When to Use Approvals
Separation of duties
Different people must request and approve certificate issuance.
Sensitive certificates
Production or customer-facing certificates need additional review.
Compliance requirements
Regulatory frameworks require documented approval before issuance.
Prevent unauthorized issuance
Ensure certificates are only issued after proper validation.
For fully automated workloads (e.g., using Infisical Agent), enable the machine identity bypass option so automated systems can issue certificates without waiting for approval.
How Approval Policies Work
An approval policy defines the workflow that must be completed before certificates are issued. Policies are configured per Application and can be scoped to specific profiles attached to that Application. When a certificate request is made through an enrollment method:- Request enters pending state
- Approvers receive an in-app notification and an email with a link to the request (if configured)
- Each approval step must be completed in sequence
- Once all steps are approved, the certificate is issued
Create an Approval Policy
In your Application, go to the Settings tab and find the Approval Policies section. Click Create Policy.1
Configure basic settings
2
Configure approval steps
Each step defines who can approve and how many approvals are required:
Example multi-step workflow:
- Team Lead Review — Requires 1 approval from team leads
- Security Review — Requires 2 approvals from security team
3
Review and create
Review your configuration and click Create.
Managing Approval Requests
View Requests
In the Certificate Manager sidebar, go to Approval Requests to see all pending and completed requests:Approve a Request
1
Open the request
Click on a pending request to view details.
2
Review certificate details
Verify the request information:
- Requester name and email
- Certificate profile
- Common name and SANs
- Key usages and validity period
3
Approve
If you’re an eligible approver for the current step, click Approve.
Reject a Request
1
Open the request
Click on a pending request.
2
Reject with reason
Click Reject and optionally add a comment explaining why.
FAQ
I approved a request but the certificate wasn't issued
I approved a request but the certificate wasn't issued
If the policy has multiple steps, your approval may have completed only one step. The certificate is issued only after all approval steps are completed. Check the request details to see which step is currently pending.
Can I use approvals with ACME or EST?
Can I use approvals with ACME or EST?
Yes, approval policies work with any enrollment method. However, automated clients like Certbot typically can’t wait for human approval. Consider using the machine identity bypass for automated workloads.
What happens when a request expires?
What happens when a request expires?
The request moves to Expired status and no certificate is issued. The requester must submit a new request.
Can requesters approve their own requests?
Can requesters approve their own requests?
By default, yes — if they’re listed as an eligible approver. For separation of duties, configure approver groups that exclude potential requesters.