Workflow Definitions

The workflow builder in Keyfactor Command allows you to easily automate event-driven tasks when a certificate is requested or revoked. The workflows can be configured with multiple steps between the start and end of the operation that offer a simple way to configure notifications, approvals, and end-to-end automation throughout the environment. This provides for operational agility in an intuitive and easy-to-configure manner.

When a user begins one of the types of actions managed with workflow in Keyfactor Command—certificate enrollment, renewals or revocation—on the usual Management Portal page (e.g. PFX Enrollment) or using the Keyfactor API, the workflow kicks in behind the scenes and executes however many steps have been configured in the workflow definition to bring the action to the appropriate conclusion along the desired path. In the current version of workflows, the following customizable workflow steps are supported:

In addition to these customizable types of steps, there are built-in steps that you won't see unless you're using the Keyfactor API to view or edit the workflows (see Workflow Definitions in the Keyfactor Web APIs Reference Guide). At the end of their respective workflow types there are an enroll step and a revoke step to initiate the actual enrollment or revocation if the workflow reaches the end without being denied or failing. These built-in steps cannot be modified or moved to a different location in the workflow. There are also NOOP steps that indicate the start and end of the workflow for housekeeping purposes.

There are two types of workflow definition:

  • Global

    The global workflow definitions are built into the product and cannot be deleted, though they can be modified to add workflow steps, if desired. Global workflow definitions do not have a specific associated key—in the case of the currently available workflows, this is a certificate template—and apply to all requests of the workflow's type (e.g. enrollment) that are not otherwise handled by a custom workflow specifying a key.

  • Custom

    Custom workflow definitions are any additional workflow definitions you define beyond the built-in ones. Custom workflows are associated with a specific key (certificate template) and each workflow only applies to requests made using that key.

Note:  All certificate enrollment, renewal, and revocation requests go through workflow even if you haven't created any workflow steps or added any custom workflow definitions. In the absence of customization, the global workflow definitions are used.

Figure 147: Workflow Definitions

When requiring approval using workflow definitions in Keyfactor Command, templates do not need to be configured to require manager approval at the CA level in the certificate template. This is because the approval handling is fully controlled within Keyfactor Command. In fact, templates generally should not be configured to require CA manager approval when using Keyfactor Command workflow, since this would generally require approval both at the Keyfactor Command level and at the CA level.
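The fallback from custom to global definitions and the double-approval caveat above can be audited together. The following is an added example, not Keyfactor code or its API schema: the `WorkflowDefinition` model, the step labels and the sample inventory are constructed, and it assumes a Microsoft CA, where template-level manager approval is the `CT_FLAG_PEND_ALL_REQUESTS` (0x2) bit of `msPKI-Enrollment-Flag`.

```python
# Added example: hypothetical data model, not Keyfactor Command's API schema.
from __future__ import annotations
from dataclasses import dataclass, field

# AD CS msPKI-Enrollment-Flag bit meaning "CA certificate manager approval".
CT_FLAG_PEND_ALL_REQUESTS = 0x2

@dataclass
class WorkflowDefinition:
    name: str
    workflow_type: str        # "enrollment" or "revocation" (labels assumed)
    key: str | None = None    # certificate template; None marks a global definition
    steps: list[str] = field(default_factory=list)  # customizable steps (labels assumed)

def resolve(definitions, workflow_type, template):
    """A custom definition keyed to the template wins; otherwise the global one."""
    same_type = [d for d in definitions if d.workflow_type == workflow_type]
    for d in same_type:
        if d.key == template:
            return d
    # Global definitions cannot be deleted, so one always exists per type.
    return next(d for d in same_type if d.key is None)

def audit_enrollment_approval(definitions, template_flags):
    """Map each template to where enrollment approval is enforced."""
    report = {}
    for template, flags in template_flags.items():
        wf = resolve(definitions, "enrollment", template)
        in_command = "approval" in wf.steps
        at_ca = bool(flags & CT_FLAG_PEND_ALL_REQUESTS)
        report[template] = ("double" if in_command and at_ca else
                            "command" if in_command else
                            "ca" if at_ca else "none")
    return report

# Constructed sample inventory: workflow definitions and per-template flag values.
DEFINITIONS = [
    WorkflowDefinition("Global Enrollment", "enrollment"),
    WorkflowDefinition("Global Revocation", "revocation"),
    WorkflowDefinition("Web Server Approval", "enrollment", "WebServer", ["approval", "email"]),
    WorkflowDefinition("Code Signing Approval", "enrollment", "CodeSigning", ["approval"]),
]
TEMPLATE_FLAGS = {"WebServer": 0x0, "CodeSigning": 0x22, "UserAuth": 0x20, "SubCA": 0x2}

if __name__ == "__main__":
    for template, verdict in audit_enrollment_approval(DEFINITIONS, TEMPLATE_FLAGS).items():
        print(f"{template}: {verdict}")
```

A `double` verdict marks a template that would need approval in both places, and `ca` marks one still gated only at the CA rather than in Keyfactor Command.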

Tip:  Click the help icon next to the Workflow Definitions page title to open the embedded web copy of the Keyfactor Command Reference Guide to this section.

You can also find the help icon at the top of the page next to the Log Out button. From here you can choose to open either the Keyfactor Command Documentation Suite at the home page or the Keyfactor API Endpoint Utility.