The certificate inventory shows all certificates issued within your Application. From here you can inspect details, trigger renewals, revoke certificates, and export in various formats.
To issue certificates, you’ll need an enrollment method configured for your Application.

Certificate Details

Click any certificate to view its details:

| Section | What’s Included |
| --- | --- |
| Overview | Common name, status, serial number, validity period |
| Subject | DN components, Organization, OU, Country, SANs |
| Extensions | Basic constraints, Key Usage, Extended Key Usage |
| Cryptographic | Key algorithm, signature algorithm, fingerprints |
| Metadata | Custom key-value pairs for organization and tracking |

Metadata is preserved across renewals and can be used to filter the certificate list.

Actions

From the certificate details page, use the Options menu:

| Action | Description |
| --- | --- |
| Export | Download as PEM (individual files) or PKCS12 (single encrypted bundle) |
| Enable Auto-Renewal | Infisical renews automatically before expiration |
| Renew Now | Manually trigger renewal |
| Manage Syncs | Push to cloud destinations (ACM, Key Vault, etc.) |
| Revoke | Revoke with a reason code; certificate appears in CRL |
| Delete | Remove from inventory |

Issuing Certificates

Go to the Certificate Requests tab and click Request Certificate. Select a certificate profile and choose a request method:

| Method | Description |
| --- | --- |
| Managed | Infisical generates and stores the private key |
| CSR | You provide your own Certificate Signing Request |

For automated issuance, configure an enrollment method:
  • API — Direct API calls or Infisical Agent
  • ACME — Certbot, cert-manager, and ACME clients
  • EST — RFC 7030 enrollment
  • SCEP — Mobile device management (Jamf, Intune)

Renewal

| Type | How It Works |
| --- | --- |
| Client-driven | The client (Certbot, cert-manager, Infisical Agent) monitors expiration and requests renewal |
| Server-driven | Infisical automatically renews before expiration and pushes to syncs |

Server-driven renewal requires API enrollment with Infisical-managed keys. Enable it on the enrollment method or toggle it per-certificate.

Export Formats

| Format | Use Case |
| --- | --- |
| PEM | Nginx, Apache, Docker, load balancers: separate files for cert, chain, and key |
| PKCS12 | Java apps, Windows IIS, mobile apps: single encrypted file with password |

Revocation

Revoke a certificate when it’s compromised or no longer needed. Specify a reason code (key compromise, superseded, etc.). Revoked certificates are added to the issuing CA’s CRL.

Verify revocation status:

```bash
openssl verify -crl_check -CAfile chain.pem -CRLfile crl.pem cert.pem
```
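
The check above can be scripted so that a deployment step fails closed on a revoked certificate. This is an added example, not taken from the Infisical documentation: `check_revocation` wraps the `openssl verify` command shown above, while `demo_pki` and `revoke_and_publish` are hypothetical helpers that build a constructed throwaway CA with the `openssl` CLI so the check can be exercised offline.

```shell
# check_revocation CERT CA_CHAIN CRL -> 0 valid, 1 revoked, 2 any other failure
check_revocation() {
  local out
  out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1) && return 0
  case "$out" in
    *"certificate revoked"*) return 1 ;;
    *) printf '%s\n' "$out" >&2; return 2 ;;  # e.g. expired CRL, unknown issuer
  esac
}

# demo_pki DIR: constructed CA, one leaf certificate and an initial empty CRL
demo_pki() {
  local d="$1"
  mkdir -p "$d/newcerts" && : > "$d/index.txt" && echo 1000 > "$d/serial"
  cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
certificate = $d/chain.pem
private_key = $d/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[pol]
commonName = supplied
EOF
  openssl req -config "$d/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Issuing CA" -keyout "$d/ca.key" -out "$d/chain.pem" 2>/dev/null &&
  openssl req -config "$d/ca.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=app.example.test" -keyout "$d/cert.key" -out "$d/cert.csr" 2>/dev/null &&
  openssl ca -config "$d/ca.cnf" -batch -notext -in "$d/cert.csr" -out "$d/cert.pem" 2>/dev/null &&
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" 2>/dev/null
}

# revoke_and_publish DIR REASON: revoke the leaf with a reason code, reissue the CRL
revoke_and_publish() {
  openssl ca -config "$1/ca.cnf" -revoke "$1/cert.pem" -crl_reason "$2" 2>/dev/null &&
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}
```

Exit status 2 matters in practice: a stale or missing CRL is a verification failure, not proof that the certificate is still good, so treat it as a block rather than a pass.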

What’s Next?

Certificate Syncs

Push certificates to AWS ACM, Azure Key Vault, and other destinations.

Alerting

Get notified before certificates expire.

Approvals

Require human review before issuance.

Enrollment Methods

Configure how certificates are requested.