Skip to main content
The External Secrets Inc. Audit & Compliance product suite is a premium product. It requires a specific subscription. Contact us for more information.

Certificate Authority Verification

This policy example will check if a certificate is issued by a trusted Certificate Authority. The policy will be non-compliant if the certificate is not issued by a trusted Certificate Authority.

Policy Execution Time

This policy example should be executed on Update events.

Default Deny, Allow Case-by-Case Policy Code

package main
import rego.v1

default allow := false
ca := "base64-encoded-ca"
allow if {
    ca_list := x509cert.issuers(input.Data["ca-crt"])
    x509cert.is_issued_by_trusted_ca(ca, ca_list)
}
# If input.Data['ca-crt'] does not exist, the policy should also be compliant
allow if {
  not input.Data["ca-crt"]
}
This policy verifies that a given certificate is only issued by a trusted Certificate Authority.