Prerequisites:
The AWS Certificate Manager Certificate Sync requires the following ACM permissions on the IAM user or role that Infisical uses to sync certificates to AWS Certificate Manager: acm:ListCertificates, acm:DescribeCertificate, acm:ImportCertificate, acm:DeleteCertificate, and acm:ListTagsForCertificate. These permissions allow Infisical to list, import, tag, and manage certificates in your AWS Certificate Manager service.
Certificates synced to AWS Certificate Manager will be stored as imported certificates, preserving both the certificate and private key components.
  1. Navigate to Project > Integrations and select the Certificate Syncs tab. Click on the Add Sync button.
  2. Select the AWS Certificate Manager option.
  3. Configure the Source from where certificates should be retrieved, then click Next.
    • PKI Subscriber: The PKI subscriber to retrieve certificates from.
  4. Configure the Destination to where certificates should be deployed, then click Next.
    • AWS Connection: The AWS Connection to authenticate with.
    • AWS Region: The AWS region where certificates should be stored.
  5. Configure the Sync Options to specify how certificates should be synced, then click Next.
    • Auto-Sync Enabled: If enabled, certificates will automatically be synced from the source PKI subscriber when changes occur. Disable to enforce manual syncing only.
    • Enable Certificate Removal: If enabled, Infisical will remove expired certificates from the destination during sync operations. Disable this option if you intend to manage certificate cleanup manually.
    • Certificate Name Schema (Optional): Customize how certificate tags are generated in AWS Certificate Manager. Must include {{certificateId}} as a placeholder for the certificate ID to ensure proper certificate identification and management. If not specified, defaults to Infisical-{{certificateId}}.
AWS Certificate Manager Certificate Limits: AWS Certificate Manager has limits on the number of certificates per account and region. Refer to AWS documentation for current limits. Deleted certificates count toward your quota until they are permanently purged by AWS (typically after 30 days).
  6. Configure the Details of your AWS Certificate Manager Certificate Sync, then click Next.
    • Name: The name of your sync. Must be slug-friendly.
    • Description: An optional description for your sync.
  7. Review your AWS Certificate Manager Certificate Sync configuration, then click Create Sync.
  8. If Auto-Sync is enabled, your AWS Certificate Manager Certificate Sync will begin syncing your certificates to the destination endpoint.

Certificate Management

Your AWS Certificate Manager Certificate Sync will:
  • Automatic Deployment: Deploy new certificates issued by your PKI subscriber to AWS Certificate Manager
  • Certificate Updates: Update certificates in AWS Certificate Manager when renewals occur
  • Expiration Handling: Optionally remove expired certificates from AWS Certificate Manager (if enabled)
  • Tagging: Automatically tag certificates with an InfisicalCertificate tag for easy identification and management
AWS Certificate Manager Certificate Syncs support both automatic and manual synchronization modes. When auto-sync is enabled, certificates are automatically deployed as they are issued or renewed.
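As an added example (not Infisical's code), here is a Python audit that reads an ACM region with the same three read permissions listed in the prerequisites and checks what the sync described above should have produced: that every Infisical-tagged certificate is an imported one whose name follows the configured Certificate Name Schema, and which managed certificates have already expired (worth watching when Certificate Removal is disabled). It assumes the InfisicalCertificate tag value carries the generated name, which the page does not state, and uses a constructed stand-in for the boto3 ACM client so it runs offline.

```python
import re
from datetime import datetime, timezone
TAG_KEY = "InfisicalCertificate"                # tag the page says the sync applies
DEFAULT_SCHEMA = "Infisical-{{certificateId}}"  # default name schema from the page

def schema_to_regex(schema):
    """Compile a name schema into a regex; text around {{certificateId}} is matched literally."""
    if "{{certificateId}}" not in schema:
        raise ValueError("schema must include {{certificateId}}")
    head, tail = schema.split("{{certificateId}}", 1)
    return re.compile(f"^{re.escape(head)}(?P<cert_id>[0-9A-Za-z-]+){re.escape(tail)}$")

def audit_acm(acm, schema=DEFAULT_SCHEMA, now=None):
    """Classify every certificate in the region using only the read calls the sync needs.
    Buckets: managed (tagged, IMPORTED, name matches schema), expired (managed but past
    NotAfter, so removal is off or has not run), unmanaged (no tag), malformed (bad tag)."""
    now = now or datetime.now(timezone.utc)
    pattern = schema_to_regex(schema)
    report = {"managed": [], "expired": [], "unmanaged": [], "malformed": []}
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            arn = summary["CertificateArn"]
            cert = acm.describe_certificate(CertificateArn=arn)["Certificate"]
            tags = {t["Key"]: t.get("Value", "") for t in acm.list_tags_for_certificate(CertificateArn=arn)["Tags"]}
            if TAG_KEY not in tags:
                report["unmanaged"].append(arn)
            elif cert.get("Type") != "IMPORTED" or not pattern.match(tags[TAG_KEY]):
                report["malformed"].append(arn)      # tagged, yet not something the sync would have written
            else:
                report["managed"].append(arn)
                if cert["NotAfter"] < now:
                    report["expired"].append(arn)
    return report

class FakeACM:  # constructed offline stand-in for boto3.client("acm"); pass the real client instead
    def __init__(self, certs): self.certs = certs   # arn -> {"Type", "NotAfter", "Tags"}
    def get_paginator(self, name): return self
    def paginate(self): yield {"CertificateSummaryList": [{"CertificateArn": a} for a in self.certs]}
    def describe_certificate(self, CertificateArn): return {"Certificate": self.certs[CertificateArn]}
    def list_tags_for_certificate(self, CertificateArn):
        return {"Tags": [{"Key": k, "Value": v} for k, v in self.certs[CertificateArn]["Tags"].items()]}

# Constructed sample inventory (placeholder account ID and ARNs, not taken from the page).
ARN = "arn:aws:acm:us-east-1:111122223333:certificate/"
OLD, NEW = datetime(2024, 1, 1, tzinfo=timezone.utc), datetime(2099, 1, 1, tzinfo=timezone.utc)
SAMPLE = FakeACM({
    ARN + "aaa1": {"Type": "IMPORTED", "NotAfter": NEW, "Tags": {TAG_KEY: "Infisical-aaa1"}},
    ARN + "bbb2": {"Type": "IMPORTED", "NotAfter": OLD, "Tags": {TAG_KEY: "Infisical-bbb2"}},
    ARN + "ccc3": {"Type": "AMAZON_ISSUED", "NotAfter": NEW, "Tags": {"Name": "alb-cert"}},
    ARN + "ddd4": {"Type": "IMPORTED", "NotAfter": NEW, "Tags": {TAG_KEY: "web-cert"}},
})
```

Against a real account, replace SAMPLE with boto3.client("acm", region_name=...) and run the audit under the same IAM role the sync uses; anything in the malformed or expired buckets is worth a look.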

Manual Certificate Sync

You can manually trigger certificate synchronization from your PKI subscriber to AWS Certificate Manager using the sync certificates functionality. This is useful for:
  • Initial setup when you have existing certificates to deploy
  • One-time sync of specific certificates
  • Testing certificate sync configurations
  • Forcing a sync after making changes
To manually sync certificates, use the Sync Certificates API endpoint or the manual sync option in the Infisical UI.
AWS Certificate Manager does not support importing certificates back into Infisical, because private keys cannot be extracted from AWS Certificate Manager. Only certificates imported into ACM (not AWS-issued certificates) can be managed by the sync.