New to Certificate Manager? Start with Issue Your First Certificate.
Use the ACME enrollment method to request and renew certificates automatically using standard ACME clients. Infisical acts as an ACME server, compatible with tools like Certbot, cert-manager, and any RFC 8555-compliant client.
ACME enrollment is configured on profiles attached to your Application. Product Admins attach profiles, and Application Admins configure enrollment methods on those profiles.

When to Use ACME Enrollment

  • Web Servers: Nginx, Apache, Tomcat, and other web servers with Certbot.
  • Kubernetes: Use cert-manager to issue certificates for workloads.
  • Load Balancers: Automate certificate provisioning for HAProxy, Traefik, and others.
  • Automated Renewal: Let ACME clients handle renewal automatically before expiration.

Prerequisites

Install an ACME client on your server. The client handles domain validation challenges and certificate renewal.

Configure ACME Enrollment

1. Navigate to your Application

Go to Certificate Manager → Applications and select your Application.
2. Configure enrollment on an attached profile

Go to the Settings tab and find the Certificate Profiles section. Click Configure on the profile you want to enable ACME enrollment for.
Profiles are attached by Product Admins. If you don’t see any profiles, ask your Product Admin to attach one.
3. Add ACME enrollment

In the modal, click Add enrollment method and select ACME.
4. Configure domain validation

By default, Infisical verifies domain ownership using the HTTP-01 challenge.
Option | Description
HTTP-01 Challenge | ACME client proves domain ownership by serving a file at /.well-known/acme-challenge/
Skip Validation | Disable domain ownership validation (use for internal domains)
Only skip validation for internal domains where you trust all certificate requesters. For public-facing services, always use domain validation.
Skipping validation here is different from External ACME CA integrations. When using an external ACME CA (like Let’s Encrypt), Infisical must always complete DNS-01 challenges with the upstream CA.
5. Get ACME credentials

After saving, click Reveal ACME EAB to get the credentials your ACME client needs:
Credential | Purpose
ACME Directory URL | The server URL your ACME client connects to
EAB Key Identifier (KID) | Identifies your ACME account
EAB Secret | Authenticates your ACME client
The ACME Directory URL is unique to this Application + Profile pair. Certificates requested through this URL are associated with this Application and follow the selected profile’s policy.
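
How the KID and EAB Secret are used on the wire, as an added example (not Infisical's or Certbot's code): under RFC 8555 section 7.3.4 the client sends a MAC over its account public key, keyed by the EAB Secret and labelled with the KID, and the server checks it before creating the account. The KID, secret, JWK and URL below are constructed sample values, and the secret is assumed to be base64url-encoded, as Certbot's --eab-hmac-key expects.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed sample values, standing in for what "Reveal ACME EAB" shows.
NEW_ACCOUNT_URL = "https://acme.example.invalid/new-account"  # hypothetical URL
SAMPLE_KID = "kid-constructed-0001"
SAMPLE_SECRET = b64url(b"constructed-demo-secret-32-bytes")
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "c2FtcGxlLXg", "y": "c2FtcGxlLXk"}

def _mac(secret_b64url: str, protected: str, payload: str) -> bytes:
    signing_input = f"{protected}.{payload}".encode()
    return hmac.new(b64url_decode(secret_b64url), signing_input, hashlib.sha256).digest()

def build_eab(kid, secret_b64url, account_jwk, url):
    """Client side: MAC the ACME account public key with the EAB Secret."""
    protected = b64url(json.dumps({"alg": "HS256", "kid": kid, "url": url}).encode())
    payload = b64url(json.dumps(account_jwk).encode())
    sig = b64url(_mac(secret_b64url, protected, payload))
    return {"protected": protected, "payload": payload, "signature": sig}

def verify_eab(eab, secrets_by_kid, outer_jwk, url):
    """Server side: checks from RFC 8555 section 7.3.4 (this sketch accepts HS256 only)."""
    try:
        header = json.loads(b64url_decode(eab["protected"]))
        bound_jwk = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, TypeError, ValueError):
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    if "nonce" in header or header.get("url") != url:
        return False
    secret = secrets_by_kid.get(header.get("kid"))  # unknown KID: reject
    if secret is None:
        return False
    if not hmac.compare_digest(_mac(secret, eab["protected"], eab["payload"]), signature):
        return False
    # The MACed key must be the key that signed the outer newAccount request.
    return bound_jwk == outer_jwk

if __name__ == "__main__":
    eab = build_eab(SAMPLE_KID, SAMPLE_SECRET, SAMPLE_JWK, NEW_ACCOUNT_URL)
    print(verify_eab(eab, {SAMPLE_KID: SAMPLE_SECRET}, SAMPLE_JWK, NEW_ACCOUNT_URL))
```

Because the MAC is the only proof tying a new ACME account to this Application and profile, the EAB Secret should be stored and handled like any other credential.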

Issue a Certificate

Configure your ACME client with the credentials from the previous step.
Request a certificate using Certbot’s standalone mode:
sudo certbot certonly \
  --standalone \
  --server "<ACME Directory URL>" \
  --eab-kid "<EAB Key Identifier>" \
  --eab-hmac-key "<EAB Secret>" \
  -d api.example.com \
  --email admin@example.com \
  --agree-tos \
  --non-interactive
Certbot stores certificates in /etc/letsencrypt/live/api.example.com/:
  • fullchain.pem — Certificate + chain
  • privkey.pem — Private key
  • cert.pem — Certificate only
  • chain.pem — CA chain only
For web server integration, see the guides:

Automatic Renewal

ACME clients handle renewal automatically. Most clients (like Certbot) install a cron job or systemd timer that checks for expiring certificates and renews them.
# Test renewal (dry run)
sudo certbot renew --dry-run

# Force renewal
sudo certbot renew --force-renewal
For Kubernetes, cert-manager monitors Certificate resources and renews them automatically before expiration.

What’s Next?

  • Nginx Guide: Set up HTTPS on Nginx with Certbot.
  • Kubernetes Guide: Issue certificates for Kubernetes workloads.
  • Certificate Syncs: Push certificates to cloud destinations.
  • Alerting: Get notified when certificates are about to expire.