A Certificate Authority (CA) is the entity that signs and issues X.509 certificates. Before teams can issue certificates through Applications, product admins need to configure at least one CA. Certificate Manager supports two types of CAs:

Private CA

Managed by Infisical

Create root and intermediate CAs directly in Infisical. Ideal for internal services, mTLS, and private networks where public trust isn’t required.

External CA

Integrated with Infisical

Connect to public CAs (Let’s Encrypt, DigiCert) or enterprise PKI (AWS PCA, Azure ADCS, Venafi). Use existing infrastructure or issue publicly trusted certificates.

Which Should I Use?

| Use Case | Recommended CA |
| --- | --- |
| Internal services, mTLS between microservices | Private CA |
| Public-facing websites needing browser trust | External CA (Let’s Encrypt, DigiCert) |
| Enterprise with existing PKI infrastructure | External CA (AWS PCA, Azure ADCS, Venafi) |
| IoT devices, internal device fleet | Private CA |
| Regulated environments with specific CA requirements | External CA (your approved provider) |

Private CA Hierarchy

When using Private CAs, you typically create a hierarchy:

Root CA (offline, long-lived)
└── Intermediate CA (online, issues certificates)
    └── Leaf Certificates (TLS, mTLS, devices)

Best practice: Keep your Root CA offline or with minimal usage. Create one or more Intermediate CAs to issue day-to-day certificates. This limits exposure if an Intermediate CA is compromised.
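
The hierarchy above, rebuilt with OpenSSL as an added example (this is not Infisical's code or API). It shows a relying party that trusts only the root accepting the leaf when the intermediate is supplied and rejecting it when it is not. Every CN, file name, the `pki.cnf` layout, the validity periods and the `pathlen:0` constraint are assumptions chosen for illustration.

```shell
# Added example, not Infisical code. All CNs, file names and lifetimes are constructed.
# Key pair plus CSR. $1 = file stem, $2 = subject common name.
csr() {
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# Sign $1.csr using extension section $2 for $3 days; remaining args select the signer.
sign() {
  stem=$1; ext=$2; days=$3; shift 3
  openssl x509 -req -in "$stem.csr" -out "$stem.crt" -days "$days" \
    -extfile pki.cnf -extensions "$ext" "$@" 2>/dev/null
}

# Build Root -> Intermediate -> Leaf in directory $1 (subshell body keeps the caller's cwd).
build_chain() (
  mkdir -p "$1" && cd "$1" || exit 1
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = Common Name
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[int_ext]
# pathlen:0: this CA may sign leaf certificates but no further CAs
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
subjectAltName = DNS:svc.internal.example
EOF
  csr root "Example Root CA"         && sign root root_ext 3650 -signkey root.key &&
  csr int  "Example Intermediate CA" && sign int int_ext 1825 -CA root.crt -CAkey root.key -CAcreateserial &&
  csr leaf "svc.internal.example"    && sign leaf leaf_ext 90 -CA int.crt -CAkey int.key -CAcreateserial
)

# Relying party trusts only the root and receives the intermediate alongside the leaf.
verify_with_intermediate() { openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt" >/dev/null 2>&1; }
# Same trust store, intermediate withheld: path building cannot reach the root.
verify_without_intermediate() { openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1; }

demo=$(mktemp -d) && build_chain "$demo" && verify_with_intermediate "$demo" &&
  echo "leaf chains to root via intermediate"
```

After the intermediate is signed, `root.key` is not needed again for day-to-day issuance, which is what allows it to be kept offline.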

External CA Integrations

Infisical integrates with major public and private CA providers:

Let's Encrypt

Free, automated, publicly trusted certificates.

DigiCert

Enterprise-grade public and private certificates.

AWS PCA

Private CA managed in AWS.

Azure ADCS

Active Directory Certificate Services.

Venafi

Enterprise certificate lifecycle management.

ACME CAs

Any ACME-compatible CA.

View all External CA integrations →

Next Steps

1. Create or connect a CA

Set up a Private CA or connect an External CA.

2. Create a Certificate Policy

Define the rules for certificates: allowed domains, validity periods, key algorithms.

Certificate Policies →

3. Create a Certificate Profile

Combine your CA with a policy to create a reusable profile that teams can consume.

Certificate Profiles →