Enrollment methods define how certificates are requested from your Application. Each method supports different use cases — from UI-based issuance and the Infisical Agent to standard protocols like ACME that work with existing tooling.
Choose an Enrollment Method
API
Best for: Manual UI issuance, Infisical Agent, custom integrations
Issue certificates through the Infisical UI, Agent, or direct API calls. Supports server-driven auto-renewal.
ACME
Best for: Web servers, Kubernetes, standard tooling
Works with Certbot, cert-manager, and any ACME-compatible client.
EST
Best for: Enterprise device enrollment, IoT
RFC 7030 compliant protocol for secure certificate enrollment and re-enrollment.
SCEP
Best for: MDM systems, network devices
Legacy protocol supported by Jamf, Intune, and network equipment.
Comparison
| Method | Protocol | Auto-Renewal | Domain Validation | Best For |
|---|---|---|---|---|
| API | REST/HTTP | Server-driven or client-driven | None | UI issuance, Agent, integrations |
| ACME | RFC 8555 | Client-driven | HTTP-01 | Web servers, Kubernetes |
| EST | RFC 7030 | Re-enrollment | Certificate-based | Enterprise devices |
| SCEP | Draft RFC | Re-enrollment | Challenge password | MDM, network devices |
How Enrollment Works
Product Admin attaches a profile
A Product Admin attaches a Certificate Profile to the Application. The profile defines certificate parameters (CA, validity, constraints).
Configure enrollment methods on the profile
In your Application’s Settings tab, click Configure on an attached profile and add enrollment methods (API, ACME, EST, or SCEP).
Point your client to the endpoint
Configure your service, device, or tooling to use the enrollment endpoint provided by Infisical.
Each enrollment method is tied to a specific profile attached to the Application — meaning the enrollment URL (e.g., ACME directory) is unique to that Application + Profile pair.
After Enrollment
Once certificates are issued, you can:
- View and manage certificates in your Application’s certificate inventory
- Sync certificates to external destinations like AWS ACM, Azure Key Vault, or Cloudflare
- Set up alerting to get notified before certificates expire
- Configure approval policies to require human review before issuance