Certificate Manager uses a layered access model that separates infrastructure management from day-to-day operations.
Product Level
| Role | What they can do |
|---|---|
| Product Admin | Full control: create and manage CAs, Policies, Profiles, Applications, and Signers. Assign members to Applications and Signers. |
| Product Member | Operate within the Applications and Signers they’re assigned to. |
- Certificate Authorities (internal and external)
- Certificate Policies
- Certificate Profiles
- Creating Applications and assigning members
- Creating Signers and assigning members
Application Access
Applications are where teams issue and manage certificates. Members are assigned with one of three roles:

| Role | What they can do |
|---|---|
| Admin | Configure enrollment methods, alerting, syncs, and approval policies. Manage Application members. |
| Operator | Issue, renew, and revoke certificates within the Application. |
| Auditor | View certificates and Application configuration (read-only). |
Signer Access
Signers are where teams sign code artifacts. Similar to Applications, members are assigned directly to Signers with specific permissions. Product Admins create Signers and assign members. Assigned members can then use the Signer to sign artifacts through the PKCS#11 module or request signing through approval workflows. Signing Policies can add further controls, requiring approval before signing operations are allowed.
Principle of Least Privilege
This model follows the principle of least privilege:
- Product Admins set up infrastructure once
- Teams operate within their assigned Applications and Signers
- No one has more access than they need