Custodian Management

Custodians are responsible for approving any action performed in PKI. Custodians are the individuals responsible for the issuance of root and intermediate certificates. They approve or reject any action performed on the CA certificates. Custodians typically work in an M-of-N model (or M/N model) to ensure high levels of security and prevent unauthorized issuance of certificates.

Onboard at least two custodians before creating a CA hierarchy. You can add custodians by going to (Menu) icon > PKI+ > Custodian Management with the following privileges under RBAC roles and resources.
  1. Roles automation > service request full
  2. PKI+ > view all (optional)
  3. Resources > workflow studio, workflow request > PKIaaS, approval_request
Note: No CA action is possible until at least two active custodians are in the system.
Any administrator can add custodians from the Custodian Management page if the key ceremony admins are not configured. Key ceremony admins are an additional layer of control delegation on who can have the authority to add or modify custodians. This is an optional field. Key ceremony admins cannot be added as custodians.
Note: Only two key ceremony admins can be added.

Key Ceremony Process

A virtual key ceremony in AppViewX PKI is where customers define a closed group of CA administrators (custodians).

The approvals are based on an M-of-N method with a user-defined quorum value, where M is the minimum number of custodians required to approve an action, and N is the total number of custodians available. The quorum value is the minimum percentage of custodians that must agree or participate to authorize an action or to make a decision regarding the lifecycle of CA certificates. The default quorum is 51%. For example, if the custodian group has three members, then at least two custodians must approve any action to meet the 51% quorum.

The first custodian is auto-approved, and the approval flow is triggered when the second custodian is added. On adding the second custodian, that individual receives a notification stating Email Verification - Pending. Once the email verification is completed, an approval link is sent to the first custodian. Upon approval, the second custodian transitions to the active state.
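The following Python model ties together the quorum rule and the onboarding flow described above. It is an added illustration, not AppViewX code: the state names follow the text, while the class and method names, the integer ceiling used to derive M from the quorum percentage, and the assumption that any active custodian may approve a later onboarding (the text only describes the first custodian approving the second) are the author's own choices.

```python
"""Model of the M-of-N custodian quorum and the custodian onboarding flow.

Added example, not AppViewX product code. Assumptions: class and method
names, and that any active custodian may approve later onboardings.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    EMAIL_PENDING = "Email Verification - Pending"
    APPROVAL_PENDING = "Approval - Pending"
    ACTIVE = "Active"


def min_approvals(total: int, quorum_percent: int = 51) -> int:
    """Smallest M such that M/N reaches the quorum percentage.

    Integer ceiling division avoids float rounding (0.51 * 100 is not
    exactly 51.0), so a 51% quorum over 100 custodians is exactly 51.
    """
    if total < 1:
        raise ValueError("a custodian group needs at least one member")
    if not 1 <= quorum_percent <= 100:
        raise ValueError("quorum must be between 1 and 100 percent")
    return -(-quorum_percent * total // 100)


@dataclass
class Custodian:
    email: str
    state: State


@dataclass
class CustodianGroup:
    quorum_percent: int = 51
    key_ceremony_admins: set = field(default_factory=set)
    custodians: dict = field(default_factory=dict)

    def add_key_ceremony_admin(self, email: str) -> None:
        # Only two key ceremony admins can be configured.
        if len(self.key_ceremony_admins) >= 2:
            raise ValueError("only two key ceremony admins can be added")
        self.key_ceremony_admins.add(email)

    def add_custodian(self, email: str) -> State:
        if email in self.key_ceremony_admins:
            raise ValueError("key ceremony admins cannot be added as custodians")
        if email in self.custodians:
            raise ValueError("custodian already exists")
        # The first custodian is auto-approved; every later one starts at
        # email verification and then needs approval from an active custodian.
        state = State.ACTIVE if not self.custodians else State.EMAIL_PENDING
        self.custodians[email] = Custodian(email, state)
        return state

    def verify_email(self, email: str) -> list:
        """Completes email verification; returns who receives the approval link."""
        c = self.custodians[email]
        if c.state is not State.EMAIL_PENDING:
            raise ValueError(f"{email} is not awaiting email verification")
        c.state = State.APPROVAL_PENDING
        return self.active()

    def approve_onboarding(self, approver: str, email: str) -> State:
        if approver not in self.active():
            raise PermissionError(f"{approver} is not an active custodian")
        c = self.custodians[email]
        if c.state is not State.APPROVAL_PENDING:
            raise ValueError(f"{email} has not completed email verification")
        c.state = State.ACTIVE
        return c.state

    def active(self) -> list:
        return [e for e, c in self.custodians.items() if c.state is State.ACTIVE]

    def required_approvals(self) -> int:
        # N counts only active custodians; pending members cannot approve.
        return min_approvals(len(self.active()), self.quorum_percent)

    def ca_actions_enabled(self) -> bool:
        # No CA action is possible until at least two custodians are active.
        return len(self.active()) >= 2

    def authorizes(self, approvers) -> bool:
        """True if the approving set satisfies M-of-N over active custodians."""
        if not self.ca_actions_enabled():
            return False
        valid = set(approvers) & set(self.active())
        return len(valid) >= self.required_approvals()


if __name__ == "__main__":
    # Constructed sample addresses, not real accounts.
    g = CustodianGroup()
    g.add_custodian("alice@example.test")  # auto-approved
    g.add_custodian("bob@example.test")  # Email Verification - Pending
    g.verify_email("bob@example.test")  # approval link goes to alice
    g.approve_onboarding("alice@example.test", "bob@example.test")
    print(g.active(), g.required_approvals(), g.ca_actions_enabled())
```

Note that approvals from custodians still in a pending state are discarded before the M-of-N count is taken, and that the check fails closed whenever fewer than two custodians are active, mirroring the rule that no CA action is possible until then.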