require approval step, only comments from that require approval step will be included. If you use the token in a separate email step within the same workflow, all comments from any require approval steps within the workflow will be included.

  Important: Comments entered when approving or denying a built-in require approval workflow step can be included in emails delivered either as part of the require approval step or in subsequent steps within the workflow, but they are not retained for future reference. If you would like to retain them for future reference, use a workflow step that copies the comment(s) to a metadata field (see Use Custom PowerShell). (Metadata provides information about a piece of data. It is used to summarize basic information about data, which can make working with the data easier. In Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields that allow you to tag certificates with tracking information about certificates.)
- On the Confirm Operation alert, click OK to confirm or Cancel to cancel the operation.
An audit log entry is created when you provide input to a workflow instance (see Audit Log).
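
The enrollment fields shown on the review page (Key Type, Key Length, CN, DNS Name, IP Address) are what an approver has to judge before clicking Approve. The following is an added example, not Keyfactor code, of turning that review into a repeatable checklist; the dictionary layout, the key type names, the minimum key sizes, the allowed domain suffix and the rule against public IP SANs are all assumptions to replace with your own CA policy.

```python
import ipaddress

# Assumed reviewer policy; replace with the values from your own CA policy.
MIN_KEY_BITS = {"RSA": 2048, "ECC": 256}
ALLOWED_DNS_SUFFIXES = (".keyexample.com",)

def review_enrollment(fields):
    """Return a list of findings for one enrollment request; empty means nothing flagged."""
    findings = []
    key_type = str(fields.get("Key Type", "")).upper()
    key_bits = int(fields.get("Key Length", 0))
    minimum = MIN_KEY_BITS.get(key_type)
    if minimum is None:
        findings.append(f"unexpected key type: {key_type or 'missing'}")
    elif key_bits < minimum:
        findings.append(f"{key_type} key length {key_bits} is below {minimum}")

    dns_names = [name.lower() for name in fields.get("DNS Name", [])]
    for name in dns_names:
        if "*" in name:
            findings.append(f"wildcard DNS SAN: {name}")
        if not name.endswith(ALLOWED_DNS_SUFFIXES):
            findings.append(f"DNS SAN outside allowed domains: {name}")

    cn = fields.get("CN", "").lower()
    if cn and cn not in dns_names:
        findings.append(f"CN {cn} is not repeated in the DNS SANs")

    for ip in fields.get("IP Address", []):
        try:
            public = not ipaddress.ip_address(ip).is_private
        except ValueError:
            findings.append(f"IP SAN is not a valid address: {ip}")
            continue
        if public:
            findings.append(f"IP SAN is publicly routable: {ip}")
    return findings

# Constructed sample requests, not taken from a real workflow instance.
GOOD = {"CN": "appsrvr12.keyexample.com", "Key Type": "RSA", "Key Length": 2048,
        "DNS Name": ["appsrvr12.keyexample.com"], "IP Address": ["10.4.8.15"]}
BAD = {"CN": "appsrvr14.keyexample.com", "Key Type": "RSA", "Key Length": 1024,
       "DNS Name": ["*.keyexample.com", "login.example.net"], "IP Address": ["8.8.8.8"]}

if __name__ == "__main__":
    for label, request in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, review_enrollment(request) or "no findings")
```

Any finding is a reason to ask the initiating user for justification or to deny the request, and it is worth recording in the signal comment.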