Certificate Syncs enable you to sync certificates from Infisical PKI to third-party services using App Connections.
Certificate Syncs are designed to automatically deploy certificates issued by your Certificate Authority to external services, ensuring your certificates are always up-to-date across your infrastructure.

Concept

Certificate Syncs are a project-level resource used to sync certificates, via an App Connection, from a particular PKI subscriber (source) to a third-party service (destination). When new certificates are issued or existing certificates are renewed, changes will automatically be propagated to the destination, ensuring your certificates are always current.

Workflow

Configuring a Certificate Sync requires three components: a source PKI subscriber to retrieve certificates from, a destination endpoint to deploy certificates to, and configuration options to determine how your certificates should be synced.
For step-by-step guides on syncing to a particular third-party service, refer to the Certificate Syncs section in the Navigation Bar.
Follow these steps to start syncing:
  1. Create App Connection: If you have not already done so, create an App Connection via the UI or API for the third-party service you intend to sync certificates to.
  2. Create Certificate Sync: Configure a Certificate Sync in the desired project by specifying the following parameters via the UI or API:
    • Source: The PKI subscriber you wish to retrieve certificates from.
    • Destination: The App Connection to utilize and the destination endpoint to deploy certificates to. These can vary between services.
    • Options: Customize how certificates should be synced, including:
      • Whether certificates should be removed from the destination when they expire
      • Certificate naming schema to control how certificate names are generated in the destination
Only certificates managed by Infisical will be affected during sync operations. Certificates not created or managed by Infisical will remain untouched, and changes made to Infisical-managed certificates directly in the destination service may be overwritten by future syncs.
Some third-party services do not support removing expired certificates automatically.
  3. Utilize Sync: Any certificates newly issued or renewed by the source PKI subscriber will now automatically be propagated to the destination endpoint.
Infisical is continuously expanding its Certificate Sync third-party service support. If the service you need isn’t available, contact us at [email protected] to make a request.

Certificate Naming

Certificate Syncs support flexible certificate naming through configurable naming schemas. This allows you to customize how certificate names appear in your destination services.

Default Naming

By default, certificates are named using the pattern Infisical-{certificateId}, where {certificateId} is the unique identifier of the certificate with hyphens removed for compatibility with services like Azure Key Vault.

Custom Naming Schema

You can customize certificate naming by providing a Certificate Name Schema when creating or updating a Certificate Sync. The schema supports the following placeholders:
  • {{certificateId}} - The unique certificate identifier (required)
Examples:
  • myapp-{{certificateId}} → myapp-abc123def456
  • ssl/{{certificateId}} → ssl/abc123def456
Rules:
  • Must include exactly one {{certificateId}} placeholder
  • Only alphanumeric characters, dashes (-), underscores (_), and slashes (/) are allowed
  • Certificate names matching your schema will be managed by Infisical during sync operations
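The rules above can be checked before a schema is submitted, and because names matching the schema are treated as managed, it helps to see which names already in a destination a schema would cover. The following is an added example, not Infisical's own code: the function names and the sample inventory are made up for illustration. It assumes certificate ids are alphanumeric once hyphens are removed and that custom schemas render ids the same way as the default naming.

```python
import re

PLACEHOLDER = "{{certificateId}}"
LITERAL_OK = re.compile(r"[A-Za-z0-9_/-]*")  # characters the rules allow

def schema_errors(schema):
    """Return the rule violations for a naming schema (empty list = valid)."""
    errors = []
    if schema.count(PLACEHOLDER) != 1:
        errors.append("needs exactly one {{certificateId}} placeholder")
    # Everything outside the placeholder must use the allowed characters.
    if not LITERAL_OK.fullmatch(schema.replace(PLACEHOLDER, "")):
        errors.append("only alphanumerics, '-', '_' and '/' are allowed")
    return errors

def render_name(schema, certificate_id):
    """Build the destination name; hyphens are stripped from the id
    (assumption: same normalisation as the default naming)."""
    if schema_errors(schema):
        raise ValueError(f"invalid schema: {schema!r}")
    return schema.replace(PLACEHOLDER, certificate_id.replace("-", ""))

def names_in_scope(schema, destination_names):
    """Names in the destination that fit the schema, i.e. candidates for
    being treated as managed. Assumes ids are alphanumeric once rendered."""
    if schema_errors(schema):
        raise ValueError(f"invalid schema: {schema!r}")
    prefix, suffix = schema.split(PLACEHOLDER)
    pattern = re.compile(re.escape(prefix) + r"[A-Za-z0-9]+" + re.escape(suffix))
    return [n for n in destination_names if pattern.fullmatch(n)]

# Constructed inventory of certificate names already present in a destination.
EXISTING = ["myapp-abc123def456", "legacy-wildcard", "ssl/prod", "vendorcert01"]

if __name__ == "__main__":
    for schema in ("myapp-{{certificateId}}", "{{certificateId}}",
                   "my app-{{certificateId}}"):
        problems = schema_errors(schema)
        print(schema, "->", problems or names_in_scope(schema, EXISTING))
```

A schema with a distinctive prefix covers only the one matching name in the sample inventory, while the bare `{{certificateId}}` schema also covers `vendorcert01`, a name that was not produced by a sync.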

Certificate Management

Certificate Syncs handle the full lifecycle of certificate management:
  • Automatic Deployment: New certificates are automatically deployed to configured destinations
  • Renewal Propagation: Certificate renewals are seamlessly pushed to all connected services
  • Expiration Handling: Expired certificates can be automatically removed from destinations (service-dependent)
  • Certificate Validation: Certificates are validated before deployment to ensure integrity