📜 Certificate Management System Flow

1. Certificate Request Flow

The user submits a certificate request through the ServiceNow portal, which triggers the backend API to process it.

flowchart LR
    A[User in ServiceNow Portal] --> B[Fill Request Form:<br/>CN, SAN, TTL, Business Unit]
    B --> C[ServiceNow Workflow<br/>Triggered]
    C --> D[POST /api/cert-request<br/>Authorization: Bearer token<br/>JSON payload]
    D --> E[FastAPI Backend<br/>Request Handler]
    E --> F{Validate Input}
    F -->|Valid| G[Store in DB<br/>status: pending<br/>request_id generated]
    F -->|Invalid| H[Return 400 Error<br/>Validation details]
    G --> I[Call vault.generate_certificate<br/>Pass CN, SAN, TTL, key_type]

Key API Details:

  • Endpoint: POST /api/cert-request
  • Headers: Authorization: Bearer {servicenow_token}
  • Payload: common_name, alt_names[], ttl, business_unit
  • Response: request_id, status
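The "Validate Input" step is where a CA front-end either enforces issuance policy or becomes a way to obtain certificates for names it should never sign. The following is an added example (not the page's backend code) of that check for the payload above; the TTL cap, the allowed business units and the `.example.internal` namespace are assumptions, since the page states no limits.

```python
import re
import uuid
from dataclasses import dataclass, field
# Policy limits are assumptions for this example; the page states no bounds.
MAX_TTL_DAYS = 397
ALLOWED_BUSINESS_UNITS = {"payments", "platform", "data"}
ALLOWED_DOMAIN_SUFFIXES = (".example.internal",)  # assumed namespace this CA issues for
HOSTNAME_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

@dataclass
class CertRequest:
    common_name: str
    alt_names: list = field(default_factory=list)
    ttl: int = 90
    business_unit: str = ""

def _valid_hostname(name: str) -> bool:
    # Reject wildcards, bad labels and over-long names, and only accept names inside
    # the namespaces this CA is responsible for (no issuance for arbitrary domains).
    if len(name) > 253 or not name.endswith(ALLOWED_DOMAIN_SUFFIXES):
        return False
    return all(HOSTNAME_LABEL.match(label) for label in name.split("."))

def validate_request(req: CertRequest) -> list:
    """Return the validation errors for a request; an empty list means it is valid."""
    errors = []
    if not _valid_hostname(req.common_name.strip().lower()):
        errors.append(f"common_name {req.common_name!r} is not an allowed hostname")
    for san in req.alt_names:
        if not _valid_hostname(san.strip().lower()):
            errors.append(f"alt_name {san!r} is not an allowed hostname")
    if not isinstance(req.ttl, int) or not 1 <= req.ttl <= MAX_TTL_DAYS:
        errors.append(f"ttl must be an integer between 1 and {MAX_TTL_DAYS} days")
    if req.business_unit not in ALLOWED_BUSINESS_UNITS:
        errors.append(f"business_unit {req.business_unit!r} is not recognised")
    return errors

def handle_cert_request(req: CertRequest) -> tuple:
    """Mirror the handler: 400 with details, or 201 with the pending DB record."""
    errors = validate_request(req)
    if errors:
        return 400, {"status": "invalid", "errors": errors}
    return 201, {
        "request_id": str(uuid.uuid4()),
        "status": "pending",
        "common_name": req.common_name.strip().lower(),
        "alt_names": sorted({s.strip().lower() for s in req.alt_names}),
        "ttl": req.ttl,
        "business_unit": req.business_unit,
    }
```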

2. Certificate Issuance Process

The backend coordinates with Vault and AWS PCA to generate and sign the certificate.

flowchart TD
    A[Backend vault.py] --> B[Authenticate to Vault<br/>POST /v1/auth/approle/login<br/>role_id + secret_id]
    B --> C[Receive X-Vault-Token]
    C --> D[Call Vault PKI<br/>POST /v1/pki/intermediate/generate/internal<br/>Headers: X-Vault-Token]
    D --> E[Vault generates keypair<br/>RSA 2048-bit<br/>Creates CSR]
    E --> F[Return CSR PEM<br/>+ csr_id]
    F --> G[Backend calls AWS PCA<br/>boto3: issue_certificate]
    G --> H[AWS PCA Parameters:<br/>CertificateAuthorityArn<br/>Csr PEM bytes<br/>Validity Days<br/>TemplateArn]
    H --> I[AWS PCA validates<br/>and signs certificate]
    I --> J[Poll for certificate<br/>get_certificate API]
    J --> K[Receive Certificate +<br/>Certificate Chain]

Technical Details:

  • Vault Auth: AppRole method (role_id, secret_id)
  • CSR Format: PEM-encoded, SHA256withRSA
  • AWS PCA API: boto3 client methods
  • Certificate Chain: End-entity + Intermediate + Root CA

3. Certificate Storage & Access

The certificate is stored in Vault and made available to applications through the backend API.

flowchart TD
    A[Backend receives<br/>signed certificate] --> B[Parse certificate:<br/>Extract serial, expiry<br/>Verify validity]
    B --> C[Store in Vault<br/>POST /v1/secret/data/certs/app/id]
    C --> D[Vault Payload:<br/>certificate PEM<br/>private_key encrypted<br/>ca_chain PEM<br/>serial_number<br/>expiration ISO8601]
    D --> E[Vault returns<br/>version number]
    E --> F[Update DB:<br/>status: issued<br/>certificate_id<br/>vault_path<br/>expiration]
    F --> G[Return to ServiceNow:<br/>JSON: cert_id, serial,<br/>expiry, download_url]
    G --> H[Application requests cert<br/>GET /api/cert/id/download<br/>Auth: API Key or mTLS]
    H --> I[Backend validates auth]
    I --> J[Fetch from Vault<br/>GET /v1/secret/data/certs/...]
    J --> K[Return ZIP or JSON:<br/>server.crt, server.key<br/>ca-chain.crt]

Storage Details:

  • Vault Path: secret/data/certs/{app-name}/{cert-id}
  • Secret Engine: KV v2 (versioned)
  • Access Methods: API Key, Service Account Token, mTLS
  • File Permissions: 600 (read/write owner only)
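Two details of this step are easy to get wrong: the Vault path is built from an app name and cert id that originate in a user request, and the KV v2 write and the 600-permission file write each have a safe and an unsafe way to be done. This added example (not the project's `vault.py`) shows the path check, the KV v2 request body with a check-and-set guard, and a private-key file written with mode 600 from creation; the segment character set is an assumption.

```python
import os
import re
import tempfile

SAFE_SEGMENT = re.compile(r"^[a-z0-9][a-z0-9_-]{0,63}$")  # assumed naming rule

def vault_cert_path(app_name: str, cert_id: str) -> str:
    """Build secret/data/certs/{app-name}/{cert-id} from caller-supplied values,
    refusing anything that could escape the certs/ prefix (slashes, dots, empties)."""
    for seg in (app_name, cert_id):
        if not SAFE_SEGMENT.match(seg):
            raise ValueError(f"unsafe path segment: {seg!r}")
    return f"secret/data/certs/{app_name}/{cert_id}"

def kv2_write_body(cert_pem, key_pem, chain_pem, serial, expiration_iso, cas=0):
    """KV v2 wants the secret under 'data'; options.cas=0 makes Vault reject the write
    if the path already has a version, so a retried job never overwrites a live cert.
    (Vault encrypts KV data at rest; the key is still only as safe as the token ACL.)"""
    return {
        "options": {"cas": cas},
        "data": {
            "certificate": cert_pem,
            "private_key": key_pem,
            "ca_chain": chain_pem,
            "serial_number": serial,
            "expiration": expiration_iso,
        },
    }

def version_from_response(resp_json: dict) -> int:
    """KV v2 reports the version it just wrote under data.version."""
    return int(resp_json["data"]["version"])

def write_private_file(path: str, content: str) -> int:
    """Write server.key with mode 600 from the moment it exists (no world-readable
    window) and rename it into place atomically; returns the resulting mode bits."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")  # created 0600
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return os.stat(path).st_mode & 0o777
```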

4. Automatic Certificate Renewal

The backend scheduler monitors certificate expiration and triggers automatic renewal 30 days before expiry.

flowchart TD
    A[Backend Cron Job<br/>Daily at 2 AM] --> B[Query DB:<br/>expiration < NOW + 30 days]
    B --> C{Expiring<br/>certs found?}
    C -->|Yes| D[For each certificate:<br/>call renewal function]
    C -->|No| E[Log: No renewals needed]
    D --> F[Call Vault API<br/>POST /v1/pki/issue/role<br/>Same CN and SAN]
    F --> G[Vault generates<br/>new keypair + CSR]
    G --> H[Submit to AWS PCA<br/>Same issuance flow]
    H --> I[Store new cert in Vault<br/>New version, same path]
    I --> J[Update DB:<br/>new expiration date<br/>Keep old cert 30 days]
    J --> K[Send notification:<br/>POST /api/notify/cert-renewed<br/>Email + Webhook]
    K --> L[Application polls:<br/>GET /api/cert/check-updates]
    L --> M[Download new cert<br/>Hot reload or restart]
    M --> N[Log renewal event<br/>Audit trail]

Renewal Configuration:

  • Schedule: Daily cron job at 2:00 AM
  • Renewal Window: 30 days before expiration
  • Notification Methods: Email, Webhook, Slack
  • Rollback: Old cert retained for 30 days
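The renewal query as written (`expiration < NOW + 30 days`) also matches revoked and already-expired rows, so the selection step needs more than the date comparison. This added example (not the project's scheduler) shows the selection with those cases handled, the DB record that keeps the previous serial for the 30-day rollback window, and the answer to the application's `check-updates` poll; the row layout is an assumption.

```python
from datetime import datetime, timedelta

RENEWAL_WINDOW = timedelta(days=30)      # renew when expiration < now + 30 days
ROLLBACK_RETENTION = timedelta(days=30)  # previous version kept this long

def select_for_renewal(certs: list, now: datetime) -> list:
    """Pick the certificates tonight's run must renew. This mirrors the DB query
    (expiration < NOW + 30 days) but also skips revoked/pending rows, so a cert that
    was revoked for key compromise is never silently re-issued, and flags rows that
    have already expired so they can be escalated rather than quietly renewed."""
    due = []
    for cert in certs:
        if cert["status"] != "issued" or cert["expiration"] >= now + RENEWAL_WINDOW:
            continue
        due.append({**cert, "overdue": cert["expiration"] <= now})
    return sorted(due, key=lambda c: c["expiration"])  # soonest expiry first

def renewal_record(old: dict, new_serial: str, new_expiration: datetime, now: datetime) -> dict:
    """DB update after the new cert version is written to the same Vault path.
    Refuses a 'renewal' that does not actually extend the expiration."""
    if new_expiration <= old["expiration"]:
        raise ValueError("new certificate does not extend expiration; aborting renewal")
    return {
        "certificate_id": old["certificate_id"],
        "vault_path": old["vault_path"],          # same path, new KV version
        "serial_number": new_serial,
        "expiration": new_expiration,
        "previous_serial": old["serial_number"],  # rollback target
        "previous_purge_after": now + ROLLBACK_RETENTION,
        "status": "issued",
    }

def check_updates(record: dict, app_serial: str) -> dict:
    """Answer GET /api/cert/check-updates: the app reports the serial it is running
    with and learns whether a newer version sits at its Vault path."""
    return {
        "update_available": app_serial != record["serial_number"],
        "serial_number": record["serial_number"],
        "expiration": record["expiration"].isoformat(),
    }
```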

5. Certificate Revocation

A certificate can be revoked through ServiceNow or the admin interface for security incidents or decommissioning.

flowchart TD
    A[Revocation Trigger:<br/>Security incident<br/>App decommission<br/>User request] --> B[ServiceNow or Admin calls:<br/>POST /api/cert/id/revoke<br/>Body: reason_code]
    B --> C[Backend validates:<br/>Check permissions<br/>Verify cert exists]
    C --> D{Valid<br/>request?}
    D -->|Yes| E[Call Vault:<br/>POST /v1/pki/revoke<br/>Body: serial_number]
    D -->|No| F[Return 403 Forbidden]
    E --> G[Call AWS PCA:<br/>revoke_certificate API<br/>CertificateArn + Reason]
    G --> H[AWS PCA updates:<br/>CRL Certificate Revocation List<br/>OCSP responder]
    H --> I[Update DB:<br/>status: revoked<br/>revocation_timestamp<br/>reason]
    I --> J[Notify application:<br/>POST to app webhook<br/>cert_id, revocation_time]
    J --> K[App stops using cert<br/>Requests new certificate]
    K --> L[Write audit log:<br/>timestamp, requester,<br/>reason, actions taken]

Revocation Details:

  • Reasons: keyCompromise, cessationOfOperation, privilegeWithdrawn
  • CRL Update: Immediate propagation
  • OCSP: Real-time revocation status
  • Audit: Full trail with requester identity
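The validation box above decides who may revoke and with which reason, and the two downstream calls each want the serial in their own form. This added example (not the project's handler) maps the page's reason names to RFC 5280 CRLReason codes and the AWS PCA RevocationReason enum, canonicalises the serial for Vault's `/v1/pki/revoke`, and returns the calls to make; the role-to-reason policy and the colon-separated serial format for PCA are assumptions. Note that boto3's `revoke_certificate` identifies the certificate by CA ARN plus serial.

```python
from datetime import datetime, timezone
from typing import Optional

# RFC 5280 CRLReason code and the matching AWS PCA RevocationReason enum name.
REASONS = {
    "keyCompromise":        (1, "KEY_COMPROMISE"),
    "affiliationChanged":   (3, "AFFILIATION_CHANGED"),
    "superseded":           (4, "SUPERSEDED"),
    "cessationOfOperation": (5, "CESSATION_OF_OPERATION"),
    "privilegeWithdrawn":   (9, "PRIVILEGE_WITHDRAWN"),
}
# Assumed role policy: who may revoke, and for which reasons.
ROLE_REASONS = {
    "security-admin": set(REASONS),
    "app-owner": {"cessationOfOperation", "superseded"},
}

def normalize_serial(serial: str) -> str:
    """Vault's /pki/revoke takes colon-separated hex; accept the common spellings
    (plain hex, hyphens, upper case) and canonicalise so lookups and logs agree."""
    digits = serial.replace(":", "").replace("-", "").lower()
    if not digits or len(digits) % 2 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed serial: {serial!r}")
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))

def plan_revocation(cert: Optional[dict], requester_roles: set, reason: str, ca_arn: str) -> dict:
    """Validate like the backend (cert exists, reason known, requester permitted) and
    return the exact Vault body, PCA kwargs and DB update; PermissionError maps to 403."""
    if cert is None:
        raise LookupError("certificate not found")
    if reason not in REASONS:
        raise ValueError(f"unknown reason_code {reason!r}")
    if not any(reason in ROLE_REASONS.get(role, ()) for role in requester_roles):
        raise PermissionError(f"requester may not revoke with reason {reason}")
    serial = normalize_serial(cert["serial_number"])
    crl_code, pca_reason = REASONS[reason]
    return {
        "vault": {"path": "/v1/pki/revoke", "body": {"serial_number": serial}},
        # boto3 revoke_certificate identifies the cert by CA ARN plus serial
        # (colon-separated hex assumed here) rather than a certificate ARN.
        "pca": {"CertificateAuthorityArn": ca_arn, "CertificateSerial": serial,
                "RevocationReason": pca_reason},
        "db": {"status": "revoked", "reason": reason, "crl_reason_code": crl_code,
               "revocation_timestamp": datetime.now(timezone.utc).isoformat()},
    }
```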

6. Dashboard & Monitoring

The React dashboard provides real-time visibility into certificate inventory, expiration, and system health.

flowchart LR
    A[React Dashboard] --> B[GET /api/dashboard/stats<br/>Auth: Session token]
    B --> C[Backend queries DB:<br/>Total certificates<br/>Expiring count<br/>Recent requests<br/>Failed requests]
    C --> D[Calculate metrics:<br/>Success rate<br/>Average issuance time<br/>Health status]
    D --> E[Return JSON response:<br/>Metrics + Charts data]
    E --> F[Dashboard displays:<br/>Certificate table<br/>Expiration timeline<br/>Activity log<br/>Status indicators]
    F --> G[Auto-refresh 30s<br/>WebSocket for real-time]
    G --> H{Alert<br/>conditions?}
    H -->|Yes| I[Send notifications:<br/>Email, Slack<br/>PagerDuty for critical]
    H -->|No| J[Continue monitoring]

Dashboard Features:

  • Metrics: Total, Active, Expiring, Revoked certificates
  • Charts: Expiration timeline, Request trends, Success rate
  • Real-time: WebSocket updates every 30 seconds
  • Alerts: Email, Slack, PagerDuty integration