CPS-Driven Certificate Policy Creation
AppViewX PKI now enables administrators to upload a CPS (Certification Practice Statement) PDF, automatically parse its contents using an AI framework (AWS Bedrock), review the extracted cryptographic and validity parameters, and generate a production-ready CLM Certificate Policy. This eliminates manual re-entry and reduces the risk of misconfiguration.
This workflow consists of three sequential phases:
- Phase 1: Upload and parse the CPS document.
- Phase 2: Review and approve the AI-extracted parameter values.
- Phase 3: Generate the CLM Certificate Policy from approved inputs.
Restriction: AI-powered CPS parsing is available on SaaS deployments only. On-premises and Managed Kubernetes environments support CPS document upload and storage, but do not perform AI-driven extraction.
Before you begin:
- AppViewX CLM Native PKI must be configured with an active Native CA.
- ACF (AppViewX Certificate Framework) must be enabled for the tenant.
- You must have Settings - Add/Modify RBAC permission.
- The CPS document must be in PDF format and must not exceed 4 MB.
- You are working in a SaaS deployment.
Phase 1: Upload and Parse the CPS Document
- Go to and open the Native CA configuration entry.
- Locate the CPS Document section and click Upload CPS Document.
- Select a PDF file (maximum 4 MB) and click Upload.
  The platform processes the document through the following stages:
  - Reading the PDF content.
  - Parsing and identifying policy-relevant sections (Sections 6.x and 7.x).
  - Sending extracted text to the AWS Bedrock AI framework.
  - Receiving and structuring the parsed parameter output.
  Important: The parsing process is synchronous. Do not navigate away while processing is in progress. If the AI service fails, a notification is displayed; re-upload the document to retry.
  Restriction: A maximum of 10 CPS uploads with AI parsing are permitted per tenant per calendar day. An 11th upload attempt displays a "daily limit reached" message and the upload is blocked.
- Confirm that the success banner is displayed indicating that upload and parsing are complete.
Phase 2: Review and Approve Extracted Parameters
- In the Review & Approve interface, examine the parameters extracted from the CPS document.
  Parameters are grouped into three sections:

  | Section | Mandatory | Description |
  |---|---|---|
  | Key Parameters | Yes | Validity period, key algorithm, bit length, hash algorithm, ECC curves. All must be approved before Generate Policy is enabled. |
  | Certificate Parameters | No | CSR fields (Common Name, Organization, SAN, etc.). Not auto-parsed; must be filled in manually. Can be approved, rejected, or left blank. |
  | CA Settings | Yes | CA account, issuer name, and group selection. Completed in the policy creation form. |

- For each mandatory parameter in the Key Parameters and Validity Period sections, perform one of the following actions:
  - Click Approve to accept the extracted value.
  - Click Modify to edit the value inline, then click Save to update it, and click Approve.
  Note: Mandatory fields cannot be rejected. The Reject option is not available for Key Parameters or Validity Period.
- For optional Certificate Parameters, enter values as needed and click Approve, or click Reject to exclude the parameter from the policy.
  Note: If a certificate parameter has no parsed value and you do not enter one, leave it without an action. It will not be included in the generated policy.
- Optional: To approve all parameters at once, click Approve All.
- Optional: To discard the current AI output and start over, click Start Over.
  CAUTION: Start Over discards all review decisions. You must re-upload the CPS document to begin a new extraction.
- Verify that the review summary confirms all mandatory fields have been reviewed and that the Generate Policy button is now active.
  Note: If the Generate Policy button is still disabled, hover over it. The tooltip reads: "Please approve or reject all the pending extracted values." Locate and action the remaining pending mandatory fields.
Phase 3: Generate the Certificate Policy
- In the CA Settings section, select the CA Account, Issuer Name, and assign a Group.
  Note: Only groups that are not already associated with another policy are listed in the Group dropdown.
- Enter a Policy Name.
- Click Generate Policy.
  The system:
  - Creates a CLM Certificate Policy using all approved inputs.
  - Populates any missing fields with system default values.
  - Associates the policy with the selected Native CA.
  Important: If mandatory policy parameters are absent from the approved inputs, policy creation is blocked. The system prompts you to supply the missing values before proceeding.
- After successful creation, perform one of the following actions:
  - Click View Policy to open and optionally edit the generated policy.
  - Click Download CPS to save the source CPS PDF for reference.
  - Click Upload Another CPS to begin a new CPS upload and parsing cycle.
- Review the generated policy in CLM to verify all parameter values are correct.
- Modify or extend the policy as needed using the Modify button on the policy page.
- Assign the policy to the appropriate certificate templates or workflows.
Troubleshoot CPS upload and policy generation issues
| Issue | Resolution |
|---|---|
| Upload fails with "Invalid file type" | Ensure the document is in PDF format. Other file types are not accepted. |
| Upload fails with "File exceeds maximum size" | Reduce the PDF file size to 4 MB or below before uploading. |
| "Daily upload limit reached" message | The tenant has reached the 10-upload daily limit for AI parsing. Wait until the next day to upload again. |
| AI parsing fails or returns no values | The AI service encountered an error or could not extract parameters. A notification is displayed. Re-upload the document or contact support if the issue persists. |
| Generate Policy button remains disabled | One or more mandatory Key Parameter or Validity Period fields are still in Pending status. Hover over the button to see the tooltip, then approve or modify the remaining fields. |
| A previously selected CA is no longer in the dropdown | The CA may have been decommissioned or its metadata is unavailable. Contact your PKI administrator. |
| CPS parsing produces unexpected or incorrect values | AI parsing is best-effort. Review each extracted value carefully and use the Modify action to correct any inaccurate values before approving. |
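
Because AI parsing is best-effort, a reviewer can pre-check the extracted Key Parameters against the organisation's cryptographic baseline before clicking Approve. The following is an added example, not AppViewX code: the field names, the `BASELINE` thresholds and the `SAMPLE` values are assumptions constructed for illustration.

```python
import re

# Assumed organisational baseline; replace with the values your own policy mandates.
BASELINE = {"rsa_min_bits": 2048, "hashes": {"SHA256", "SHA384", "SHA512"},
            "curves": {"P-256", "P-384", "P-521"}, "max_validity_days": 398}
CURVE_ALIASES = {"secp256r1": "P-256", "prime256v1": "P-256",
                 "secp384r1": "P-384", "secp521r1": "P-521"}
UNIT_DAYS = {"day": 1, "month": 30, "year": 365}

def validity_days(text):
    """Convert '2 years' / '398 days' to days; None when the text cannot be parsed."""
    m = re.fullmatch(r"\s*(\d+)\s*(day|month|year)s?\s*", str(text).lower())
    return int(m.group(1)) * UNIT_DAYS[m.group(2)] if m else None

def review(extracted):
    """Return (field, reason) pairs for values to correct with Modify before approving."""
    findings = []
    algo = str(extracted.get("key_algorithm", "")).strip().upper()
    if algo == "RSA":
        bits = str(extracted.get("bit_length", "")).strip()
        if not bits.isdigit():
            findings.append(("bit_length", "not a number; check the CPS text"))
        elif int(bits) < BASELINE["rsa_min_bits"]:
            findings.append(("bit_length", f"{bits} is below the baseline"))
    elif algo in ("EC", "ECC", "ECDSA"):
        curves = extracted.get("ecc_curves") or []
        if not curves:
            findings.append(("ecc_curves", "no curve extracted"))
        for curve in curves:
            name = CURVE_ALIASES.get(curve.strip().lower(), curve.strip().upper())
            if name not in BASELINE["curves"]:
                findings.append(("ecc_curves", f"{curve} is not in the baseline"))
    else:
        findings.append(("key_algorithm", f"unrecognised value {algo!r}"))
    digest = re.sub(r"[-_\s]", "", str(extracted.get("hash_algorithm", ""))).upper()
    if digest not in BASELINE["hashes"]:
        findings.append(("hash_algorithm", f"{digest or 'empty'} is not in the baseline"))
    days = validity_days(extracted.get("validity_period", ""))
    if days is None:
        findings.append(("validity_period", "unparseable; check the CPS text"))
    elif days > BASELINE["max_validity_days"]:
        findings.append(("validity_period", f"{days} days exceeds the baseline"))
    return findings

# Constructed sample values, as a reviewer might transcribe them from the review screen.
SAMPLE = {"key_algorithm": "RSA", "bit_length": "1024",
          "hash_algorithm": "SHA-1", "validity_period": "2 years"}

if __name__ == "__main__":
    for field, reason in review(SAMPLE):
        print(f"{field}: {reason}")
```

An empty result means the transcribed values meet the assumed baseline; it does not confirm that they match the CPS text, which still has to be checked by reading Sections 6.x and 7.x.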
