Use the EST enrollment method to issue and renew certificates for enterprise devices, IoT systems, and secure networks. EST provides strong mutual TLS authentication and is ideal for environments where devices have pre-installed bootstrap certificates.
EST enrollment is configured on profiles attached to your Application. Product Admins attach profiles, and Application Admins configure enrollment methods on those profiles.
When to Use EST Enrollment
Enterprise Devices
Managed corporate laptops, workstations, and mobile devices.
IoT Devices
Industrial equipment, sensors, and embedded systems with factory certificates.
Network Infrastructure
Switches, routers, and other network equipment with 802.1X authentication.
Secure Environments
Environments requiring mutual TLS authentication for certificate requests.
| Endpoint | Purpose |
|---|---|
| /cacerts | Get the CA chain for certificate validation |
| /simpleenroll | Request a new certificate |
| /simplereenroll | Renew an existing certificate |
Prerequisites
Bootstrap certificates
Your devices need a pre-installed bootstrap certificate (factory/manufacturer certificate) for initial authentication.
If your devices don’t have bootstrap certificates, you can disable bootstrap validation in the EST configuration. This is less secure: the EST Passphrase then becomes the only credential, so anyone who obtains it and can reach the endpoint can enroll a certificate under the profile.
Trust Infisical's EST server
Devices must trust the TLS certificates used by Infisical’s EST server.
For Infisical Cloud, configure devices to trust Amazon root CA certificates.
Configure EST Enrollment
Configure enrollment on an attached profile
Go to the Settings tab and find the Certificate Profiles section. Click Configure on the profile you want to enable EST enrollment for.
Profiles are attached by Product Admins. If you don’t see any profiles, ask your Product Admin to attach one.
Configure EST settings
| Setting | Description |
|---|---|
| EST Passphrase | Password for client authentication (used as EST password on devices) |
| CA Chain Certificate | Certificate chain to validate device bootstrap certificates |
| Disable Bootstrap Validation | Skip bootstrap certificate validation (for devices without factory certs) |
Get EST endpoints
After saving, Infisical provides EST endpoint URLs that you can view in the enrollment configuration. The endpoints follow the EST standard paths:
- /cacerts — retrieve CA certificates
- /simpleenroll — initial enrollment
- /simplereenroll — certificate renewal
The EST endpoint URL is unique to this Application + Profile pair. Certificates requested through these endpoints are associated with this Application and follow the selected profile’s policy. EST endpoints use port 8443 and the .well-known/est path as defined in RFC 7030.
Enroll a Device
Configure your EST client with the profile ID and passphrase.
Initial Enrollment (the Certificate Renewal and Get CA Chain tabs use the /simplereenroll and /cacerts endpoints listed above)
For new devices with a bootstrap certificate:
- Configure the EST server URL: https://app.infisical.com:8443/.well-known/est/{profile-id}
- Set EST username to any value (e.g., device-001)
- Set EST password to your EST Passphrase
- Use the bootstrap/manufacturer certificate for client authentication
- Generate a CSR and call /simpleenroll
When creating PKCS#12 bundles for client certificates, include only the leaf certificate and private key (not the full chain).
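The enrollment steps above driven from a shell with openssl and curl, as an added example (this is not Infisical’s own tooling or documentation). It assumes the profile ID placeholder, the file names, an EC P-256 device key, a CA bundle path that contains the Amazon root CAs, and that the server accepts the RFC 7030 request format (base64 PKCS#10 body with Content-Type application/pkcs10, responses as base64 PKCS#7 certs-only). The PKCS#12 step follows the note above and bundles only the leaf and its key.

```shell
# Added example, not Infisical's code: EST enrollment with openssl + curl.
# Assumptions: profile id placeholder, file names, P-256 key, CA bundle path.
set -eu

EST_PROFILE_ID="${EST_PROFILE_ID:-REPLACE-WITH-PROFILE-ID}"   # hypothetical placeholder
EST_URL="https://app.infisical.com:8443/.well-known/est/${EST_PROFILE_ID}"
EST_USER="${EST_USER:-device-001}"        # any value; only the passphrase is checked
EST_PASSPHRASE="${EST_PASSPHRASE:-}"      # the profile's EST Passphrase
# Must contain the Amazon root CAs for Infisical Cloud (assumed distro bundle path).
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Generate a fresh EC key and a PKCS#10 CSR (offline). Prints the DER CSR in
# base64, which is exactly the body /simpleenroll and /simplereenroll expect.
make_csr() {
  cn="$1"; key="$2"; csr="$3"
  openssl ecparam -name prime256v1 -genkey -noout -out "$key"
  openssl req -new -key "$key" -subj "/CN=$cn" -out "$csr"
  openssl req -in "$csr" -outform DER | openssl base64
}

# Decode an EST response body (base64 PKCS#7 certs-only) into PEM certificates.
# Newlines are stripped first so wrapped and single-line base64 both decode.
pkcs7_to_pem() {
  tr -d '\r\n' | openssl base64 -d -A | openssl pkcs7 -inform DER -print_certs
}

# Number of certificates in a PEM file; used to sanity-check what came back.
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# GET /cacerts: unauthenticated, but the TLS connection must chain to a trusted root.
est_cacerts() {
  curl -sS --fail --cacert "$CA_BUNDLE" "$EST_URL/cacerts" | pkcs7_to_pem
}

# POST a CSR to /simpleenroll or /simplereenroll. HTTP Basic carries the
# passphrase; mutual TLS carries the client certificate: the factory bootstrap
# certificate for initial enrollment, the previously issued certificate for renewal.
est_post_csr() {
  endpoint="$1"; csr_b64="$2"; client_cert="$3"; client_key="$4"
  printf '%s' "$csr_b64" | curl -sS --fail --cacert "$CA_BUNDLE" \
    -X POST "$EST_URL/$endpoint" \
    -u "$EST_USER:$EST_PASSPHRASE" \
    --cert "$client_cert" --key "$client_key" \
    -H 'Content-Type: application/pkcs10' \
    -H 'Content-Transfer-Encoding: base64' \
    --data-binary @- | pkcs7_to_pem
}

# Bundle the issued leaf and its key as PKCS#12 for the client: leaf and key
# only, no -certfile/-chain, as the note above requires.
make_pkcs12() {
  key="$1"; leaf="$2"; password="$3"; out="$4"
  openssl pkcs12 -export -inkey "$key" -in "$leaf" -passout "pass:$password" -out "$out"
}

# Usage against a reachable server (set EST_PROFILE_ID and EST_PASSPHRASE first):
#   CSR_B64=$(make_csr device-001 device.key device.csr)
#   est_cacerts > ca-chain.pem
#   est_post_csr simpleenroll "$CSR_B64" bootstrap.pem bootstrap.key > device.pem
#   make_pkcs12 device.key device.pem 'p12-password' device.p12
#   # Later, before expiry, renew with the issued certificate instead of the bootstrap one:
#   est_post_csr simplereenroll "$CSR_B64" device.pem device.key > device-renewed.pem
```

Keep the issued key on the device and generate a new one for each renewal if your policy requires key rotation; the server sees only the CSR, so the private key never leaves the device. Check the count returned by count_certs on the /cacerts output against the chain you expect before trusting it for 802.1X or other validation.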
What’s Next?
SCEP Enrollment
Use SCEP for network devices and MDM systems.
Certificate Syncs
Push certificates to cloud destinations.
Alerting
Get notified when certificates are about to expire.
Managing Certificates
View and manage certificates in your Application.