- Create an AWS Connection
The AWS Certificate Manager Certificate Sync requires the following ACM permissions to be set on the IAM user/role
for Infisical to sync certificates to AWS Certificate Manager:
acm:ListCertificates, acm:DescribeCertificate, acm:ImportCertificate, acm:DeleteCertificate, and acm:ListTagsForCertificate. These permissions allow Infisical to list, import, tag, and manage certificates in your AWS Certificate Manager service. Certificates synced to AWS Certificate Manager will be stored as imported
certificates, preserving both the certificate and private key components.
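The following IAM policy document is an added example of how the permissions listed above can be granted with least privilege; it is not taken from the Infisical documentation or code base. It grants exactly the five ACM actions named on this page. The region `us-east-1` and account `123456789012` are placeholders you must replace. The last statement is an optional hardening and rests on two assumptions: that the sync's identifying tag is keyed `InfisicalCertificate` (the page names the tag but not its exact key/value layout), and that ACM honours the `aws:ResourceTag` condition key on `acm:DeleteCertificate`, so the sync can only delete certificates it tagged itself and never a certificate that a human imported by hand.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "InfisicalAcmSyncList",
      "Effect": "Allow",
      "Action": "acm:ListCertificates",
      "Resource": "*"
    },
    {
      "Sid": "InfisicalAcmSyncImportAndInspect",
      "Effect": "Allow",
      "Action": [
        "acm:DescribeCertificate",
        "acm:ImportCertificate",
        "acm:ListTagsForCertificate"
      ],
      "Resource": "arn:aws:acm:us-east-1:123456789012:certificate/*"
    },
    {
      "Sid": "InfisicalAcmSyncDeleteOnlyTaggedCertificates",
      "Effect": "Allow",
      "Action": "acm:DeleteCertificate",
      "Resource": "arn:aws:acm:us-east-1:123456789012:certificate/*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/InfisicalCertificate": "*"
        }
      }
    }
  ]
}
```

`acm:ListCertificates` is an account-level action and needs `Resource: "*"`; the remaining actions are scoped to the region you select as the sync destination so the credential cannot touch certificates elsewhere. `acm:ImportCertificate` is kept unconditioned because the Preserve ARN on Renewal option reimports over an existing ARN, and a tag condition on that call could block renewals. If you do not enable removal of expired/revoked certificates, drop the `acm:DeleteCertificate` statement entirely.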
Infisical UI
1. Navigate to Project > Integrations > Certificate Syncs and press Add Sync.
2. Select the AWS Certificate Manager option.
3. Configure the Destination to where certificates should be deployed, then click Next.
   - AWS Connection: The AWS Connection to authenticate with.
   - AWS Region: The AWS region where certificates should be stored.
4. Configure the Sync Options to specify how certificates should be synced, then click Next.
   - Enable Removal of Expired/Revoked Certificates: If enabled, Infisical will remove certificates from the destination if they are no longer active in Infisical.
   - Preserve ARN on Renewal: If enabled, Infisical will sync renewed certificates to the destination under the same ARN as the original synced certificate instead of creating a new certificate with a new ARN.
   - Include Root CA: If enabled, the Root CA certificate will be included in the certificate chain when syncing to AWS Certificate Manager. If disabled, only intermediate certificates will be included.
   - Certificate Name Schema (Optional): Customize how certificate names and tags are generated in AWS Certificate Manager. Must include {{certificateId}} as a placeholder for the certificate ID so that Infisical can identify and manage each synced certificate. If not specified, defaults to Infisical-{{certificateId}}.
   - Auto-Sync Enabled: If enabled, certificates will automatically be synced when changes occur. Disable to enforce manual syncing only.
5. Configure the Details of your AWS Certificate Manager Certificate Sync, then click Next.
   - Name: The name of your sync. Must be slug-friendly.
   - Description: An optional description for your sync.
6. Select which certificates should be synced to AWS Certificate Manager.
7. Review your AWS Certificate Manager Certificate Sync configuration, then click Create Sync.
8. If Auto-Sync is enabled, your AWS Certificate Manager Certificate Sync will begin syncing your certificates to the destination.
Certificate Management
Your AWS Certificate Manager Certificate Sync will:
- Automatic Deployment: Deploy certificates in Infisical to AWS Certificate Manager.
- Certificate Updates: Update certificates in AWS Certificate Manager when renewals occur.
- Expiration Handling: Optionally remove expired certificates from AWS Certificate Manager (if enabled).
- Tagging: Automatically tag certificates with an InfisicalCertificate tag for easy identification and management.
AWS Certificate Manager Certificate Syncs support both automatic and manual
synchronization modes. When auto-sync is enabled, certificates are
automatically deployed as they are issued or renewed.
Manual Certificate Sync
You can manually trigger certificate synchronization to AWS Certificate Manager using the sync certificates functionality. This is useful for:
- Initial setup when you have existing certificates to deploy
- One-time sync of specific certificates
- Testing certificate sync configurations
- Forcing a sync after making changes
The sync is one-way: certificates cannot be imported from AWS Certificate Manager back into
Infisical, because ACM does not expose the private key of an imported certificate, so there is
no way to recover the key material. Only certificates imported into ACM (not certificates
issued by ACM itself) can be managed by the sync.