This page is for product admins setting up PKI infrastructure. Teams issuing certificates should see Applications.
How It Works
- Create a Root CA — Or use an existing external root CA
- Create Intermediate CA(s) — Chain them to your root CA
- Create Certificate Profiles — Link CAs to policies for teams to use
- Create Applications — Assign profiles to Applications for teams
You can execute this workflow via the UI or API. For API workflows, you may need to create CSRs and import certificates manually.
Create a CA Hierarchy
Create a simple Private CA hierarchy with a root CA and intermediate CA.- Infisical UI
- API
Create a root CA
If you have an existing external root CA, skip to step 2.Go to Certificate Manager → Certificate Authorities → Internal and click Create CA.Set the CA Type to Root and fill out details for the root CA:
- Valid Until: The date until which the CA is valid in the date time string format specified here. For example, the following formats would be valid:
YYYY,YYYY-MM,YYYY-MM-DD,YYYY-MM-DDTHH:mm:ss.sssZ. - Path Length: The maximum number of intermediate CAs that can be chained to this CA. A path of
-1implies no limit; a path of0implies no intermediate CAs can be chained. - Key Algorithm: The type of public key algorithm and size, in bits, of the key pair that the CA creates when it issues a certificate. Supported key algorithms are
RSA 2048,RSA 4096,ECDSA P-256, andECDSA P-384with the default beingRSA 2048. - Key Source: Where the CA’s signing key is generated and stored. Infisical (the default) generates and manages the key for you. HSM generates the key inside your own Hardware Security Module through an HSM Connector, and every signing operation the CA performs runs on the HSM. See HSM-backed Internal CAs below.
- HSM Connector: The HSM Connector Infisical uses to reach your HSM. Shown only when Key Source is HSM. With an HSM key source the algorithm choices stay limited to
RSA 2048,RSA 4096,ECDSA P-256, andECDSA P-384. - Name: A slug-friendly name for the CA.
- Organization (O): The organization name.
- Country (C): The country code.
- State or Province Name: The state or province.
- Locality Name: The city or locality.
- Common Name: The name of the CA.
The Organization, Country, State or Province Name, Locality Name, and Common Name make up the Distinguished Name (DN) or subject of the CA.
At least one of these fields must be filled out.
Creating an intermediate CA
To create an intermediate CA, press Create CA again but this time specifying the CA Type to be Intermediate. Fill out the details for the intermediate CA.Next, press the Install CA Certificate option on the intermediate CA. You will be presented with the installation method selector. Choose how the signing certificate should be issued:
- Infisical CA
- Manual
- External CA
Select Infisical CA and press Continue. This option chains the intermediate CA to a root or intermediate CA managed by Infisical.Set the Parent CA to the root CA created in step 1 and configure:
- Parent CA: The parent CA to chain to (the root CA from step 1).
- Valid Until: Must be within the validity period of the parent CA.
- Path Length: Must be less than the parent CA’s path length.
HSM-backed Internal CAs
By default, Infisical generates and manages the signing key for an Internal CA. You can instead keep the CA’s signing key inside your own Hardware Security Module. When Key Source is set to HSM, Infisical generates the keypair on the HSM through an HSM Connector and performs every signing operation the CA does on the HSM. That covers the self-signed root certificate, intermediate CSRs, the certificates the CA issues, and its CRLs. Both root and intermediate CAs can be HSM-backed. HSM-backed CAs support theRSA 2048, RSA 4096, ECDSA P-256, and ECDSA P-384 key algorithms.
Set up an HSM Connector before creating an HSM-backed CA. Creating one requires the Attach permission on HSM Connectors in addition to permission to create Certificate Authorities.
keySource to hsm and supply the hsmConnectorId in the request.
Request
FAQ
What key algorithms are supported?
What key algorithms are supported?
Infisical supports
RSA 2048, RSA 4096, ECDSA P-256, ECDSA P-384 key algorithms specified at the time of creating a CA.Does Infisical support chaining an Intermediate CA to an external CA?
Does Infisical support chaining an Intermediate CA to an external CA?
Yes. You can either manually obtain a CSR and import the signed certificate, or use an integrated external CA provider like Venafi TLS Protect Cloud or Microsoft ADCS to automate the signing process.
Can the CA signing key be kept in my own HSM?
Can the CA signing key be kept in my own HSM?
Yes. Set Key Source to HSM when creating the CA and pick an HSM Connector. The keypair is generated on your HSM and every signing operation the CA performs runs there. Both root and intermediate CAs support this. Supported algorithms are
RSA 2048, RSA 4096, ECDSA P-256, and ECDSA P-384. See HSM-backed Internal CAs.What’s Next?
CA Renewal
Renew your CA certificates before they expire.
CRL Distribution Points
Configure CRL mirrors for high availability.
Certificate Profiles
Link your CA to a policy and create reusable profiles.
Applications
Set up Applications to issue certificates.
HSM Connectors
Keep the CA signing key inside your own Hardware Security Module.