Skip to main content
Deploy certificates from Infisical to a directory on a Linux server over SSH. Files are written atomically over SFTP so a reader never sees a partially written certificate or key.
Certificate Syncs are configured per Application. First select which certificates to sync, then configure the Linux Server destination.

Prerequisites

  • An SSH Connection with access to the target server
  • The destination directory must already exist on the server and the connection user must be able to write to it
  • The server must be reachable from Infisical, either directly or through an Infisical Gateway

Create a Linux Server Sync

  1. In your Application, go to the Certificate Syncs tab and click Create Sync.
  2. Select the Linux Server option.
  3. Configure the Destination:
    • SSH Connection: The SSH Connection used to reach the server.
    • Destination Directory: The absolute path to the directory where certificate files are written, for example /etc/ssl/certs.
  4. Configure the Sync Options:
    • Export Format: Choose PEM to write separate certificate, chain, and key files, or PKCS#12 to write a single password-protected .pfx bundle.
    • Certificate File Extension: For PEM, choose .pem (default) or .crt for the certificate and chain files. Both hold the same PEM-encoded content, so pick the one the consuming service expects.
    • Combine Certificate and Chain: For PEM, write the leaf certificate followed by the chain in a single file (a full-chain file, as nginx expects) and skip the separate chain file.
    • File Permissions and Private Key Permissions: Octal modes for the delivered certificate and chain files (default 644) and for the private key file (default 600).
    • Owner and Group: Optionally set the owner and group on the delivered files. Changing ownership requires the connection user to be root or to have passwordless sudo.
    • PKCS#12 Password: Required when the export format is PKCS#12. It protects the delivered bundle.
    • Include Private Key: For PEM, controls whether the private key is written alongside the certificate. The sync fails for a certificate whose key is not available, for example one issued from an external CSR.
    • Include Root CA in Certificate Chain: Include the root CA in the delivered chain. Leave it off when the consuming service only needs the intermediates.
    • Enable Removal of Certificates: Delete the delivered files from the server when a certificate is removed from the sync, revoked, or expired.
    • Certificate Name Schema: The base file name, using placeholders such as {{commonName}}, {{certificateId}}, or {{shortCertificateId}}. The export format adds the extension. A schema with no placeholder can be linked to only one certificate.
    • Auto-Sync Enabled: Automatically sync certificates when changes occur.
  5. Configure the Details:
    • Name: The name of your sync.
    • Description: Optional description.
  6. Select which certificates should be synced.
  7. Review and click Create Sync.

Export Formats

The file extension is set by the export format, not by the name schema. The name schema only provides the base file name. PEM writes the certificate, chain, and private key (when included) as separate files. The certificate and chain files use the extension you select, either .pem (default) or .crt. PKCS#12 writes a single password-protected .pfx bundle that contains the certificate, chain, and private key. For a certificate whose common name is app.example.com, synced to /etc/ssl/certs with the default {{commonName}} name schema, the delivered files are:

How It Works

When syncing certificates, Infisical opens an SSH session to the server and, for each certificate, packages it in the chosen export format and writes the resulting files to the destination directory. Files are written atomically over SFTP so a reader never sees a partially written certificate or key.

Removing Certificates

When certificate removal is enabled and a certificate is removed from the sync, revoked, or expired, Infisical deletes exactly the files it delivered for that certificate.

FAQ

No. The Linux Server sync only delivers certificates to the server. It does not read certificates back into Infisical.
The sync fails with a clear error. Create the directory and grant the connection user write access, then run the sync again.

What’s Next?

Windows Server

Deploy certificates to Windows servers over WinRM.

Auto-Renewal

Enable automatic certificate renewal and syncing.

Other Sync Destinations

View all supported sync destinations.