Skip to main content
Build your Internal PKI through a Private Certificate Authority (CA) hierarchy. This allows you to issue and manage X.509 certificates for internal services without relying on external CAs.
This page is for product admins setting up PKI infrastructure. Teams issuing certificates should see Applications.

How It Works

  1. Create a Root CA — Or use an existing external root CA
  2. Create Intermediate CA(s) — Chain them to your root CA
  3. Create Certificate Profiles — Link CAs to policies for teams to use
  4. Create Applications — Assign profiles to Applications for teams
You can execute this workflow via the UI or API. For API workflows, you may need to create CSRs and import certificates manually.

Create a CA Hierarchy

Create a simple Private CA hierarchy with a root CA and intermediate CA.
1

Create a root CA

If you have an existing external root CA, skip to step 2.Go to Certificate Manager → Certificate Authorities → Internal and click Create CA.Set the CA Type to Root and fill out details for the root CA:
  • Valid Until: The date until which the CA is valid in the date time string format specified here. For example, the following formats would be valid: YYYY, YYYY-MM, YYYY-MM-DD, YYYY-MM-DDTHH:mm:ss.sssZ.
  • Path Length: The maximum number of intermediate CAs that can be chained to this CA. A path of -1 implies no limit; a path of 0 implies no intermediate CAs can be chained.
  • Key Algorithm: The type of public key algorithm and size, in bits, of the key pair that the CA creates when it issues a certificate. Supported key algorithms are RSA 2048, RSA 4096, ECDSA P-256, and ECDSA P-384 with the default being RSA 2048.
  • Key Source: Where the CA’s signing key is generated and stored. Infisical (the default) generates and manages the key for you. HSM generates the key inside your own Hardware Security Module through an HSM Connector, and every signing operation the CA performs runs on the HSM. See HSM-backed Internal CAs below.
  • HSM Connector: The HSM Connector Infisical uses to reach your HSM. Shown only when Key Source is HSM. With an HSM key source the algorithm choices stay limited to RSA 2048, RSA 4096, ECDSA P-256, and ECDSA P-384.
  • Name: A slug-friendly name for the CA.
  • Organization (O): The organization name.
  • Country (C): The country code.
  • State or Province Name: The state or province.
  • Locality Name: The city or locality.
  • Common Name: The name of the CA.
The Organization, Country, State or Province Name, Locality Name, and Common Name make up the Distinguished Name (DN) or subject of the CA. At least one of these fields must be filled out.
2

Creating an intermediate CA

To create an intermediate CA, press Create CA again but this time specifying the CA Type to be Intermediate. Fill out the details for the intermediate CA.Next, press the Install CA Certificate option on the intermediate CA. You will be presented with the installation method selector. Choose how the signing certificate should be issued:
Select Infisical CA and press Continue. This option chains the intermediate CA to a root or intermediate CA managed by Infisical.Set the Parent CA to the root CA created in step 1 and configure:
  • Parent CA: The parent CA to chain to (the root CA from step 1).
  • Valid Until: Must be within the validity period of the parent CA.
  • Path Length: Must be less than the parent CA’s path length.
Press Install to chain the intermediate CA to the root CA. This creates a CSR, signs it with the root CA, and imports the certificate.You’ve successfully created a Private CA hierarchy. Now check out the Applications section to learn more about issuing certificates.

HSM-backed Internal CAs

By default, Infisical generates and manages the signing key for an Internal CA. You can instead keep the CA’s signing key inside your own Hardware Security Module. When Key Source is set to HSM, Infisical generates the keypair on the HSM through an HSM Connector and performs every signing operation the CA does on the HSM. That covers the self-signed root certificate, intermediate CSRs, the certificates the CA issues, and its CRLs. Both root and intermediate CAs can be HSM-backed. HSM-backed CAs support the RSA 2048, RSA 4096, ECDSA P-256, and ECDSA P-384 key algorithms.
Set up an HSM Connector before creating an HSM-backed CA. Creating one requires the Attach permission on HSM Connectors in addition to permission to create Certificate Authorities.
To create an HSM-backed CA over the API, set keySource to hsm and supply the hsmConnectorId in the request.
Request
curl --location --request POST 'https://app.infisical.com/api/v1/cert-manager/ca/internal' \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data-raw '{
      "type": "root",
      "commonName": "My HSM Root CA",
      "keyAlgorithm": "ECDSA_P384",
      "keySource": "hsm",
      "hsmConnectorId": "<hsm-connector-id>"
  }'

FAQ

Infisical supports RSA 2048, RSA 4096, ECDSA P-256, ECDSA P-384 key algorithms specified at the time of creating a CA.
Yes. You can either manually obtain a CSR and import the signed certificate, or use an integrated external CA provider like Venafi TLS Protect Cloud or Microsoft ADCS to automate the signing process.
Yes. Set Key Source to HSM when creating the CA and pick an HSM Connector. The keypair is generated on your HSM and every signing operation the CA performs runs there. Both root and intermediate CAs support this. Supported algorithms are RSA 2048, RSA 4096, ECDSA P-256, and ECDSA P-384. See HSM-backed Internal CAs.

What’s Next?

CA Renewal

Renew your CA certificates before they expire.

CRL Distribution Points

Configure CRL mirrors for high availability.

Certificate Profiles

Link your CA to a policy and create reusable profiles.

Applications

Set up Applications to issue certificates.

HSM Connectors

Keep the CA signing key inside your own Hardware Security Module.