Applications are where teams issue and manage certificates. Within an Application, you can:Documentation Index
Fetch the complete documentation index at: https://infisical.com/docs/llms.txt
Use this file to discover all available pages before exploring further.
- Issue certificates via API, ACME, EST, or SCEP
- Automate renewal so certificates never expire unexpectedly
- Configure alerting for expiration, issuance, and lifecycle events
- Sync certificates to AWS ACM, Azure Key Vault, Cloudflare, and other destinations
- Require approvals before high-value certificates are issued
What’s in an Application?
Members
Team members with Admin, Operator, or Auditor roles.
Enrollment Methods
How certificates are requested — API, ACME, EST, or SCEP.
Certificate Inventory
All certificates issued for this Application.
Alerting
Notifications for expiration, issuance, renewal, and revocation.
Approval Policies
Optional review workflows before certificates are issued.
Certificate Syncs
Push certificates to AWS, Azure, Cloudflare, and more.
Application Roles
Members are assigned to Applications with one of three roles:| Role | Capabilities |
|---|---|
| Admin | Full control — manage enrollment methods, members, alerting, syncs, and approval policies |
| Operator | Issue and manage certificates within the Application |
| Auditor | Read-only — view certificates and Application configuration |
Application roles are simple and direct — just add members and pick a role. Custom roles will be available in a future release.
Create an Application
Product Admins create Applications and assign team members to them. If you’re a team member waiting for access, ask your product admin to create an Application and add you.
Configure basic settings
- Name: A descriptive slug like
payments-apiordevice-fleet - Description: Optional context about this service
Attach a Certificate Profile
Select a certificate profile that defines what certificates will look like — the issuing CA, validity period, allowed domains, and constraints.
Configure enrollment
Choose how your service will request certificates:
See Enrollment Methods for detailed configuration.
| Method | Best for |
|---|---|
| API | UI issuance, Infisical Agent, custom integrations |
| ACME | Certbot, cert-manager, standard tooling |
| EST | Enterprise device enrollment |
| SCEP | Network devices, MDM systems |
FAQ
What's the difference between an Application and a Certificate Profile?
What's the difference between an Application and a Certificate Profile?
A Certificate Profile defines what certificates look like — the CA, policy, and constraints. It’s a reusable template created by product admins.An Application is where a team consumes that profile. One profile can be used by many Applications, each with their own members, enrollment methods, and alerting.
Can one service use multiple Certificate Profiles?
Can one service use multiple Certificate Profiles?
Yes. An Application can have multiple profiles attached, allowing you to issue different types of certificates (e.g., short-lived mTLS certs and longer-lived TLS certs) from the same Application.
How do I give another team access to my Application?
How do I give another team access to my Application?
Go to your Application’s Members tab and invite them with the appropriate role. They’ll only have access to this specific Application, not other Applications in your organization.
What’s Next?
Enrollment Methods
Configure how your service requests certificates.
Certificate Syncs
Push certificates to AWS ACM, Azure Key Vault, and other destinations.
Alerting
Get notified when certificates expire or lifecycle events occur.
Approval Policies
Add human review before certificates are issued.