Concept

Infisical can issue Domain Validated (DV) TLS certificates directly from GoDaddy using the GoDaddy Certificates API.
Only the single-domain DV_SSL product is supported.

Prerequisites

  • A GoDaddy App Connection with validated production API credentials.
  • An available DV SSL product in your GoDaddy account. The API consumes a product you already own; it does not purchase one (see the FAQ).
  • A certificate policy that allows an RSA key with DNS-name SANs (see Set up the certificate policy). The built-in TLS Server preset works as long as you select RSA, since GoDaddy rejects ECDSA.

Set up the certificate policy

GoDaddy needs a server-certificate policy that uses RSA. The built-in TLS Server Certificate preset allows both ECDSA and RSA, so you can start from it and select RSA, or create a custom policy in Settings → Certificate Policies → Create Policy. Either way, configure:
  • Key algorithm: RSA 2048 (RSA 3072/4096 also work), not ECDSA (the preset selects ECDSA by default)
  • Signature algorithm: RSA-SHA256
  • SAN types: DNS Name
  • Extended Key Usage: Server Authentication
  • Max validity (TTL): ≤ 1 year (~398 days)
Then create a certificate profile that references your GoDaddy CA and this policy.

Create a GoDaddy Certificate Authority

1. Create a GoDaddy App Connection

Follow the GoDaddy App Connection guide to store your GoDaddy API key and secret in Infisical.

2. Create the External CA

In Certificate Manager, go to Settings → Certificate Authorities, click Create CA in the External Certificate Authorities section, choose GoDaddy as the type, and fill out the form:
  • App Connection: the GoDaddy connection you created
  • Product: DV SSL

GoDaddy Validation Workflow

When you request a certificate through a GoDaddy CA, the request moves through these states:

| State | Description |
| --- | --- |
| Pending Validation | GoDaddy has accepted the order and returned a certificate id. Complete domain control validation (DCV) on the GoDaddy side. |
| Issued | Infisical polls GoDaddy and downloads the certificate once validation completes. Use Trigger Validation to force an immediate check. |
| Failed | GoDaddy did not issue the certificate within 24 hours. Complete validation and submit a new request. |

Domain control validation is completed on GoDaddy’s side, typically with a DNS TXT record (GoDaddy also supports an HTML file). The DNS method is recommended and also covers the www host of the common name. Add the record GoDaddy specifies to your domain’s DNS zone; once GoDaddy verifies it, the certificate is issued and Infisical downloads it automatically.

FAQ

GoDaddy’s Certificates API consumes a certificate product you already own; it does not purchase one. Buy a DV SSL certificate from GoDaddy’s SSL storefront and leave it un-set-up; the next request will claim it. A pending order holds the product, so cancel an unwanted pending order on GoDaddy’s side to return the credit to available.
GoDaddy only accepts RSA CSRs. The built-in TLS Server Certificate policy preset allows both ECDSA and RSA but defaults to ECDSA, so make sure the policy selects an RSA key algorithm (e.g. RSA 2048 / RSA-SHA256) and request again.
The supported GoDaddy DV product covers the Common Name and its www. host (GoDaddy includes the www host when you validate via DNS). Other additional domains and non-DNS SAN types (email, IP, URI) are rejected. For multiple unrelated domains use a multi-domain CA; for email/identity SANs use a private (S/MIME) CA.
Revoking in Infisical marks the certificate Revoked in the local inventory and submits a revocation request to GoDaddy, so the certificate is revoked on GoDaddy’s side too. Syncing is one-directional, though: a certificate revoked directly on GoDaddy is not reflected back into Infisical automatically.
Revoking is irreversible and burns the GoDaddy product. On revocation GoDaddy cancels the SSL credit and does not allow re-keying or reissuing, so that product cannot be reused for a new order, and a new request fails with “no available product” until you buy another. If you revoke within 30 days of purchase, contact GoDaddy support to ask about in-store credit. Only revoke when you are certain.
Renewing in Infisical calls GoDaddy’s native renew endpoint against the existing certificate rather than placing a brand-new order. GoDaddy only renews a certificate from 60 days before to 30 days after its expiry, and only then issues a replacement certificate. If you renew earlier than that window, GoDaddy keeps serving the current certificate, so the request stays in Pending Validation until GoDaddy issues the renewed certificate (or the request times out). Renewing extends validity, which on GoDaddy’s side may require an available product or a paid renewal, so make sure your account has one. As with a new order, GoDaddy may require domain control validation again before the renewed certificate is issued, after which Infisical downloads it automatically.
Cancelling a pending request in Infisical stops local tracking and marks it failed, but it does not cancel the order on GoDaddy. To free a held product credit, cancel the pending order on GoDaddy’s side.
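
The CSR constraints described above (RSA key only, DNS-name SANs only, no domain beyond the Common Name and its www host) can be checked before a request is submitted. The following is an added example, not Infisical or GoDaddy code; it uses only the Go standard library, and the function names and the example.com sample CSRs are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// checkCSR lists why a DER-encoded CSR falls outside the GoDaddy DV constraints above.
func checkCSR(der []byte) []string {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return []string{"unparseable CSR: " + err.Error()}
	}
	var problems []string
	if csr.PublicKeyAlgorithm != x509.RSA {
		problems = append(problems, "key algorithm is "+csr.PublicKeyAlgorithm.String()+", not RSA")
	}
	if len(csr.IPAddresses)+len(csr.EmailAddresses)+len(csr.URIs) > 0 {
		problems = append(problems, "non-DNS SAN present")
	}
	cn := csr.Subject.CommonName
	for _, name := range csr.DNSNames {
		if name != cn && name != "www."+cn { // only the CN and its www host are covered
			problems = append(problems, "additional domain: "+name)
		}
	}
	return problems
}

// buildCSR makes a constructed sample CSR; names[0] becomes the Common Name.
func buildCSR(key any, emails []string, names ...string) []byte {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: names[0]}, DNSNames: names, EmailAddresses: emails}
	der, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, key) // sample only: a nil result fails parsing
	return der
}

// demo checks one conforming and one non-conforming constructed CSR.
func demo() (good, bad []string) {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return checkCSR(buildCSR(rsaKey, nil, "example.com", "www.example.com")),
		checkCSR(buildCSR(ecKey, []string{"ops@example.com"}, "example.com", "api.example.net"))
}

func main() { fmt.Println(demo()) }
```

The RSA CSR for example.com with its www host returns no problems; the ECDSA CSR is flagged for its key algorithm, its email SAN, and the unrelated domain.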

What’s Next

Now that your GoDaddy CA is configured, set up the infrastructure to issue certificates:

Certificate Profiles

Create a profile that references your GoDaddy CA (with an RSA-capable policy).

Applications

Create an Application, attach a profile, and configure enrollment.

Enrollment Methods

Choose how certificates are requested: API, ACME, EST, or SCEP.

Quick Start

Issue your first certificate end-to-end.