Choose an Enrollment Method
API
Best for: Manual UI issuance, Infisical Agent, custom integrationsIssue certificates through the Infisical UI, Agent, or direct API calls. Supports server-driven auto-renewal.
ACME
Best for: Web servers, Kubernetes, standard toolingWorks with Certbot, cert-manager, and any ACME-compatible client.
EST
Best for: Enterprise device enrollment, IoTRFC 7030 compliant protocol for secure certificate enrollment and re-enrollment.
SCEP
Best for: MDM systems, network devicesLegacy protocol supported by Jamf, Intune, and network equipment.
Comparison
How Enrollment Works
1
Product Admin attaches a profile
A Product Admin attaches a Certificate Profile to the Application. The profile defines certificate parameters (CA, validity, constraints).
2
Configure enrollment methods on the profile
In your Application’s Settings tab, click Configure on an attached profile and add enrollment methods (API, ACME, EST, or SCEP).
3
Point your client to the endpoint
Configure your service, device, or tooling to use the enrollment endpoint provided by Infisical.
4
Request a certificate
Your client requests a certificate. Infisical validates the request against the profile’s policy and issues the certificate.
Each enrollment method is tied to a specific profile attached to the Application — meaning the enrollment URL (e.g., ACME directory) is unique to that Application + Profile pair.
After Enrollment
Once certificates are issued, you can:- View and manage certificates in your Application’s certificate inventory
- Sync certificates to external destinations like AWS ACM, Azure Key Vault, or Cloudflare
- Set up alerting to get notified before certificates expire
- Configure approval policies to require human review before issuance