Creating a Policy for Certificate Re-Enrollment

To create a Re-Enroll Certificate policy:
  1. Go to (Menu) > Policy Engine > POLICY MANAGEMENT > Policies.
    The Policy Inventory page is displayed, listing all Kube, Certificate, and Device policies.
  2. Click (+ Create Policy).
    The Create Policy pop-up is displayed.
  3. In the Create Policy pop-up, from the Select the Policy Type dropdown, select Managed Certificate Policy.
    The fields for creating the policy are displayed.
  4. Enter/Select values for configuring the policy as described in the table below.
    Field Description
    *Policy Name Enter a policy name that can include letters, numbers, and the special characters - (dash) and _ (underscore).
    Description Enter a description for the policy.
    *Select a Tag Select an existing tag or type to create a new one. Tags group the related policies.
    Note: Selecting the appropriate policy type allows you to group policies logically, simplifying organization and management based on specific criteria.
    *: Mandatory field
  5. Click Configure Policy.
    The Create a Certificate Re-enrollment Policy in 7 Simple Steps pop-up is displayed with a short description of each step.
  6. Click Close on the pop-up.
    The first of the seven steps, Action is enabled.

Selecting Action

The Action step lets you select a specific action to trigger the policy.
  1. Enter/select the values as described in the table below.
    Field Description
    Select an Action Defines the policy for certificate enrollment. Select Enroll Certificate.
    *Display Name for Action Enter the action name that is to be displayed to users instead of the Policy name in Quick Actions. This field accepts alphanumeric values and the special characters - (dash), _ (underscore), and space. Click the info icon to preview the Quick Actions.
    *: Mandatory field
  2. Click Next.
    The second step, the Issuance Template page is displayed.

Configuring Issuance Template

An issuance template is a customizable form that defines how certificate request fields are created and processed. It enables administrators to control the information collected during the certificate request process and how it is validated. Multiple templates can be added.
  1. Select the Re-Enrollment Master Template from the Issuance Template panel on the right.
    The Certificate Parameter fields are displayed.
  2. Enter/Select values in the Certificate Parameter fields as described below.
    Note: Only the fields below will be updated in the certificate during re-enrollment.
    Field Description
    Organization Enter the legal name of the organization requesting the certificate re-enrollment.
    Organization Unit Enter the department or division within the organization.
    Locality Enter the city or locality where the organization is registered or operates.
    Street Address Enter the street name and number associated with the organization’s registered location.
    State Enter the state or province of the organization’s address.
    Country Enter the two-letter ISO country code (e.g., US, IN) representing the organization’s location.
    Postal Code Enter the postal or ZIP code corresponding to the organization’s address.
    Email Address The contact email address associated with the certificate request, typically used for validation or notifications.
    * Key Type Select the cryptographic algorithm used to generate the private and public key pair (For example: RSA, ECDSA).
    * Hash Function Select the hashing algorithm to be used during CSR generation (For example: SHA-256, SHA-384).
    * Validity Unit Select the unit of time used to specify the certificate’s validity period (Days, Months, Years).
    * Validity in Days This field is displayed if the Validity Unit = Days. Enter the number in the field and then hit the Enter key for the value to be selected.
    * Validity in Months This field is displayed if the Validity Unit = Months. Enter the number in the field and then hit the Enter key for the value to be selected.
    * Validity in Years This field is displayed if the Validity Unit = Years. Enter the number in the field and then hit the Enter key for the value to be selected.
    Note:
    • While entering values for multi-select fields, one of the values must be set as the default by clicking the Select & Set Default button next to the value.
    • Each field type (text box, multi-select, dropdown, checkbox, and others) can be customized by selecting the (settings) icon next to the field. See the section Field Customizations for Issuance Templates for more details.
  3. [Optional] Click the button to include additional custom fields.
    The Add Custom Field pop-up is displayed.
  4. Enter/Select the values in the Add Custom Field pop-up as described in the table below.
    Field Description
    Include this Custom Field as a Certificate Attribute Enable or disable the toggle button to include or exclude the custom field as a certificate attribute.
    Store this field value in an encrypted format Enable or disable the toggle button to store the field value in an encrypted or non-encrypted format.
    *Field Name Provide a field name for the custom field in alphanumeric format.
    *Field Type Select a field type for the custom field. The available types are:
    • Label
    • Text Box
    • Text Area
    • Radio Button
    • Checkbox
    • Select Box
    • Multi-select Box
    Field Value Specify a default value for the field. The value can be modified according to the field type. For fields that accept multiple entries, use a comma-separated format.
    *: Mandatory field
  5. Click the Add button in the Add Custom Field pop-up to enable the value in the Vendor Template form.
    Note: After adding custom fields, a (Settings) icon will appear to customize the field type, and a (Delete) icon will be available to remove the field from the form.
  6. Click (Preview) to view the form information.
    Note: Users can copy predefined variables (e.g., ${user.firstName}, ${user.lastName}) from the option next to Preview. Variables can be inserted into text content and at runtime, they are replaced with actual values.
  7. Click the Save Template dropdown next to the Issuance Template header, then select Save as New to create a new template and save this configuration as a reusable template for future use.
    The Save as Template pop-up is displayed.
  8. Enter the Template Name and enter a template Description. (Template names can include alphanumeric and the - (dash), _ (underscore), and space special characters.)
  9. Click Save on the pop-up.
    The Vendor template is saved successfully.
  10. [Optional] Add another template, if required: click the button and follow the steps above.
  11. Click Next.
    The third step, the Approval page is displayed.

Field Customizations for Issuance Templates

  1. Label
    There is no customization for labels.
  2. Text Box - The customization fields for Text Box are as follows:
    Field Description
    Hide Field Enable the toggle button to hide the field in the form.
    Read Only Enable the toggle button to make the field a read-only (non-editable) one.
    Set as mandatory Enable the toggle button to make the field mandatory.
    Label name Enter a name for the field that will appear on the form.
    Placeholder Enter the temporary text displayed inside the text box before the user enters a value. It gives a hint or example of what the user should type in that field.
    Validation Select a validation rule or enter a customRegEx. Validation defines the rules that the input must meet before it can be submitted.
    Help Tooltip Enter the informational message that appears when the user hovers over or clicks on the information icon next to the field.
    Note: If any one of the Hide Field, Read Only, or Set as mandatory toggle buttons is enabled, the other two toggle buttons remain disabled.
  3. Text Area - The customization fields for Text Area are as follows:
    Field Description
    Hide Field Enable the toggle button to hide the field in the form.
    Read Only Enable the toggle button to make the field a read-only (non-editable) one.
    Set as mandatory Enable the toggle button to make the field mandatory.
    Label name Enter a name for the field that will appear on the form.
    Help Tooltip Enter the informational message that appears when the user hovers over or clicks on the information icon next to the field.
  4. Radio Button - The customization fields for Radio Button are as follows:
    Field Description
    Hide Field Enable the toggle button to hide the field in the form.
    Read Only Enable the toggle button to make the field a read-only (non-editable) one.
    Set as mandatory Enable the toggle button to make the field mandatory.
    Label name Enter a name for the field that will appear on the form.
    Help Tooltip Enter the informational message that appears when the user hovers over or clicks on the information icon next to the field.
  5. Checkbox - The customization fields for Checkbox are as follows:
    Field Description
    Hide Field Enable the toggle button to hide the field in the form.
    Read Only Enable the toggle button to make the field a read-only (non-editable) one.
    Set as mandatory Enable the toggle button to make the field mandatory.
    Label name Enter a name for the field that will appear on the form.
    Help Tooltip Enter the informational message that appears when the user hovers over or clicks on the information icon next to the field.
  6. Select Box - The customization fields for Select Box are as follows:
    Field Description
    Hide Field Enable the toggle button to hide the field in the form.
    Read Only Enable the toggle button to make the field a read-only (non-editable) one.
    Set as mandatory Enable the toggle button to make the field mandatory.
    Label name Enter a name for the field that will appear on the form.
    Help Tooltip Enter the informational message that appears when the user hovers over or clicks on the information icon next to the field.
  7. Multi-select Box - The customization fields for Multi-select Box are as follows:
    Field Description
    Hide Field Enable the toggle button to hide the field in the form.
    Read Only Enable the toggle button to make the field a read-only (non-editable) one.
    Set as mandatory Enable the toggle button to make the field mandatory.
    Label name Enter a name for the field that will appear on the form.
    Help Tooltip Enter the informational message that appears when the user hovers over or clicks on the information icon next to the field.
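As an added example (not the product's form engine), the following Python applies the Hide Field, Read Only, Set as mandatory and customRegEx customizations described above to a submitted re-enrollment request and enforces them on the server side, so that hiding or disabling a control in the form is not the only thing standing between a client and the certificate parameters. The template definition, defaults, regular expressions and sample request values are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed example: enforce the issuance-template field customizations
# (Hide Field, Read Only, Set as mandatory, Validation/customRegEx) on a
# submitted request. Not the product's form engine; the template below and the
# rules are assumptions written for illustration.


@dataclass
class FieldSpec:
    name: str
    hide: bool = False                   # Hide Field
    read_only: bool = False              # Read Only
    mandatory: bool = False              # Set as mandatory
    default: Optional[str] = None
    custom_regex: Optional[str] = None   # Validation: customRegEx (must match the whole value)

    def __post_init__(self):
        # Page rule: enabling one of the three toggles leaves the other two disabled.
        if sum((self.hide, self.read_only, self.mandatory)) > 1:
            raise ValueError(f"{self.name}: only one of hide/read_only/mandatory may be enabled")


# Constructed Re-Enrollment template built from the Certificate Parameter fields on the page.
TEMPLATE: List[FieldSpec] = [
    FieldSpec("Organization", mandatory=True),
    FieldSpec("Country", custom_regex=r"[A-Z]{2}"),             # two-letter ISO code
    FieldSpec("Key Type", read_only=True, default="RSA"),       # fixed by the administrator
    FieldSpec("Hash Function", read_only=True, default="SHA-256"),
    FieldSpec("Validity Unit", mandatory=True),
    FieldSpec("Validity in Days", custom_regex=r"[1-9][0-9]{0,3}"),
    FieldSpec("Email Address", hide=True),
]


def validate_request(template: List[FieldSpec], submitted: Dict[str, str]):
    """Return (accepted_values, errors).

    Hidden fields are never taken from the request, read-only fields keep their
    default whatever the client sent, mandatory fields must be non-empty, and a
    customRegEx must match the whole value. Checking this on the server means a
    disabled or hidden form control cannot be bypassed by editing the request."""
    accepted: Dict[str, Optional[str]] = {}
    errors: List[str] = []
    for spec in template:
        value = submitted.get(spec.name)
        if spec.hide:
            continue
        if spec.read_only:
            if value not in (None, spec.default):
                errors.append(f"{spec.name}: read-only field cannot be changed")
            accepted[spec.name] = spec.default
            continue
        if not value:
            if spec.mandatory:
                errors.append(f"{spec.name}: mandatory field missing")
            elif spec.default is not None:
                accepted[spec.name] = spec.default
            continue
        if spec.custom_regex and not re.fullmatch(spec.custom_regex, value):
            errors.append(f"{spec.name}: value {value!r} fails validation")
            continue
        accepted[spec.name] = value
    unknown = set(submitted) - {spec.name for spec in template}
    errors.extend(f"{name}: not a template field" for name in sorted(unknown))
    return accepted, errors
```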

Setting Approval

The Approval step lets you manage the approval workflow that runs before the policy action executes. You can either enable auto-approval or define approval levels, as explained below.

Auto-Approval

  1. Enable the Auto Approve (Skip Approval) toggle button.
  2. Click Next.
    The fourth step, Pre Issuance Task page is displayed.

Adding New Approval Level

  1. Click + Add New Approval Level.
    The Configure Approval pop-up is displayed with the Approval Settings tab (selected by default) and the Email Template tab.
  2. From the Approval Settings tab, configure the Approval Settings based on the Approval Type radio button selection as described below.
    1. If the Approval Type = User Group, enter/select the fields in the table below.
      Field Description
      *Select User Group Select the User group(s) from the multi-select dropdown.
      *: Mandatory field
    2. If the Approval Type = User, enter/select the fields in the table below.
      Field Description
      *Select User Select the User(s) from the multi-select dropdown.
      *: Mandatory field
    3. If the Approval Type = Email, enter/select the fields in the table below.
      Field Description
      *Select Email Enter a valid email address. Use either comma-separated email IDs, or a single variable like ${template_email}.
      *: Mandatory field
    4. If the Approval Type = LDAP Manager, enter/select the fields in the table below. This option enables approval based on the manager information retrieved from the LDAP directory.
      Field Description
      *Select LDAP Server Specifies which LDAP server to connect to for fetching user and manager details. Choose an existing LDAP server from the dropdown list or enter the connection URL manually.
      *Customize LDAP Query Allows you to define or modify the LDAP query parameters used to identify the user and their manager. When enabled, the following additional fields appear to customize how LDAP attributes are queried.
      User Filter Attribute Defines the LDAP attribute used to locate the requesting user.
      User Return Attribute Specifies which LDAP attribute should be retrieved from the user’s record to identify their manager.
      Manager Filter Attribute Defines the LDAP attribute used to locate the manager’s record in LDAP.
      Manager Return Attribute Specifies which attribute value from the manager’s record should be returned and used as the approver’s identifier (For example: email address).
      *: Mandatory field
    5. In the Delivery Method section, select the values as follows:
      Field Description
      Notify Via The dropdown has the value Email selected by default.
    6. In the Advanced Options section, select the values as follows:
      Field Description
      Allow Resubmission Enable the toggle button to allow resubmission of the policy request. The button is disabled by default.
      Enable Comments Enable the toggle button to allow approvers to add comments to the policy request. The button is disabled by default.
      *: Mandatory field
  3. From the Email Template tab, enter/select the information as follows:
    Field Description
    Template Name Choose an email template to customize approval notifications.
    Email Templates Enable the toggle buttons to use any of the templates below:
    • Approval Request Template
    • Approval Confirmation Template
    • Approval Rejection Template

    To customize the email templates:

    1. Enable the toggle button of the respective email template.
    2. Click the arrow icon next to the toggle button to expand and display the email contents.
    3. Edit the Email Subject, CC (Carbon Copy), and Email Content.
      Note: Users can copy predefined variables (For example: ${user.firstName}, ${user.lastName}) from the option on the top-right of the pop-up. Variables can be inserted into text content and at runtime, they are replaced with actual values.
    *: Mandatory field
  4. Click Add.
    The Approval template is displayed with the Edit and Delete icons and the option to further Add New Approval levels.
  5. Click the Save Template dropdown next to the Approval header, then select Save as New to create a new template and save this configuration as a reusable template for future use.
    The Save as Template pop-up is displayed.
  6. Enter the Template Name and enter a template Description. (Template names can include alphanumeric and the - (dash), _ (underscore), and space special characters.)
  7. Click Save on the pop-up.
    The Approval level template is saved successfully.
  8. Click Next.
    The fourth step, the Pre Issuance Task page is displayed.
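As an added illustration of the LDAP Manager approval type above (not the product's own code), this Python resolves a requester to an approver with the two lookups the four attribute settings describe: locate the user, read the manager reference from the user record, locate the manager, and return the approver identifier. The in-memory directory and the small filter evaluator are constructed stand-ins for the selected LDAP server; RFC 4515 escaping of filter values is included so a requester identity is always matched literally, and any lookup that does not return exactly one record yields no approver.

```python
import re
from dataclasses import dataclass

# Constructed walk-through of the LDAP Manager approval type: the requester is
# found with the User Filter Attribute, the User Return Attribute on that record
# names the manager, the manager is found with the Manager Filter Attribute, and
# the Manager Return Attribute becomes the approver's identifier. The in-memory
# directory and the filter evaluator stand in for the selected LDAP server and
# are assumptions, not the product's code.

PEOPLE = "ou=people,dc=example,dc=test"
DIRECTORY = [  # constructed entries; "manager" holds a DN, as in Active Directory
    {"distinguishedName": [f"uid=asmith,{PEOPLE}"], "uid": ["asmith"],
     "mail": ["asmith@example.test"], "manager": [f"uid=bjones,{PEOPLE}"]},
    {"distinguishedName": [f"uid=bjones,{PEOPLE}"], "uid": ["bjones"],
     "mail": ["bjones@example.test"], "manager": []},
    {"distinguishedName": [f"uid=cwu,{PEOPLE}"], "uid": ["cwu"],
     "mail": ["cwu@example.test"], "manager": [f"uid=departed,{PEOPLE}"]},
]


@dataclass
class LdapManagerQuery:
    user_filter_attribute: str = "uid"                   # User Filter Attribute
    user_return_attribute: str = "manager"               # User Return Attribute
    manager_filter_attribute: str = "distinguishedName"  # Manager Filter Attribute
    manager_return_attribute: str = "mail"               # Manager Return Attribute


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so that * ( ) \\ and NUL inside a value are matched literally."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def equality_filter(attribute: str, value: str) -> str:
    """Build the (attribute=value) filter string that would be sent to the server."""
    return f"({attribute}={escape_filter_value(value)})"


def _search(filter_string: str):
    """Evaluate one (attr=pattern) filter the way a server would: an unescaped * is a wildcard."""
    attribute, pattern = re.fullmatch(r"\((\w+)=(.*)\)", filter_string).groups()

    def unescape(text: str) -> str:
        return re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), text)

    regex = ".*".join(re.escape(unescape(part)) for part in pattern.split("*"))
    return [e for e in DIRECTORY if any(re.fullmatch(regex, v) for v in e.get(attribute, []))]


def find_approver(q: LdapManagerQuery, requester: str):
    """Return (approver_identifier, reason); anything but exactly one hit per lookup yields None."""
    users = _search(equality_filter(q.user_filter_attribute, requester))
    if len(users) != 1:
        return None, f"expected exactly one user record, found {len(users)}"
    manager_refs = users[0].get(q.user_return_attribute, [])
    if not manager_refs:
        return None, f"user record has no {q.user_return_attribute} value"
    managers = _search(equality_filter(q.manager_filter_attribute, manager_refs[0]))
    if len(managers) != 1:
        return None, f"expected exactly one manager record, found {len(managers)}"
    values = managers[0].get(q.manager_return_attribute, [])
    if not values:
        return None, f"manager record has no {q.manager_return_attribute} value"
    return values[0], "ok"
```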

Configuring Pre Issuance Tasks

This is an optional fourth step that lets you configure tasks to execute before certificate issuance. A Task panel is available on the right with five tasks as follows:
  1. ITSM - Create a ServiceNow Change Request before the execution.
  2. Notifications
    1. Send Notification via Email - Send an email notification to the specified recipients.
    2. Send Notification via Slack - Send a notification to a Slack channel using the configured webhook URL.
  3. Hook Execution - Initiates the execution of the selected hook.
  4. Configure Change Window - Allows users to configure a change window during which the policy tasks should be executed.

ITSM - Create a ServiceNow Change Request

Enter the following fields to configure the ServiceNow Change Request.
Field Description
Configuration tab
Configuration tab - ServiceNow Instance
Configure ServiceNow Instance Select or configure the type of ServiceNow instance.
Configuration tab - Change Request Fields
Type Defines the type of ServiceNow request to be created (For example: Normal, Emergency, Standard). Select the value from the dropdown.
Priority Specifies the urgency level or importance of the change request. Select the value from the dropdown (1-Critical, 2-High, 3-Moderate, 4-Low).
Short Description A brief summary or title describing the purpose of the change request.
Description A detailed explanation of the change request, including context or justification.
Category Classifies the change under a specific functional or operational category.
Risk Select the potential risk level associated with implementing the change. Select the value from the dropdown (VeryHigh, High, Moderate, Low, None).
Impact Specifies the extent to which the change might affect users, services, or infrastructure. Select the value from the dropdown (1-High, 2-Medium, 3-Low).
Urgency Reflects how quickly the change needs to be addressed or implemented. Select the value from the dropdown (1-High, 2-Medium, 3-Low).
Assignment Group The ServiceNow group responsible for reviewing and implementing the change.
CAB Required Specifies whether the change requires approval from the Change Advisory Board (CAB). Select value True or False.
Wait for State Change Determines whether AppViewX should pause workflow execution until the ServiceNow change request reaches a specific state. Select value True or False.
General Settings tab (Configure general execution settings for this task)
Continue On Failure Determines whether the policy execution should complete even after the task fails. The toggle button is disabled by default.
*: Mandatory field
Note: Users can copy predefined variables (e.g., ${user.firstName}, ${user.lastName}) from the option on the top-right of the pop-up. Variables can be inserted into text content and at runtime, they are replaced with actual values.

Notifications - Send Notification via Email

Enter the following fields to set up notifications for Email or Slack.
Field Description
Configuration tab
*Recipient Type Select one or more of the following:
  • User Group
  • User
  • Email
*User Group This field is enabled when Recipient Type = User Group. Select single or multiple user groups.
*User This field is enabled when Recipient Type = User. Select single or multiple users.
*Email This field is enabled when Recipient Type = Email. Enter a valid email address. Use either comma-separated email IDs, or a single variable like ${template_email}.
*Template Name Select the email template name.
*Email Subject This field is enabled when Notify Via = Email. Enter the subject for the email. Use the Variables option to add database values as variables.
*Message Content Enter the message content for the email or Slack. Use the Variables option to add database values as variables.
General Settings tab (Configure general execution settings for this task)
Continue On Failure Determines whether the policy execution should complete even after the task fails. The toggle button is disabled by default.
*: Mandatory field
Note: Users can copy predefined variables (e.g., ${user.firstName}, ${user.lastName}) from the option on the top-right of the pop-up. Variables can be inserted into text content and at runtime, they are replaced with actual values.

Notifications - Send Notification via Slack

Enter the following fields to set up notifications for Slack.
Field Description
Configuration tab
*Slack Channel This field is enabled when Notify Via = Slack. Select the Slack channel.
*Message Content Enter the message content for the email or Slack. Use the Variables option to add database values as variables.
General Settings tab (Configure general execution settings for this task)
Continue On Failure Determines whether the policy execution should complete even after the task fails. The toggle button is disabled by default.
*: Mandatory field
Note: Users can copy predefined variables (e.g., ${user.firstName}, ${user.lastName}) from the option on the top-right of the pop-up. Variables can be inserted into text content and at runtime, they are replaced with actual values.

Hook Execution

Enter the following fields to configure the hooks.
Field Description
Configuration tab
Configuration tab - Hook (Select a hook from the available inventory that you want to execute.)
Task Name Displays the default name of the task (Hook Execution). You can rename it if needed for clarity in the workflow.
Select Hook Choose the specific hook (script or API integration) to be executed within the workflow.
Configuration tab - Expose Variables
Do you want to expose hook response as variables for following tasks? Toggle this option to expose the hook’s response as variables for use in subsequent workflow tasks. Enables or disables the ability to pass hook output values as input variables to later tasks in the workflow.
Output Variable Mapping Map output variables from the hook response to custom keys for easier reference in subsequent tasks. Paste the expected JSON response from the hook to view and select available variables. Fields:
  • Variable Key: Enter a custom key name for the variable.
  • Output Variable: Select the output variable path from the JSON response (options include $.output, $.path, $.type).
To add variables, click the button.
Expected Response Format Paste a sample JSON response from the hook in the output {} section. This helps AppViewX identify available response parameters for variable mapping and validation.
General Settings tab (Configure general execution settings for this task)
Continue On Failure Determines whether the policy execution should complete even after the task fails. The toggle button is disabled by default.
*: Mandatory field
Note: Users can copy predefined variables (e.g., ${user.firstName}, ${user.lastName}) from the option on the top-right of the pop-up. Variables can be inserted into text content and at runtime, they are replaced with actual values.
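The following added Python example (not AppViewX code) shows how an Output Variable Mapping of the kind described above resolves paths such as $.output or $.path against a pasted sample response, how the selectable paths are enumerated, and how the ${variable} placeholders mentioned in the Note are replaced at runtime. The sample response, the path grammar ($.key.sub[0]) and the rule that unknown placeholders are left untouched are assumptions.

```python
import json
import re

# Constructed example for the Hook Execution "Output Variable Mapping" and for
# the ${variable} placeholders used in message content. The path grammar
# ($.key.sub[0]) and the placeholder rules are assumptions; the product's own
# implementation is not shown on the page.

# Constructed sample, as it might be pasted into Expected Response Format.
SAMPLE_RESPONSE = json.loads("""
{
  "output": {"status": "ok", "serial": "0A1B2C",
             "sans": ["web01.example.test", "web02.example.test"]},
  "path": "/var/tmp/hook-42.log",
  "type": "script"
}
""")

_SEGMENT = re.compile(r"\.([A-Za-z_][A-Za-z0-9_]*)|\[(\d+)\]")
_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_.]*)\}")


def select_path(doc, path: str):
    """Resolve a $.a.b[0] style Output Variable path against a parsed JSON document."""
    if not path.startswith("$"):
        raise ValueError("output variable paths must start with $")
    pos, node = 1, doc
    while pos < len(path):
        match = _SEGMENT.match(path, pos)
        if not match:
            raise ValueError(f"bad path segment at {path[pos:]!r}")
        key, index = match.groups()
        node = node[key] if key is not None else node[int(index)]
        pos = match.end()
    return node


def list_paths(doc, prefix: str = "$"):
    """Enumerate every leaf path in a sample response (the choices the UI would offer)."""
    if isinstance(doc, dict):
        return [p for k, v in doc.items() for p in list_paths(v, f"{prefix}.{k}")]
    if isinstance(doc, list):
        return [p for i, v in enumerate(doc) for p in list_paths(v, f"{prefix}[{i}]")]
    return [prefix]


def map_output_variables(response, mapping):
    """mapping is {Variable Key: Output Variable path}; returns {Variable Key: value}."""
    return {key: select_path(response, path) for key, path in mapping.items()}


def render(text: str, variables) -> str:
    """Replace ${name} placeholders at runtime; unknown names stay as written."""
    def substitute(match):
        name = match.group(1)
        return str(variables[name]) if name in variables else match.group(0)
    return _PLACEHOLDER.sub(substitute, text)
```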

Configuring Change Window

This page allows users to define a specific change window, that is, a scheduled timeframe during which policy-related tasks can be executed.

Field Description
Configuration tab
Change Window Configuration Configure when policy changes are allowed to run. Use the Preview Windows option to visualize the scheduled change windows based on the selected configuration.
*Mode Selection Choose the frequency or recurrence pattern for the change window. The options available are as follows:
  • Daily: Executes policy tasks during the defined window each day.
  • Weekly: Executes tasks on specific days of the week.
  • Monthly: Executes tasks on specified dates or weeks within a month.
  • User Defined: Allows users to define a custom schedule or window duration.
Daily Schedule Settings This section is enabled when Mode Selection = Daily.
Enter the values in the following fields:
  • *Start Time (HH:MM)
  • *End Time (HH:MM)
Weekly Schedule Settings This section is enabled when Mode Selection = Weekly.
Enter the values in the following fields:
  • *Day of the Week - (select Monday, Tuesday etc.)
  • End Day of Week (Optional) (select Monday, Tuesday etc.)
  • *Start Time (HH:MM)
  • *End Time (HH:MM)
Monthly Schedule Settings This section is enabled when Mode Selection = Monthly.
Enter the values in the following fields:
  • *Day of the Month - (select date between 1-31)
  • End Day of Month (Optional) (select date between 1-31)
  • *Start Time (HH:MM)
  • *End Time (HH:MM)
Custom Date & Time This section is enabled when Mode Selection = User Defined.
Enter the values in the following fields:
  • *Explicit Start Time (YYYY-MM-DDTHH:MM:SSZ)
  • *Explicit End Time (YYYY-MM-DDTHH:MM:SSZ)
*Missed Window Policy Determines the system behavior if a task misses its scheduled change window. Options include:
  • Run Next Window: The task will automatically run during the next available window.
  • Skip: The missed task will be skipped without execution.
  • Fail Immediately: The task will fail immediately if it cannot execute within the defined window.
Allow Override Enables authorized users or groups to allow execution outside the defined change window.
Override Type This field is enabled when the Allow Override toggle is enabled. Select from User Group or User.
User Group This field is enabled when the Allow Override toggle is enabled and Override Type = User Group. Select the User Group from the dropdown.
User This field is enabled when the Allow Override toggle is enabled and Override Type = User. Select the User from the dropdown.

General Settings tab (Configure general execution settings for this task)
Continue On Failure Determines whether the policy execution should complete even after the task fails. The toggle button is disabled by default.
*: Mandatory field
Note: Users can copy predefined variables (e.g., ${user.firstName}, ${user.lastName}) from the option on the top-right of the pop-up. Variables can be inserted into text content and at runtime, they are replaced with actual values.
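Added example, not the product's scheduler: a Python model of the four Mode Selection options and the Missed Window Policy described above, used to decide whether a task may run at a given time and, for Run Next Window, when the next window opens. The rules that an end time at or before the start crosses midnight and that a Day of the Month beyond the month's length is clamped are assumptions, and all times are treated as UTC.

```python
import calendar
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from typing import Optional

# Constructed model of the Change Window task: the Daily, Weekly, Monthly and
# User Defined modes plus the Missed Window Policy. Field names follow the page;
# the evaluation rules are assumptions, not the product's scheduler. All clock
# values are treated as UTC.
DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
UTC = timezone.utc


@dataclass
class ChangeWindow:
    mode: str                                # Mode Selection
    start_time: str = "00:00"                # *Start Time (HH:MM)
    end_time: str = "00:00"                  # *End Time (HH:MM)
    day_of_week: Optional[str] = None        # Weekly: *Day of the Week
    end_day_of_week: Optional[str] = None    # Weekly: End Day of Week (Optional)
    day_of_month: Optional[int] = None       # Monthly: *Day of the Month (1-31)
    end_day_of_month: Optional[int] = None   # Monthly: End Day of Month (Optional)
    explicit_start: Optional[str] = None     # User Defined: YYYY-MM-DDTHH:MM:SSZ
    explicit_end: Optional[str] = None       # User Defined: YYYY-MM-DDTHH:MM:SSZ
    missed_window_policy: str = "Skip"       # Run Next Window | Skip | Fail Immediately


def parse_utc(value: str) -> datetime:
    """Parse the page's YYYY-MM-DDTHH:MM:SSZ format as a UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


def _bounds(w: ChangeWindow, start_day: date, end_day: date):
    """Concrete [start, end) of one occurrence of the window."""
    sh, sm = w.start_time.split(":")
    eh, em = w.end_time.split(":")
    start = datetime.combine(start_day, time(int(sh), int(sm)), UTC)
    end = datetime.combine(end_day, time(int(eh), int(em)), UTC)
    if end <= start:  # assumption: an end at or before the start crosses midnight
        end += timedelta(days=1)
    return start, end


def _month_day(first: date, dom: int) -> date:
    """Day `dom` of the month beginning at `first`, clamped to the month length (assumption)."""
    return first.replace(day=min(dom, calendar.monthrange(first.year, first.month)[1]))


def _shift_month(first: date, k: int) -> date:
    years, month0 = divmod(first.month - 1 + k, 12)
    return first.replace(year=first.year + years, month=month0 + 1, day=1)


def candidate_windows(w: ChangeWindow, now: datetime):
    """Concrete windows for the previous, current and next period around `now`."""
    if w.mode == "Daily":
        days = [now.date() + timedelta(days=k) for k in (-1, 0, 1)]
        return [_bounds(w, d, d) for d in days]
    if w.mode == "Weekly":
        monday = now.date() - timedelta(days=now.weekday())
        first = DAYS.index(w.day_of_week)
        last = DAYS.index(w.end_day_of_week) if w.end_day_of_week else first
        span = (last - first) % 7  # an end day earlier in the week wraps into the next week
        starts = [monday + timedelta(days=first + k) for k in (-7, 0, 7)]
        return [_bounds(w, s, s + timedelta(days=span)) for s in starts]
    if w.mode == "Monthly":
        out = []
        for k in (-1, 0, 1):
            first = _shift_month(now.date().replace(day=1), k)
            start_day = _month_day(first, w.day_of_month)
            end_day = _month_day(first, w.end_day_of_month) if w.end_day_of_month else start_day
            if end_day < start_day:  # end day earlier than start day: runs into the next month
                end_day = _month_day(_shift_month(first, 1), w.end_day_of_month)
            out.append(_bounds(w, start_day, end_day))
        return out
    if w.mode == "User Defined":
        return [(parse_utc(w.explicit_start), parse_utc(w.explicit_end))]
    raise ValueError(f"unknown Mode Selection: {w.mode}")


def evaluate(w: ChangeWindow, now: datetime):
    """Return (decision, next_start): RUN inside a window, else DEFER, SKIP or FAIL per policy."""
    windows = candidate_windows(w, now)
    if any(start <= now < end for start, end in windows):
        return "RUN", None
    if w.missed_window_policy == "Run Next Window":
        upcoming = [start for start, _ in windows if start > now]
        # no later occurrence (e.g. a User Defined window already past) is treated as a failure
        return ("DEFER", min(upcoming)) if upcoming else ("FAIL", None)
    if w.missed_window_policy == "Skip":
        return "SKIP", None
    return "FAIL", None  # Fail Immediately
```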

Certificate Enrollment

This is an optional fifth step where the certificate enrollment is handled automatically by the Internal API. You may proceed to the next step. There are no actions required on this page.
  • Click the Next button to move to the next step, Post-Onboarding.

Configuring Post Issuance Settings

The sixth step in the enroll certificate process is to configure tasks to execute after certificate issuance. These are additional tasks that run after the main action completes. The Task panel on the right has the following tasks to be configured:
  1. Send Notifications via Email (for details, see Notifications - Send Notification via Email above)
  2. Send Notifications via Slack (for details, see Notifications - Send Notification via Slack above)
  3. Email certificates in zip format (see the section below)
  4. Hook Execution (for details, see Hook Execution above)

Email Certificates in Zip Format

This task is used to configure an email containing the certificates packaged in a ZIP file to be sent to the requester.
Field Description
Configuration tab
*Certificate Type Select any of the following certificate types:
  • PEM (*.crt)
  • PEM (*.cer)
  • DER (*.crt)
  • DER (*.cer)
  • PKCS#7 Binary (*.p7b)
  • PKCS#7 PEM (*.p7b)
  • PKCS#12 (*.p12)
  • PKCS#12 (*.pfx)
  • JKS (*.jks)
Include Root and Intermediate This checkbox is enabled only for the following certificate types.
  • PEM (*.crt)
  • PEM (*.cer)
  • DER (*.der)
If the checkbox is selected, the certificate chain will be included and sent via email.
General Settings tab (Configure general execution settings for this task)
Continue On Failure Determines whether the policy execution should complete even after the task fails. The toggle button is disabled by default.
*: Mandatory field
Note: Users can copy predefined variables (e.g., ${user.firstName}, ${user.lastName}) from the option on the top-right of the pop-up. Variables can be inserted into text content and at runtime, they are replaced with actual values.

Configuring Event Notifications

The final step in the enroll certificate process is to send email notifications to users, groups, or external recipients on certificate enrollment lifecycle events.
  1. Certificate Request Initiated (Event triggered when a new certificate request is initiated.)
  2. Certificate Request Submitted To CA
  3. Certificate Request Approved By CA

To configure any of the above emails:

  1. From the notification panel on the right, click the specific email to be configured.
    The <email_name> pop-up is displayed.
    Note: All the email templates have the same fields; see the table below to configure any of the emails.
  2. Enter the following details in the email configuration pop-up.
    Field Description
    *Notify Via Select from the following:
    • Email
    • Slack
    *Recipient Type This field is enabled when Notify Via = Email. Select one or more of the following:
    • User Group
    • User
    • Email
    *Slack Channel This field is enabled when Notify Via = Slack. Select the Slack channel.
    *User Group This field is enabled when Notify Via = Email and Recipient Type = User Group. Select single or multiple user groups.
    *User This field is enabled when Notify Via = Email and Recipient Type = User. Select single or multiple users.
    *Email This field is enabled when Notify Via = Email and Recipient Type = User Email. Enter a valid email address. Use either comma-separated email IDs, or a single variable like ${template_email}.
    *Template Name This field is enabled when Notify Via = Email. Select the email template name.
    *Email Subject This field is enabled when Notify Via = Email. Enter the subject for the email. Use the Variables option to add database values as variables.
    *Message Content Enter the message content for the email or Slack. Use the Variables option to add database values as variables.
    *: Mandatory field
    Note: Users can copy predefined variables (e.g., ${user.firstName}, ${user.lastName}) from the option on the top-right of the pop-up. Variables can be inserted into text content and at runtime, they are replaced with actual values.
  3. Click Add.
    The email templates are created successfully.
  4. Click Finish at the bottom of the screen to complete the enroll certificate policy creation.