Automating Public Certificate Creation and Domain Validation with AppViewX

Procuring certificates in an organization always involves multiple teams. Some teams need SSL certificates deployed on their servers, applications, EKS clusters, and more. Other teams are in charge of evaluating the request and creating the CSRs, or of procuring the certificates once the CSRs have been obtained. To add to the complexity, yet other teams are responsible for financial approval and for domain validation when certificates are requested. Because so many teams are involved, the time required to obtain a certificate increases.

This article addresses this scenario, which is found in most organizations, by automating the process with AppViewX CERT+. In this illustration we consider public certificates issued by ACM (AWS Certificate Manager), with DCV (Domain Control Validation) performed through DNS records hosted on Cloudflare.

Let us break down the entire process and see how AppViewX CERT+ optimizes it and eliminates many of the manual steps otherwise required of security and network administrators.

The certificate can be requested by disparate teams. AppViewX CERT+ provides single-pane-of-glass visibility, so multiple teams can log in and request a certificate. In this example, AppViewX CERT+ uses a VW (Workflow) in which the user provides the necessary details (Common Name, SAN, etc.) as input in a form. RBAC (Role Based Access Control) gives granular control over who can access different features of the product, so that features are visible only to certain users/teams.

The requester submits the VW, and it then moves to the approval palette. When this feature is included, administrators are notified that there is a request for a certificate. Note that the approval palette can also send an email to administrators about the new request, and the email can include an option to approve or reject the request.

If the VW is approved, the same VW request moves forward, communicates with ACM and requests a certificate. This is where the AppViewX CERT+ automation takes charge and eliminates manual intervention: nobody needs to log in to the AWS console and create the SSL certificate request. All the administrator did was approve the request.

AppViewX CERT+ then records the CNAME values used for DCV (the DNS method recommended by AWS). Once the CNAME values are fetched, AppViewX CERT+ creates the record on Cloudflare. It is imperative to note that requesting the certificate on AWS and submitting the CNAME value to Cloudflare is done in a matter of minutes, whereas doing the same manually across different teams could take days.

Once the record is published, the AppViewX CERT+ VW goes into a waiting state until ACM performs the DCV and issues the certificate. When ACM issues the certificate, AppViewX CERT+ onboards it into its inventory.
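The fetch-CNAME, publish-on-Cloudflare, wait-for-issuance steps above, as an added example that is not AppViewX code: a pure-Python helper that turns ACM's DescribeCertificate response into the Cloudflare DNS-record payloads the workflow would create, refusing names outside the managed zone and collapsing the identical record ACM returns for a base domain and its wildcard. The ACM response is a constructed sample; in a real run it would come from boto3's `describe_certificate` and the payloads would be posted to Cloudflare's DNS records API.

```python
from typing import Dict, List


def _acm_option(domain: str, name: str, value: str) -> Dict:
    """Shape of one entry in ACM's DomainValidationOptions (constructed sample)."""
    return {"DomainName": domain,
            "ResourceRecord": {"Name": name, "Type": "CNAME", "Value": value}}


# Constructed DescribeCertificate response; ACM hands back an identical CNAME
# for a base domain and its wildcard, so the workflow must not create it twice.
SAMPLE_ACM_RESPONSE = {"Certificate": {
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [
        _acm_option("app.example.com", "_abc123.app.example.com.",
                    "_def456.acm-validations.aws."),
        _acm_option("*.app.example.com", "_abc123.app.example.com.",
                    "_def456.acm-validations.aws."),
    ]}}


def dcv_records_for_cloudflare(acm_response: Dict, zone: str) -> List[Dict]:
    """Return the Cloudflare records to create for ACM's DNS validation: only
    names inside `zone` (never write into a zone you do not manage), only
    CNAMEs, and each distinct record once."""
    zone = zone.rstrip(".").lower()
    seen, payloads = set(), []
    for opt in acm_response["Certificate"]["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord")
        if rr is None:          # ACM has not produced the record yet: retry later
            continue
        if rr["Type"] != "CNAME":
            raise ValueError(f"unexpected validation record type {rr['Type']}")
        name = rr["Name"].rstrip(".").lower()
        if name != zone and not name.endswith("." + zone):
            raise ValueError(f"{name} is outside managed zone {zone}")
        key = (name, rr["Value"].rstrip(".").lower())
        if key in seen:
            continue
        seen.add(key)
        # Cloudflare's DNS record API takes type/name/content; ttl 1 = automatic
        payloads.append({"type": "CNAME", "name": name, "content": key[1], "ttl": 1})
    return payloads


def certificate_issued(acm_response: Dict) -> bool:
    """True once ACM has completed DCV; the workflow polls until this holds."""
    return acm_response["Certificate"]["Status"] == "ISSUED"
```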

The certificate can then be downloaded or the VW can even email the certificate to the requester’s email address or the team’s email address.

The whole process is now automated, and administrators are only responsible for approving or rejecting the request. This decreases the time required to procure a new certificate and also encourages SSL adoption in an organization, which is essential these days for ensuring security.
