⚙️ Workflow Management
This guide explains step by step how to configure certificate lifecycle automation rules and how to create and manage workflows in SecTrail CM.
Workflow management enables you to automate certificate renewal, deployment, and notification processes. With server-based automation rules, you can centrally manage certificate lifecycles.
Automatic Operation Principle: Once configured, the system regularly monitors certificate expiration based on your renewal threshold value (e.g., 15 days). As expiration approaches, it automatically initiates the workflow steps you've defined (approval, renewal, deployment) and performs certificate renewal and installation when the time comes.
Workflow Policies List
View and manage all created workflow policies.
To access workflow policies: Go to Workflow → Policy menu.

Workflow Policies - All Automation Rules
List Information
The following details are displayed for each policy in the workflow list:
| Column | Description |
|---|---|
| Workflow Identifier | Automatically generated unique identifier for the workflow (e.g., ST-0b6c4befb1) |
| Created At | Policy creation date and time |
| Type | Workflow type (Certificate-Renewal-Confirmation, Certificate-Renewal, Deliver, Deployment) |
| Common Name | Common name information of the certificate to which the workflow applies |
| Certificate Signature Types | Certificate signature type (ACME, RSA, ECDSA) |
| Certificate Expire Date | Expiration date of the associated certificate |
| Actions | Action buttons for editing and deleting |
| Status | Workflow status: Active or Inactive |
Workflow Details
Each workflow record can be expanded to view detailed information:
Detail Fields
- Renewal Confirmation Mails: Email addresses for renewal approval notifications
- CA Type: Certificate authority type used (ACME, Internal CA)
- Deliver mails: Email addresses to receive certificate delivery notifications
- Host: Server IP address for deployment
- Device Type: Target device type (Apache, Nginx, F5, etc.)
- Virtual Host: Virtual host configuration
- ServerName: Server name information
Available Actions
Top Menu Actions
- Add New Flow - Create new workflow policy
- Search - Search workflows by identifier number
- Edit - Edit existing policy (pencil icon)
- Delete - Delete policy (trash icon)
- Expand/Collapse - Show/hide detail information
Deleting an active workflow will stop automatic certificate renewal and deployment processes. Make sure this is intended before deleting.
Creating New Workflow
Create certificate lifecycle automation rules.
To create a new workflow: Click the Add New Flow button on the Workflow → Policy page.

Creating New Workflow Rule
Basic Configuration
1. Workflow Type and Certificate Selection
| Parameter | Description | Options |
|---|---|---|
| Workflow Type | Specify the automation rule type | Server Based Automation |
| Discover Certificate | Select the discovered certificate to which the workflow applies | Certificate selection from discovery list |
| Select Servers | Specify the servers where automation will run | IP address or hostname selection (supports multiple selection) |
| Renewal Threshold | Certificate renewal threshold value (days) | How many days before certificate expiration to renew (default: 15) |
| Template | Certificate template to use | Selection from predefined templates |
Steps
- Select Server Based Automation as Workflow Type
- Select the relevant certificate from the Discover Certificate dropdown
- Select target servers in the Select Servers field (multiple servers can be selected)
- Enter the number of days for Renewal Threshold (e.g., 15)
- Select the appropriate template from the Template dropdown
2. Deployment Configuration

Deployment Settings
Configure certificate deployment parameters.
| Parameter | Description |
|---|---|
| Deployment | Enable automatic deployment (checkbox) |
| Devices | Select target device type (F5, Apache, Nginx, etc.) |
| Virtual Hosts | Select virtual host configurations for deployment |
| Devices (Secondary) | IP address for secondary devices |
| Virtual Hosts (Secondary) | Secondary virtual host configurations |
| Deployment Time | Time when deployment will occur (in HH:MM format) |
| Retry Limit | Number of retries for failed deployment |
Configuration Steps
- Check the Deployment checkbox
- Select the device type from the Devices dropdown
- Select relevant configurations for Virtual Hosts
- Enter IP address for secondary devices
- Enter time information in the Deployment Time field (e.g., 01:00)
- Specify the number of retries for Retry Limit (e.g., 1)
3. Confirmation Configuration

Approval Notifications Settings
Configure approval processes for certificate renewal and deployment.
| Parameter | Description |
|---|---|
| Confirmation | Enable confirmation mechanism |
| Renewal Confirmation Emails | Email addresses for renewal approval (comma-separated) |
| Renewal Confirmation Emails Content | Content of renewal approval email |
| Deployment Confirmation Emails | Email addresses for deployment approval |
| Deployment Confirmation Emails Content | Content of deployment approval email |
Configuration Steps
- Check the Confirmation checkbox
- Enter email addresses in the Renewal Confirmation Emails field
- Write the email text in the relevant content field
- Repeat the same steps for Deployment Confirmation Emails
- Add additional email addresses with the Add More button
4. Notification Configuration

Notification Settings
Configure notification parameters for workflow processes.
| Parameter | Description |
|---|---|
| Notification | Enable notification mechanism |
| Notification E-mail | Email addresses to receive notifications |
| Workflow Confirmation Error Message/Mail Subject | Confirmation error email subject and content |
| Workflow Renewal Error Message/Mail Subject | Renewal error email subject and content |
| Workflow Deployment Error Message/Mail Subject | Deployment error email subject and content |
| Workflow Completed Message/Mail Subject | Successful completion email subject and content |
5. Send Certificate via Email

Send Certificate via Email
Automatically send renewed certificates via email.
| Parameter | Description |
|---|---|
| Send Inventory Certificate via Email | Enable email sending feature |
| Email to be sent | Email addresses to receive the certificate |
| BCC | Email addresses to receive blind copy |
| Mail Subject | Email subject line |
| Mail Text | Email content text |
Configuration Steps
- Check the Send Inventory Certificate via Email checkbox
- Enter recipient email addresses in the Email to be sent field
- Add blind copy recipient addresses in the BCC field
- Write an appropriate subject for Mail Subject (e.g., "SecTrailCM Renewed Certificate")
- Enter the email content in the Mail Text field
- Click the Create button to save the workflow
Workflow History
View the execution history and details of created workflows.
To access workflow history: Click on a workflow identifier in the Workflow → Processes list.

Workflow History - Process Steps
History Information
The following information is displayed for each workflow execution:
| Column | Description |
|---|---|
| Type | Operation type (Certificate-Renewal-Confirmation, Certificate-Renewal, Deliver, Deployment) |
| Status | Operation status (Completed, Failed, Pending) |
| Deployment Id | Deployment identification number |
| Details | Operation details and descriptions |
| Created At | Operation start date and time |
| End At | Operation completion date and time |
Status Indicators
| Status | Description |
|---|---|
| 🟢 Completed | Operation completed successfully |
| 🔴 Failed | Operation failed |
| 🟡 Pending | Operation in progress |
Deployment Details
When deployment records are expanded, the following details are displayed:
- Devices: Target device list (e.g., f5_prod)
- IP: Target server IP address
- Port: Target port number
- Virtual Host: Related virtual host configuration
- Type: Deployment type (Client-Side, Server-Side)
- Profile Name: Profile name used
Sample Deployment Record
• Devices: f5_prod
• IP: 10.34.23.213
• Port: 443
• Virtual Host: Eğitim-SecTrail-Redirection
• Type: Client-Side
• Profile Name: wildcard_bntpro_com_2024_Q4_ST-4cb3205188
Search and Filtering
- Search: Search by workflow identifier
- Date Filter: Filter history records by date range
- Status Filter: Filter records by status
At the bottom of the list, the entry count (e.g., "Showing 1 to 5 of 5 entries") and the page numbers let you navigate through the records.
Workflow Scenario Example
Below is a step-by-step workflow configuration with a real-world use case scenario.
Scenario: Automatic Wildcard Certificate Renewal and Deployment
Situation: Your company uses a wildcard certificate for *.bntpro.com. This certificate is used on multiple servers (Apache, F5 load balancer).
Requirement: The certificate should be automatically renewed before expiration and deployed to all servers.
Step 1: Certificate Discovery
- Create a certificate discovery rule from the Discovery → Discovery List menu
- Add target servers (10.34.23.213, 10.34.24.181, cm.bntpro.com:443)
- Start discovery and wait for certificates to be detected
Step 2: Workflow Creation
- Click the Add New Flow button from the Workflow → Workflow Policies page
- Workflow Type: Select Server Based Automation
- Discover Certificate: Select CN=bntpro.com - 21-01-2026 09:52:47
- Select Servers: Select all servers
  - 10.34.23.213:443
  - 10.34.24.181:443
  - cm.bntpro.com:443
  - 0.0.0.0:443
  - crm.bntpro.com:443
  - sa.bntpro.com:443
- Renewal Threshold: Set to 15 days
- Template: Select lets_encrypt_template
Step 3: Deployment Configuration
- Check the Deployment checkbox
- Devices (Primary): Select f5_prod
- Virtual Hosts (Primary):
  - Eğitim-SecTrail-Redirection - wildcard_bntpro_com_2024_Q4_ST-ad038846dc2 - 10.34.23.213:443
  - Eğitim_ss - wildcard_bntpro_com_2024_Q4_ST-ad038846dc2 - 192.192.192.193:443
- Devices (Secondary): 10.34.24.181
- Virtual Hosts (Secondary): cm.bntpro.com -*443
- Deployment Time: 01:00 (1:00 AM)
- Retry Limit: 1
Step 4: Confirmation Mechanism
- Check the Confirmation checkbox
- Renewal Confirmation Emails: admin@example.com, sdg-dev@bntpro.com, destek@bntpro.com
- Deployment Confirmation Emails: admin@example.com
Step 5: Notification Configuration
- Check the Notification checkbox
- Notification E-mail: admin@example.com
- Workflow Confirmation Error Message
- Workflow Renewal Error Message
- Workflow Deployment Error Message
- Workflow Completed Message
Step 6: Email Delivery
- Check the Send Inventory Certificate via Email checkbox
- Email to be sent: admin@example.com, sdg-dev@bntpro.com, destek@bntpro.com
- BCC: admin@example.com
- Mail Subject: SecTrailCM Renewed Certificate
Step 7: Save and Activation
- Click the Create button to save the workflow
- The workflow automatically becomes Active
- The system automatically starts the renewal process 15 days before certificate expiration
Workflow Execution Sequence
The created workflow runs in the following sequence:
- Day 0-15: System checks certificate expiration
- Day 15 (Renewal Start):
  - Renewal approval email is sent
  - Waits for approval
- After Approval:
  - Certificate renewal process begins (ACME/Let's Encrypt)
  - New certificate is created
- Deployment Approval:
  - Deployment approval email is sent
  - Waits for approval
- At 01:00 (Deployment):
  - Deployment to F5 load balancer
  - Deployment to Apache server
  - Retry for each deployment (if failed)
- Completion:
  - If all operations succeed, notification email is sent
  - New certificate is shared via email
- Error State:
  - If an error occurs in any step, relevant error notification is sent
  - Detailed log record is created in Workflow Logs
- Deployment Time: Set deployment time to low-traffic hours (1:00 AM-4:00 AM)
- Retry Limit: Increase retry limit for critical systems
- Notification: Add multiple administrator emails
- BCC: Use BCC for archiving in all email notifications
- Testing: Test with a test certificate during initial setup
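
An independent check of the scenario's outcome, added here as an example and not part of SecTrail CM or its documentation: it connects to each target, compares the SHA-256 fingerprint of the served certificate with that of the renewed one, and flags endpoints still inside the 15-day Renewal Threshold. The function names, status labels, the SNI value and taking the expected fingerprint from the e-mailed certificate are assumptions; the demo uses a constructed fetcher so it runs offline.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timedelta, timezone

def fetch_leaf(host, port, sni=None, timeout=5.0):
    """Return (DER bytes, notAfter as UTC datetime) of the certificate served."""
    ctx = ssl.create_default_context()  # chain and hostname are verified
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
            der = tls.getpeercert(binary_form=True)
            not_after = tls.getpeercert()["notAfter"]
    ts = ssl.cert_time_to_seconds(not_after)
    return der, datetime.fromtimestamp(ts, tz=timezone.utc)

def audit(targets, expected_fp, now=None, fetch=fetch_leaf, threshold=15):
    """Map "host:port" to (status, days_left); threshold is the Renewal Threshold."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for host, port, sni in targets:
        key = f"{host}:{port}"
        try:
            der, not_after = fetch(host, port, sni)
        except OSError as exc:  # timeouts, refusals, ssl.SSLError (e.g. expired cert)
            report[key] = ("ERROR", type(exc).__name__)
            continue
        days_left = (not_after - now).days
        status = "OK"
        if hashlib.sha256(der).hexdigest() != expected_fp:
            status = "NOT_DEPLOYED"      # endpoint still serves another certificate
        elif days_left <= threshold:
            status = "INSIDE_THRESHOLD"  # right certificate, but renewal is overdue
        report[key] = (status, days_left)
    return report

def demo():
    """Offline run: a constructed fetcher stands in for the TLS calls."""
    now = datetime(2026, 1, 10, tzinfo=timezone.utc)
    new, old = b"constructed-renewed-der", b"constructed-previous-der"
    served = {"10.34.23.213": (new, 89), "10.34.24.181": (old, 11)}  # DER, days left
    def fake(host, port, sni):
        der, days = served[host]
        return der, now + timedelta(days=days)
    targets = [(host, 443, "cm.bntpro.com") for host in served]  # SNI is assumed
    return audit(targets, hashlib.sha256(new).hexdigest(), now=now, fetch=fake)

if __name__ == "__main__":
    print(demo())
```

Run against real endpoints by calling `audit` without the `fetch` argument; a `NOT_DEPLOYED` result after a workflow shows Completed means the endpoint serves a different certificate than the one that was delivered.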