Certificate Syncs are configured per Application. First select which certificates to sync, then configure the Windows Server destination.
Prerequisites
- A Windows (WinRM) Connection with access to the target server
- An Infisical Gateway that can reach the server. Windows delivery always runs through the Gateway.
- The connection user must be able to write to the destination directory
Windows delivery runs on the Gateway, which reaches the host inside your network and runs the WinRM session on Infisical’s behalf. By default it uses HTTP with NTLM message encryption, which lets a certificate travel confidentially over the default WinRM listener without a server certificate. This is the same zero-configuration posture most Windows hosts already ship with. HTTPS is also supported.
Create a Windows Server Sync
- Infisical UI
- API
- In your Application, go to the Certificate Syncs tab and click Create Sync.
- Select the Windows Server option.
-
Configure the Destination:
- Windows (WinRM) Connection: The WinRM Connection used to reach the server.
- Destination Directory: The absolute Windows drive path where certificate files are written, for example
C:\certs. It is created if it does not exist. The path cannot contain..segments or consecutive separators.
-
Configure the Sync Options:
- Export Format: Choose PKCS#12 to write a single password-protected
.pfxbundle, or PEM to write separate certificate, chain, and key files. - Certificate File Extension: For PEM, choose
.pem(default) or.crtfor the certificate and chain files. Both hold the same PEM-encoded content, so pick the one the consuming service expects. - Combine Certificate and Chain: For PEM, write the leaf certificate followed by the chain in a single file (a full-chain file) and skip the separate chain file.
- File Permissions: Optionally grant Windows users or groups (for example a service account) Read, Modify, or Full Control on the delivered files, so you can restrict who reads the private key. Rules are added on top of the destination folder’s inherited permissions.
- PKCS#12 Password: Required when the export format is PKCS#12. It protects the delivered bundle.
- Include Private Key: For PEM, controls whether the private key is written alongside the certificate. The sync fails for a certificate whose key is not available, for example one issued from an external CSR.
- Include Root CA in Certificate Chain: Include the root CA in the delivered chain. Leave it off when the consuming service only needs the intermediates.
- Enable Removal of Certificates: Delete the delivered files from the server when a certificate is removed from the sync, revoked, or expired.
- Certificate Name Schema: The base file name, using placeholders such as
{{commonName}},{{certificateId}}, or{{shortCertificateId}}. The export format adds the extension. A schema with no placeholder can be linked to only one certificate. - Auto-Sync Enabled: Automatically sync certificates when changes occur.
- Export Format: Choose PKCS#12 to write a single password-protected
-
Configure the Details:
- Name: The name of your sync.
- Description: Optional description.
- Select which certificates should be synced.
- Review and click Create Sync.
Export Formats
The file extension is set by the export format, not by the name schema. The name schema only provides the base file name. PKCS#12 writes a single password-protected.pfx bundle that contains the certificate, chain, and private key.
PEM writes the certificate, chain, and private key (when included) as separate files. The certificate and chain files use the extension you select, either .pem (default) or .crt.
For a certificate whose common name is app.example.com, synced to C:\certs with the default {{commonName}} name schema, the delivered files are:
How It Works
When syncing certificates, Infisical asks the Gateway to open a WinRM session to the server and, for each certificate, packages it in the chosen export format and writes the resulting files to the destination directory. Files are written atomically so a reader never sees a partially written certificate or key.Removing Certificates
When certificate removal is enabled and a certificate is removed from the sync, revoked, or expired, Infisical deletes exactly the files it delivered for that certificate.Security
Delivery runs over the Gateway inside your network, so traffic never crosses the public internet, and the certificate stays encrypted in transit in both connection modes:- HTTP mode (default) encrypts the certificate on the wire with NTLM message sealing and needs no server certificate to manage. This is the zero-configuration posture most Windows hosts already ship with.
- HTTPS mode adds TLS, so the Gateway also verifies the host’s identity and encrypts the full session. Keep certificate verification enabled so it only connects to a host presenting a valid, trusted certificate.
Using Synced Certificates with IIS Centralized Certificate Store
IIS can serve a synced PKCS#12 certificate directly from a local folder through the Centralized Certificate Store (CCS). To wire this up, set the sync to deliver into the CCS folder and make the two sides agree:- Export format: PKCS#12. CCS reads
.pfxfiles only. - Destination Directory: the folder IIS CCS is configured to read.
- Certificate Name Schema: use
{{commonName}}so each file is named<hostname>.pfx. CCS matches the incoming request hostname to the file name. - PKCS#12 Password: must match the private key password configured on the IIS Centralized Certificate Store. IIS uses that one password to open every
.pfxin the folder.
.pfx. IIS is responsible for loading and serving it.
FAQ
Can I import certificates from a Windows server back into Infisical?
Can I import certificates from a Windows server back into Infisical?
No. The Windows Server sync only delivers certificates to the server. It does not read certificates back into Infisical.
What’s Next?
Linux Server
Deploy certificates to Linux servers over SSH.
Auto-Renewal
Enable automatic certificate renewal and syncing.
Other Sync Destinations
View all supported sync destinations.