Policies for Workload Identity Manager
A policy is a set of rules that constrain how Workload Identity Manager issues certificates. For example, a rule can require a specific key type or restrict which SANs a certificate can contain. Workload Identity Manager enforces these rules at issuance time, so only certificates that match the policy are issued.
Before creating policies, create a subordinate CA provider.
Constrain policy fields in Production
A policy field set to Optional with no allowed values will accept any value a client requests. In Production, this means an authorized client could obtain a certificate with any identity, including those from other tenants or services.
To prevent this, constrain fields in your Production policies as follows:
- In the Common Name and DNS SAN fields, use Required or Locked with explicit allowed values.
- In any SAN fields your workloads do not need, use Forbidden.
- Only use Optional for development and testing.
See field types for details on each setting.
To create a policy
Create your policy to specify the rules with which end entities must comply.
- Sign in to Certificate Manager - SaaS.
- Click Policies > Workload Issuance Policies.
- On the Policies page, click New.
- Enter a Name for your new policy.
- Specify a Client Cert Validity.
- If the Workload Identity Manager client specifies a validity in its request, this value is the maximum that will be allowed; a lower value in the request is accepted.
- If the Workload Identity Manager client doesn't specify a validity, this value will be used.
- Specify the Subject and Subject Alternative Names (SAN), which are used as the rules with which end entities must comply. The input fields accept both literal strings and regular expressions.
The Subject and SAN fields are standard TLS certificate fields. The Subject identifies the owner of the certificate. The SAN fields restrict how the certificate can be used; if it is used in a way not listed on the SANs, it won't be trusted.
What's a type?
Types are how Workload Identity Manager determines whether or not a specific CSR is valid.
- Ignored. Use for properties that you don't want to appear in the issued certificate (whether requested or not).
- Forbidden. Use for properties that you don't want included in the CSR.
- Optional. Use for properties that you want included in the issued certificate; the property appears there as long as it complies with policy. The request fails for properties that are requested but don't comply with policy. Also, if a property is not present in the request, the policy's Default Value appears in the issued certificate (does not apply to CN or SANs).
- Required. Use to require that a field be specified in the CSR.
- Locked. Use to prevent users from changing the common name you specify, and to prevent adding additional common names.
How do I use Default Value for subjects?
- If the type is Optional, the Default Value determines what is entered on the CSR if nothing is included in the request.
- If the type is Locked, the Default Value is the only valid value and cannot be changed by a request.
Using regular expressions
The Subject and SAN fields accept both literal strings and regular expressions. To enter a regular expression value, you must prefix it with the caret `^` symbol and always append the `$` symbol at the end. If you require a suffix, you can always use `.*$`.
Some examples of common uses
- Common Name (CN) example that allows all subdomains of acme.com: `^(?:\.|(?:[A-Za-z0-9-]+\.)*)acme\.com$`
- DNS (SAN) example that allows all subdomains except wildcards for acme.com: `^[a-zA-Z0-9_-]+[.]acme[.]com$`
- IP Addresses (SAN) example that ensures the value complies with RFC 1918 (IPv4 private address): `^(?:10(?:\.\d{1,3}){3}|172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2}|192\.168(?:\.\d{1,3}){2})$`
- URI (SAN) example that allows any subdomain of acme.com that starts with https://, ldaps://, or spiffe://: `^(https|ldaps|spiffe)://.*\.acme\.com$`
- Email Addresses (SAN) example that allows all addresses that end in acme.com: `^(?:[A-Za-z0-9._%+-]+)?@acme\.com$`
Regular expression syntax reference
| Syntax | Description | Example | Matches |
|---|---|---|---|
| `*` | Matches the preceding item any number of times, including none (so `.*` matches any characters, including none). | `^.*[.]acme[.]com` | site-1.acme.com, www.acme.com, *.acme.com |
| `.` | Matches a single character. | `^.?team[.]acme[.]com` | ateam.acme.com, bteam.acme.com, 1team.acme.com |
| `[abc]` | Matches one character given in the bracket. | `^[tmb]ike[.]acme[.]com` | tike.acme.com, mike.acme.com, bike.acme.com |
| `[a-z]` | Matches one character from the range given in the bracket. | `[w-z]-net[.]acme[.]com` | w-net.acme.com, x-net.acme.com, y-net.acme.com, z-net.acme.com |
| `[^0-9]` | Matches one character outside the range given in the bracket. | `^[^0-3][yz][.]acme[.]com` | 4y.acme.com, 5z.acme.com, 6y.acme.com |
- Under Key Constraint, select one or more key algorithms.
  - If there is only one key algorithm, the Workload Identity Manager's clients must use that algorithm.
  - If there are multiple key algorithms, the Workload Identity Manager's clients can use any of the approved algorithms. If no algorithm is specified, the one specified as the Default Value will be used.
  - Key algorithms are always Required type.
- Select Issuance Parameters options.
  - Key usage. For TLS certificates, select both Digital Signature and Key Encipherment.
  - Extended key usage. Select one or more of the following:
    - If issuing server certificates, select Server Authentication.
    - If issuing client certificates, select Client Authentication.
- When you're finished, click Create.
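To see how the field types, Default Values and regular-expression rules described in the steps above combine at issuance time, here is an added example (not code from this page or from Workload Identity Manager) that simulates the policy check in Python. It assumes the product's regexes behave like Python's `re` module for these patterns, and it models a constructed Production policy built from the page's own examples next to the unconstrained Optional field that the Production section warns about.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class FieldRule:
    """One policy field: type as on the page, allowed literals/regexes, Default Value."""
    ftype: str                   # Ignored, Forbidden, Optional, Required or Locked
    allowed: tuple = ()          # literal strings, or regular expressions written as ^...$
    default: str | None = None   # Default Value (subject fields only, per the page)

def complies(pattern: str, value: str) -> bool:
    """A pattern prefixed with '^' is a regex; anything else is a literal string."""
    if pattern.startswith("^"):
        return re.search(pattern, value) is not None   # the trailing $ does the anchoring
    return pattern == value

def evaluate_field(rule: FieldRule, requested: list[str]) -> tuple[bool, list[str]]:
    """Return (accepted, values that end up in the issued certificate)."""
    if rule.ftype == "Ignored":                 # stripped whether requested or not
        return True, []
    if rule.ftype == "Forbidden":               # must not appear in the CSR at all
        return not requested, []
    if rule.ftype == "Locked":                  # only the policy value; a request cannot change it
        ok = all(v == rule.default for v in requested)
        return ok, [rule.default] if ok else []
    if rule.ftype == "Required" and not requested:
        return False, []
    if not requested:                           # Optional: fall back to the Default Value, if any
        return True, [rule.default] if rule.default else []
    # Optional/Required: every requested value must comply with an allowed value. With no
    # allowed values at all, anything is accepted: the Production risk described on the page.
    ok = all(not rule.allowed or any(complies(p, v) for p in rule.allowed) for v in requested)
    return ok, list(requested) if ok else []

def evaluate_csr(policy: dict[str, FieldRule], csr: dict[str, list[str]]) -> bool:
    """A certificate is issued only if every policy field accepts what was (or wasn't) requested."""
    return all(evaluate_field(rule, csr.get(name, []))[0] for name, rule in policy.items())

# Constructed Production-style policy using the page's regex examples (hypothetical tenant acme.com).
PROD_POLICY = {
    "CN":        FieldRule("Required", (r"^[a-zA-Z0-9_-]+[.]acme[.]com$",)),
    "DNS SAN":   FieldRule("Required", (r"^[a-zA-Z0-9_-]+[.]acme[.]com$",)),
    "IP SAN":    FieldRule("Forbidden"),
    "URI SAN":   FieldRule("Optional", (r"^(https|ldaps|spiffe)://.*\.acme\.com$",)),
    "Email SAN": FieldRule("Ignored"),
}
# The same policy with URI SAN left Optional and unconstrained (the development shortcut).
DEV_POLICY = dict(PROD_POLICY, **{"URI SAN": FieldRule("Optional")})

# Constructed CSRs: a compliant one, a wildcard DNS name, a forbidden IP SAN, and a URI SAN
# carrying an identity outside acme.com.
GOOD_CSR = {"CN": ["api.acme.com"], "DNS SAN": ["api.acme.com"], "URI SAN": ["spiffe://api.acme.com"]}
WILDCARD_CSR = {"CN": ["api.acme.com"], "DNS SAN": ["*.acme.com"]}
IP_CSR = dict(GOOD_CSR, **{"IP SAN": ["10.0.0.5"]})
FOREIGN_URI_CSR = dict(GOOD_CSR, **{"URI SAN": ["spiffe://other-tenant.example/sa/default"]})
```

Running the same regex with and without the trailing `$` against a name such as www.acme.com.example.net shows why the page insists on the `$` anchor: without it the pattern matches a prefix and the value is accepted.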
What's next?
Now that you have created a policy, your next step is to create a service account that will allow the Workload Identity Manager server to connect to CyberArk Certificate Manager - SaaS using a specific configuration (that you will configure in a future step). However, before you can create a service account, you will need to create a team, if you haven't yet.
What do you want to do?
- I don't have a team (or I don't know if I do), so take me to the documentation on teams.
- I know my team is configured, so take me to the service account documentation.