Automatically request, persist, and renew certificates on a server using the Infisical Agent.

Prerequisites

Steps

1. Install Infisical CLI

# macOS
brew install infisical/get-cli/infisical

# Linux (Debian/Ubuntu)
curl -1sLf 'https://artifacts.infisical.com/setup.deb.sh' | sudo -E bash
sudo apt-get install infisical

2. Create Agent Configuration

Create /etc/infisical/agent-config.yaml:
version: v1

infisical:
  address: "https://app.infisical.com"

auth:
  type: "universal-auth"
  config:
    client-id: "<your-client-id>"
    client-secret: "<your-client-secret>"

certificates:
  - application-name: "my-first-app"
    profile-name: "web-servers"
    attributes:
      common-name: "api.example.com"
      ttl: "90d"
    lifecycle:
      renew-before-expiry: "14d"
    file-output:
      private-key:
        path: "/etc/ssl/private/api.key"
        permission: "0600"
      certificate:
        path: "/etc/ssl/certs/api.crt"
        permission: "0644"
    post-hooks:
      on-renewal:
        command: "systemctl reload nginx"

Field | Description
application-name | The Application containing your certificate profile
profile-name | The certificate profile to use for issuance

3. Start the Agent

infisical cert-manager agent --config /etc/infisical/agent-config.yaml

Result

The agent will:
  • Authenticate with Infisical using your machine identity
  • Request a certificate and save it to the configured paths
  • Automatically renew it before expiration
  • Execute post-hooks (like reloading NGINX) after renewal
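
To check on a running host that the agent is doing what the list above describes, the following added example (not part of the Infisical documentation or CLI) audits the files named in the sample config: the config file that holds client-secret, the 0600 private key, the certificate/key pairing, and the 14-day renewal window. It assumes POSIX sh and the openssl CLI; the function names are hypothetical helpers.

```sh
#!/bin/sh
# Added example: audit the files named in the sample agent-config.yaml.
# check_private, check_pair, check_window and audit are hypothetical helper
# names, not Infisical commands. Assumes POSIX sh and the openssl CLI.

# Succeed only if group and other have no permission bits (mode chars 5-10).
check_private() {
    bits=$(ls -ldL "$1" | cut -c5-10) || return 2
    [ "$bits" = "------" ]
}

# Succeed only if the certificate's public key is the one derived from the key file.
check_pair() {  # $1=certificate  $2=private key
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    k=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$c" = "$k" ]
}

# Succeed only if the certificate is still valid $2 days from now.
# A certificate already inside the renew-before-expiry window suggests
# that renewal is not happening.
check_window() {  # $1=certificate  $2=window in days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

audit() {  # $1=agent config  $2=private key  $3=certificate  $4=window in days
    rc=0
    check_private "$1" || { echo "FAIL: $1 holds client-secret but is group/world accessible"; rc=1; }
    check_private "$2" || { echo "FAIL: $2 is not owner-only"; rc=1; }
    check_pair "$3" "$2" || { echo "FAIL: $3 does not match $2"; rc=1; }
    check_window "$3" "$4" || { echo "FAIL: $3 expires within ${4}d, renewal may have stalled"; rc=1; }
    return $rc
}

# Invoke as "sh audit.sh run" to check the paths used in the config above.
if [ "${1:-}" = "run" ]; then
    audit /etc/infisical/agent-config.yaml /etc/ssl/private/api.key \
          /etc/ssl/certs/api.crt 14
fi
```

Reading /etc/ssl/private/api.key requires root, so run the audit with the same privileges as the agent.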

Next Steps