Certificate Syncs enable you to push certificates from Infisical to third-party services using App Connections.
Certificate Syncs are designed to automatically deploy certificates issued by your Certificate Authority to external services, ensuring your certificates are always up-to-date across your infrastructure.

Concept

Certificate Syncs are a project-level resource used to push certificates, via an App Connection, from Infisical to a third-party service (destination). When paired with server-side auto-renewal, renewed certificates are automatically synced to the destination, ensuring your certificates stay current.

Workflow

Configuring a Certificate Sync requires three components: the certificates that you'd like to push, a destination endpoint to deploy certificates to, and configuration options that determine how your certificates should be synced. Follow these steps to start syncing:
For step-by-step guides on syncing to a particular third-party service, refer to the Certificate Syncs section in the Navigation Bar.
  1. Create App Connection: If you have not already done so, create an App Connection via the UI or API for the third-party service you intend to sync certificates to.
  2. Create Certificate Sync: Configure a Certificate Sync in the desired project by specifying the following parameters via the UI or API:
    • Destination: The App Connection to use and the destination endpoint to deploy certificates to, such as AWS Certificate Manager or Azure Key Vault.
    • Certificates: The certificates you wish to push to the destination.
    • Options: Customize how certificates should be synced, including:
      • Whether certificates should be removed from the destination when they expire.
      • Whether to include the Root CA certificate in the certificate chain.
      • Certificate naming schema to control how certificate names are generated in the destination.
Only certificates managed by Infisical will be affected during sync operations. Certificates not created or managed by Infisical will remain untouched, and changes made to Infisical-managed certificates directly in the destination service may be overwritten by future syncs.
Some third-party services do not support removing expired certificates automatically.
  3. Utilize Sync: Selected certificates will now be pushed to the destination endpoint and automatically redeployed whenever they are renewed.
Infisical is continuously expanding its Certificate Sync third-party service support. If the service you need isn’t available, contact us at [email protected] to make a request.

Certificate Naming

Certificate Syncs support flexible certificate naming through configurable naming schemas. This allows you to customize how certificate names appear in your destination services.

Default Naming

By default, certificates are named using the pattern Infisical-{certificateId} where {certificateId} is the unique identifier of the certificate with hyphens removed for compatibility with services like Azure Key Vault.

Custom Naming Schema

You can customize certificate naming by providing a Certificate Name Schema when creating or updating a Certificate Sync. The schema supports the following placeholders:
  • {{certificateId}} - The unique certificate identifier (required)
Examples:
  • myapp-{{certificateId}} → myapp-abc123def456
  • ssl/{{certificateId}} → ssl/abc123def456
Rules:
  • Must include exactly one {{certificateId}} placeholder
  • Only alphanumeric characters, dashes (-), underscores (_), and slashes (/) are allowed
  • Certificate names matching your schema will be managed by Infisical during sync operations
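The naming rules above, and the "only certificates managed by Infisical are affected" guarantee in the Workflow section, both hinge on one thing: whether a name in the destination could have been produced by your schema. The following is an added example written for this page, not Infisical's own code, that enforces the two schema rules, renders a destination name (stripping hyphens from the certificate ID as the Default Naming section describes), and partitions a list of destination certificate names into the ones a sync would manage and the ones it would leave alone. Assumptions not stated on the page: the default schema expressed in placeholder form is `Infisical-{{certificateId}}`, certificate IDs are UUIDs, and the sample destination names are constructed for the example.

```typescript
// Added example (not Infisical's code): schema validation, name rendering,
// and the managed/untouched split a sync must make before it writes or deletes.

const PLACEHOLDER = "{{certificateId}}";
// Assumption: the page's default pattern "Infisical-{certificateId}" written as a schema.
const DEFAULT_SCHEMA = `Infisical-${PLACEHOLDER}`;

interface SchemaCheck {
  valid: boolean;
  reason?: string;
}

/** Rule 1: exactly one placeholder. Rule 2: only [A-Za-z0-9_/-] outside it. */
function validateSchema(schema: string): SchemaCheck {
  const count = schema.split(PLACEHOLDER).length - 1;
  if (count !== 1) {
    return { valid: false, reason: `expected exactly one ${PLACEHOLDER}, found ${count}` };
  }
  const literal = schema.replace(PLACEHOLDER, "");
  if (!/^[A-Za-z0-9_\/-]*$/.test(literal)) {
    return { valid: false, reason: "only alphanumerics, '-', '_' and '/' are allowed" };
  }
  return { valid: true };
}

/** Strip hyphens from a UUID so the resulting name is accepted by e.g. Azure Key Vault. */
function normalizeCertificateId(certificateId: string): string {
  return certificateId.replace(/-/g, "");
}

/** Render the destination name; refuse to render from a schema that breaks the rules. */
function renderName(certificateId: string, schema: string = DEFAULT_SCHEMA): string {
  const check = validateSchema(schema);
  if (!check.valid) throw new Error(`invalid certificate name schema: ${check.reason}`);
  return schema.replace(PLACEHOLDER, normalizeCertificateId(certificateId));
}

/** Anchored regex that matches only names the schema could have produced. */
function schemaMatcher(schema: string): RegExp {
  const parts = schema.split(PLACEHOLDER);
  const prefix = parts[0] ?? "";
  const suffix = parts[1] ?? "";
  // Escape regex metacharacters in the literal parts (standard escapeRegExp pattern).
  const esc = (s: string) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  // The hyphen-stripped certificate ID is alphanumeric, so that is all the capture allows.
  return new RegExp(`^${esc(prefix)}([A-Za-z0-9]+)${esc(suffix)}$`);
}

/** Split destination names into those a sync will manage and those it must not touch. */
function partitionDestinationNames(
  names: string[],
  schema: string = DEFAULT_SCHEMA,
): { managed: string[]; untouched: string[] } {
  const check = validateSchema(schema);
  if (!check.valid) throw new Error(`invalid certificate name schema: ${check.reason}`);
  const re = schemaMatcher(schema);
  const managed: string[] = [];
  const untouched: string[] = [];
  for (const name of names) {
    (re.test(name) ? managed : untouched).push(name);
  }
  return { managed, untouched };
}

// Constructed sample: names as they might appear in a destination certificate store.
const SAMPLE_DESTINATION_NAMES: string[] = [
  "myapp-abc123def456",       // produced by the schema: managed
  "myapp-staging",            // human-named, but it still matches the schema: managed!
  "legacy-wildcard",          // does not match: untouched
  "Infisical-abc123def456",   // default-schema name, but we sync with a custom schema: untouched
];

console.log(partitionDestinationNames(SAMPLE_DESTINATION_NAMES, "myapp-{{certificateId}}"));
```

Note the second sample entry: anything in the destination whose name fits the schema is treated as Infisical-managed, so a schema prefix shared with hand-created certificates puts those certificates in scope for overwrite or expiry removal. Choose a prefix that nothing else in the destination uses.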