Skip to main content

Documentation Index

Fetch the complete documentation index at: https://infisical.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

New to Certificate Manager? Start with Issue Your First Certificate.
API enrollment is the default method for issuing certificates through the Infisical UI, the Infisical Agent, or direct API calls. It’s the most flexible option — use it for manual one-off requests, automated pipelines, or server-driven auto-renewal where Infisical manages the certificate lifecycle.
API enrollment is configured on profiles attached to your Application. Product Admins attach profiles, and Application Admins configure enrollment methods on those profiles.

When to Use API Enrollment

Custom Integrations

Build certificate issuance into your own tooling and automation.

CI/CD Pipelines

Issue certificates as part of deployment workflows.

Server-Driven Renewal

Let Infisical automatically renew certificates before expiration.

One-Off Requests

Issue certificates manually through the UI when needed.

Configure API Enrollment

1

Navigate to your Application

Go to Certificate Manager → Applications and select your Application.
2

Configure enrollment on an attached profile

Go to the Settings tab and find the Certificate Profiles section. Click Configure on the profile you want to enable API enrollment for.
Profiles are attached by Product Admins. If you don’t see any profiles, ask your Product Admin to attach one.
3

Add API enrollment

In the modal, click Add enrollment method and select API.
4

Configure auto-renewal (optional)

Enable Auto-Renewal By Default to have Infisical automatically renew certificates before expiration.
SettingDescription
Auto-RenewalWhen enabled, eligible certificates are renewed server-side
Renew Before DaysHow many days before expiration to trigger renewal
Auto-renewal only works for certificates with server-managed private keys. Certificates issued via CSR are not eligible.

Issue a Certificate

Once API enrollment is configured, you can issue certificates through the UI or API.
Certificates issued through API enrollment are tied to the Application + Profile pair. The profile determines certificate parameters (CA, policy, defaults), while the Application scopes the certificate to your service.
1

Open certificate requests

In your Application, go to the Certificate Requests tab and click Request.
2

Select profile and request method

Choose your certificate profile and request method:
MethodDescription
ManagedInfisical generates and manages the private key
CSRYou provide your own Certificate Signing Request
3

Fill in certificate details

For Managed requests:
  • Common Name and SANs
  • Key algorithm and signature algorithm
  • Validity period (TTL)
  • Optional metadata tags
For CSR requests:
  • Paste your PEM-encoded CSR
  • Specify validity period (TTL)
When using CSR, subject attributes and key algorithm are extracted from your CSR.
4

Download the certificate

After issuance, download the certificate body, chain, and private key (if managed).
The private key is only shown once. Store it securely immediately after issuance.

Server-Driven Auto-Renewal

When auto-renewal is enabled, Infisical automatically renews certificates before they expire:
  1. Infisical monitors certificate expiration dates
  2. When a certificate is within the “Renew Before Days” threshold, Infisical issues a new certificate
  3. The new certificate is pushed to any configured certificate syncs
Auto-renewal only works for certificates with server-managed keys. Certificates issued via CSR must be renewed by the client.

What’s Next?

ACME Enrollment

Use Certbot, cert-manager, or other ACME clients.

Certificate Syncs

Push certificates to AWS ACM, Azure Key Vault, and more.

Managing Certificates

View, renew, and revoke certificates in your Application.

Alerting

Get notified when certificates are about to expire.