Concept

In addition to creating a Private CA hierarchy, Infisical allows you to integrate with External Certificate Authorities (CAs) to issue digital certificates for your subscribers. This integration enables you to leverage established certificate authority infrastructure while centralizing your certificate management within Infisical.

When you integrate an External CA with Infisical, you benefit from:

  1. Trust by Default: Certificates issued by public CAs are trusted by default in browsers and operating systems.
  2. Unified Management: Manage all certificates—both internally and externally issued—from a single platform.
  3. Automation: Leverage Infisical’s automation capabilities for certificate lifecycle management.
  4. Compliance: Meet requirements for publicly trusted certificates, especially for public-facing services.
  5. Flexibility: Choose the most appropriate CA for different use cases while maintaining consistent management.

General Workflow

A typical workflow for integrating an External CA with Infisical consists of the following steps:

  1. Select External CA Type: Choose the appropriate external CA based on your requirements and supported protocols.
  2. Configure Prerequisites: Set up any required credentials, connections, or configurations specific to your chosen CA type.
  3. Register External CA: Add the External CA configuration to your Infisical project.
  4. Create Subscribers: Set up subscribers that use the External CA as their issuing authority.
  5. Manage Certificate Lifecycle: Handle certificate issuance, renewal, and revocation through Infisical’s unified interface.

The specific steps and requirements vary depending on the External CA type you choose to integrate.

Supported Integration Methods

Infisical currently supports integration with External Certificate Authorities through the following protocol:

ACME Protocol Integration

ACME (Automatic Certificate Management Environment) is a widely adopted protocol for automated certificate issuance and management. Infisical can integrate with any CA that supports the ACME protocol, including:

Public Certificate Authorities:

  • Let’s Encrypt - Free, automated SSL/TLS certificates
  • ZeroSSL - Free and premium SSL certificates
  • Buypass - Norwegian CA with free ACME certificates

Enterprise Certificate Authorities:

  • HashiCorp Vault PKI - Enterprise secret management with ACME support
  • Step CA - Open-source certificate authority with ACME

Cloud Certificate Authorities:

  • Some managed certificate services that support the ACME protocol


Use Cases

External CA integration is ideal for various scenarios:

Public-Facing Services

Use publicly trusted CAs for websites and services that need browser compatibility:

  • Web applications and APIs
  • Load balancers and CDNs
  • Public-facing microservices

Compliance Requirements

Meet specific compliance standards that require certificates from accredited CAs:

  • PCI DSS compliance
  • SOC 2 requirements
  • Industry-specific regulations

Hybrid Infrastructure

Combine internal and external CAs for different use cases:

  • Internal services with Private CAs
  • Public services with External CAs
  • Development vs. production environments

Legacy System Integration

Integrate with existing enterprise PKI infrastructure:

  • Windows Active Directory Certificate Services
  • Network device management
  • IoT device provisioning

Benefits of Centralized Management

Managing External CAs through Infisical provides several advantages over direct CA management:

Unified Certificate Inventory

  • Single dashboard for all certificates
  • Centralized expiration tracking
  • Cross-CA certificate analytics

Automated Lifecycle Management

  • Automatic certificate reissuance before expiration
  • Proactive expiration alerts
  • Standardized certificate management processes

Enhanced Security

  • Centralized access controls
  • Audit trails for all certificate operations
  • Policy enforcement across CAs

Operational Efficiency

  • Reduced manual certificate management
  • Consistent deployment workflows
  • API-driven automation
  • Integration with existing tools

Available Integration Guides

Get started with External CA integration:

ACME Protocol Integration

Set up automated certificate issuance with any ACME-compatible CA

API Integrations

Custom CA integrations via REST APIs (Coming Soon)
