Push certificates from your Application to external services automatically. When paired with auto-renewal, renewed certificates are synced to their destinations — keeping your infrastructure current without manual intervention.Documentation Index
Fetch the complete documentation index at: https://infisical.com/docs/llms.txt
Use this file to discover all available pages before exploring further.
Certificate Syncs are configured per Application. Select which certificates to sync, then configure the destination.
How It Works
- Select certificates to sync from your Application
- Configure a destination using an App Connection
- Certificates are pushed to the destination automatically
- Renewals sync automatically when using server-side auto-renewal
Only certificates managed by Infisical are affected during sync operations. Certificates created directly in the destination service remain untouched.
Supported Destinations
AWS Certificate Manager
Import certificates into ACM for use with AWS services.
AWS Elastic Load Balancer
Deploy certificates directly to ALB/NLB listeners.
AWS Secrets Manager
Store certificates as secrets for application retrieval.
Azure Key Vault
Import certificates into Azure Key Vault.
Cloudflare
Deploy custom SSL certificates to Cloudflare zones.
Chef Infra
Distribute certificates via Chef data bags.
NetScaler
Deploy certificates to Citrix NetScaler ADC.
Need a destination that isn’t listed? Contact support@infisical.com to request it.
Creating a Certificate Sync
Create an App Connection
If you haven’t already, create an App Connection for your destination service. This provides the credentials needed to push certificates.
Configure the sync
In your Application, go to the Certificate Syncs tab and click Create Sync.Configure:
- Destination: Select the App Connection and target endpoint
- Certificates: Choose which certificates to sync
- Options: Configure sync behavior (see below)
Sync Options
| Option | Description |
|---|---|
| Remove on expiry | Automatically remove expired certificates from the destination |
| Include Root CA | Include the root CA certificate in the chain |
| Certificate naming | Customize how certificates are named in the destination (default: Infisical-{certificateId}) |
Some destinations don’t support automatic removal of expired certificates. Certificates managed by Infisical may be overwritten if modified directly in the destination.
What’s Next?
AWS Certificate Manager
Import certificates into ACM for AWS services.
Azure Key Vault
Store certificates in Azure Key Vault.
Alerting
Get notified about certificate lifecycle events.
Managing Certificates
View and manage certificates in your Application.