PKI architecture is a complex topic and there are many ways to orchestrate certificate management including renewal operations. For specific guidance and access to enterprise features, we recommend reaching out to [email protected] to schedule a demo.

Concept

A certificate is the (X.509) leaf certificate issued for a certificate profile. Once issued, a certificate is kept track of in the certificate inventory where you can manage various aspects of its lifecycle including deployment to cloud key stores, server-side auto-renewal behavior, revocation, and more.

Guide to Issuing Certificates

To issue a certificate, you must first create a certificate profile and a certificate template to go along with it. The enrollment method configured on the certificate profile determines how a certificate is issued for it. Refer to the documentation for each enrollment method to learn more about how to issue certificates using it.

Guide to Renewing Certificates

To renew a certificate, you can either request a new certificate from a certificate profile or have the platform automatically request a new one for you. Whether you pursue a client-driven or server-driven approach depends on both the enrollment method configured on your certificate profile and your infrastructure use-case.

Client-Driven Certificate Renewal

Client-driven certificate renewal is when renewal is initiated client-side by the end-entity consuming the certificate. This is the most common approach to certificate renewal and is suitable for most use-cases.

Server-Driven Certificate Renewal

Server-driven certificate renewal is when renewal is initiated server-side by Infisical rather than by the end-entity consuming the certificate. When a certificate considered for auto-renewal comes within its configured renewal threshold (a number of days before expiration), Infisical reaches out to the issuing CA bound to the certificate profile of the expiring certificate to request a new one. The resulting renewed certificate is stored in the platform and made available to be fetched back or pushed downstream to end-entities or external systems such as cloud key stores. Note that server-driven certificate renewal is only available for certificates issued via the API enrollment method, where key pairs are generated server-side. A certificate can be marked for auto-renewal at the time of issuance, if the Enable Auto-Renewal By Default option is selected on its certificate profile, or after issuance by toggling this option manually.
For server-driven certificate renewal workflows, you can programmatically fetch the latest active certificate bundle for a certificate profile using the Get Latest Active Certificate Bundle API endpoint. This ensures you always retrieve the most current valid certificate, including any that have been automatically renewed, making it particularly useful for deployment pipelines and automation workflows where you don’t want to track individual serial numbers.
The following examples demonstrate different approaches to certificate renewal:
  • Using the ACME enrollment method, you may connect an ACME client like certbot to fetch back and renew certificates for Apache, Nginx, or other servers. The ACME client will pursue a client-driven approach and submit certificate requests upon certificate expiration for you, saving renewed certificates back to the server’s configuration.
  • Using the ACME enrollment method, you may use cert-manager with Infisical to issue and renew certificates for Kubernetes workloads; cert-manager will pursue a client-driven approach and submit certificate requests upon certificate expiration for you, saving renewed certificates back to Kubernetes secrets.
  • Using the API enrollment method, you may push and auto-renew certificates to AWS and Azure using certificate syncs. Certificates issued over the API enrollment method, where key pairs are generated server-side, are also eligible for server-side auto-renewal; once renewed, certificates are automatically pushed back to their sync destination.

Guide to Downloading Certificates

In the following steps, we explore different options for exporting already-issued certificates from Infisical in different formats for use in your applications and infrastructure.

Download Latest Profile Certificate

You can download the latest certificate issued against a certificate profile using the latest certificate bundle endpoint.

Download Specific Certificate

To export a specific certificate, first navigate to your project’s certificate inventory and locate the certificate you want to export. Click on the Export Certificate option from the certificate’s action menu. The export modal offers PEM and PKCS12 formats; the steps below cover the PEM format.

1. Exporting in PEM Format

In the export modal, choose PEM as the format and click Export. The PEM export modal will display the certificate details including:
  • Serial Number: The unique identifier for the certificate
  • Certificate Body: The X.509 certificate in PEM format
  • Certificate Chain: The intermediate and root CA certificates
  • Private Key: The private key associated with the certificate (if available)
You can copy each component individually or use the Copy All button to copy the complete certificate bundle.
2. Using PEM Certificates

PEM format certificates can be used directly with most web servers and applications:
  • Apache HTTP Server: Configure SSL certificates in your virtual host
  • Nginx: Use the certificate and private key files in your server configuration
  • Docker containers: Mount certificate files for TLS-enabled applications
  • Load balancers: Upload PEM certificates to AWS ALB, Azure Application Gateway, etc.
Example Nginx configuration:
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /path/to/certificate.pem;
    ssl_certificate_key /path/to/private-key.pem;
}
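Before deploying an exported PEM bundle, it is worth checking it the way a server would use it: that the leaf chains to the exported chain for the intended hostname and is not already inside the renewal window described under server-driven renewal. The following Go program is an added example, not Infisical code; it assumes the concatenated export places the certificate body first and the chain after it, and the hostname, root CA and validity periods are constructed fixtures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// CheckBundle takes a PEM export (leaf first, then its chain; any key block is ignored), verifies
// the leaf for host at time now against that chain, and reports whether renewal is already due.
func CheckBundle(data []byte, host string, now time.Time, renewDays int) (bool, error) {
	block, rest := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("bundle does not start with a PEM certificate")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool() // the exported chain serves as the trust anchor set for this check
	if !roots.AppendCertsFromPEM(rest) {
		return false, errors.New("no chain certificates follow the leaf")
	}
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now}); err != nil {
		return false, err
	}
	// "Renew N days before expiry": renewal is due once now + N days reaches NotAfter.
	return !now.AddDate(0, 0, renewDays).Before(leaf.NotAfter), nil
}

// SampleBundle is a constructed fixture, not an Infisical export: a throwaway ECDSA root plus a
// leaf for host valid for validDays from now, in the assumed export order (leaf, then chain).
func SampleBundle(host string, now time.Time, validDays int) []byte {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, validDays), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	return append(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})...)
}
```

Run the same check against a bundle exported for a different hostname or past its NotAfter and Verify returns the error instead of a renewal verdict, which is the behaviour a deployment pipeline should stop on.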

Guide to Revoking Certificates

In the following steps, we explore how to revoke an X.509 certificate and obtain a Certificate Revocation List (CRL) for a CA. Revocation can be performed from the Infisical UI or via the API; the steps below use the UI.

1. Revoking a Certificate

Assuming that you’ve issued a certificate under a CA, you can revoke it by selecting the Revoke Certificate option for it and specifying the reason for revocation.
2. Obtaining a CRL

In order to check the revocation status of a certificate, you can check it against the CRL of a CA by heading to its Issuing CA and downloading the CRL. To verify a certificate against the downloaded CRL with OpenSSL, you can use the following command:
openssl verify -crl_check -CAfile chain.pem -CRLfile crl.pem cert.pem
Note that you can also obtain the CRL from the certificate itself by referencing the CRL distribution point extension on the certificate. To check a certificate against the CRL distribution point specified within it with OpenSSL, you can use the following command:
openssl verify -verbose -crl_check -crl_download -CAfile chain.pem cert.pem