CA Access Policies

This section describes the robust CA Access Policy management feature, which allows administrators to define granular rules for controlling who can request certificates from a specific Certificate Authority, under what conditions, and with what approval workflow. This is a critical component for enforcing security, compliance, and automation within the PKI.

Key Functionalities

Policy Listing

Endpoint: /ca/{ca}/policies
Description: Displays a paginated list of all access policies associated with a particular Certificate Authority.
Ordering: Policies are displayed in ascending order of their priority.

Policy Creation

Endpoints:
- GET /ca/{ca}/policies/create: Displays the form for creating a new CA access policy.
- POST /ca/{ca}/policies: Submits data to create a new policy.
Comprehensive Configuration: Policies can be configured with a wide array of rules and settings, including:
- Basic Information: name (required, max 255 chars), priority (required integer 1-1000), approval_type (required: automatic, manual, workflow).
- Access Controls:
  - allowed_ips: Array of IP addresses or CIDR blocks (e.g., 192.168.1.0/24).
  - allowed_domains: Array of email domains (e.g., @example.com).
  - allowed_users: Array of specific email addresses.
  - blocked_users: Array of specific email addresses.
- OAuth Integration:
  - require_oauth: Boolean to enforce OAuth authentication.
  - oauth_provider: microsoft, google, okta, custom.
  - oauth_tenant_id, oauth_client_id.
  - oauth_required_groups: Array of group names required for access.
  - oauth_require_device_compliance: Boolean (provider-dependent).
  - Provider-specific settings (e.g., oauth_domain, oauth_workspace_only for Google; oauth_okta_domain for Okta).
- Time-based Controls:
  - allowed_hours_start, allowed_hours_end (HH:mm format), with an optional timezone.
  - allowed_days: Array of integers (1-7, Monday=1) for allowed days of the week.
  - valid_from, valid_until: Date range for the policy's active period.
- Rate Limiting:
  - max_certificates_per_hour: Maximum certificates per hour under this policy.
  - max_certificates_per_day: Maximum certificates per day under this policy.
  - max_certificates_per_user_per_day: Maximum certificates per user per day under this policy.
  - max_certificate_validity_days: Maximum validity in days for certificates issued under this policy (1-3650 days).
- Workflow Settings:
  - approval_workflow: (Array, details for complex workflows).
  - require_justification: Boolean to require a justification for certificate requests.
  - notify_on_issue: Boolean to send notifications upon certificate issuance.
  - notification_emails: Array of email addresses to notify.
- Certificate Template Defaults:
  - default_key_size: Default key size (e.g., 2048).
  - default_hash_algorithm: Default hash algorithm (e.g., sha256withRSAEncryption).
  - default_validity_days: Default validity in days (capped by max_certificate_validity_days).
Audit Logging: Records policy creation events.

Policy Details

Endpoint: /ca/{ca}/policies/{policy}
Description: Displays detailed information about a specific CA access policy.

Policy Updates

Endpoints:
- GET /ca/{ca}/policies/{policy}/edit: Displays the form for editing an existing policy.
- PUT/PATCH /ca/{ca}/policies/{policy}: Submits data to update a policy.
Audit Logging: Records policy update events, including both old_values and new_values for comprehensive auditing.

Policy Deletion

Endpoint: DELETE /ca/{ca}/policies/{policy}
Description: Deletes a specific CA access policy.
Audit Logging: Records policy deletion events.

Toggle Policy Status

Endpoint: POST /ca/{ca}/policies/{policy}/toggle
Description: Activates or deactivates an access policy (is_active flag).
Audit Logging: Records policy activation/deactivation events.

Policy Testing

Endpoint: POST /ca/{ca}/policies/{policy}/test
Description: Provides a simulation tool to test the effectiveness of a policy's rules against various inputs.
Test Inputs: Allows testing with test_ip, test_email, and test_time (for time-based rules).
Results: Returns simulated results for ip_access, user_access, time_access, and rate_limits checks.

Inferred Specifications

Granular Access Control: Policies enable highly granular control over certificate issuance, based on a combination of IP addresses, user identities, email domains, OAuth attributes, and time constraints.
Policy Prioritization: The priority field allows administrators to define the order in which policies are evaluated, enabling complex rule sets with fallback mechanisms.
Flexible Approval Workflows: Support for automatic, manual, and workflow approval types provides adaptability to different organizational security requirements.
OAuth Integration: Deep integration with OAuth providers (Microsoft, Google, Okta) allows leveraging existing identity management systems for authentication and authorization, including group membership and device compliance checks.
Time-Based Restrictions: Policies can enforce time-of-day and day-of-week restrictions, as well as overall validity periods, for certificate requests.
Rate Limiting: Built-in rate-limiting capabilities prevent abuse and ensure fair resource utilization for certificate issuance.
Customizable Certificate Templates: Policies can define default cryptographic parameters (key size, hash algorithm) and validity periods for certificates issued under them, ensuring consistency and adherence to standards.
Comprehensive Audit Trail: All lifecycle events of CA access policies (creation, updates, deletions, status changes) are meticulously logged, providing a complete audit trail for compliance and security analysis.
Policy Simulation: The integrated policy testing tool allows administrators to validate policy rules before deployment, reducing errors and ensuring desired behavior.
Middleware Protection: The controller itself is protected by authentication and permission middleware, ensuring that only authorized personnel can manage CA access policies.