The Infisical Agent is an installable client daemon that can request TLS and other X.509 certificates from Infisical using the API enrollment method configured on a certificate profile, persist them to a specified path on the filesystem, and automatically monitor and renew them before they expire. Instead of manually requesting and renewing a certificate via the Issue Certificate API endpoint, you can install and launch the Infisical Agent to have it perform these steps for you automatically.

Diagram

The following sequence diagram illustrates the enrollment workflow for requesting a certificate from Infisical using the Infisical Agent.

Guide

In the following steps, we explore an end-to-end workflow for requesting and continuously renewing a certificate using the Infisical Agent.
1. Configure a Certificate Authority

Before you can issue any certificate, you must first configure a Certificate Authority (CA). The CA you configure will be used to issue the certificate back to your client; it can be either Internal or External:
  • Internal CA: If you’re building your own PKI and wish to issue certificates for internal use, you should follow the guide here to create at minimum a root CA and an intermediate/issuing CA within Infisical.
  • External CA: If you have existing PKI infrastructure or wish to connect to a public CA (e.g. Let’s Encrypt, DigiCert, etc.) to issue TLS certificates, you should follow the documentation here to configure an External CA.
Note that if you’re looking to issue self-signed certificates, you can skip this step and proceed to Step 3.
2. Create a certificate template

Next, follow the guide here to create a certificate template. The certificate template constrains which attributes may or may not be allowed in a request to issue a certificate. For example, you can specify that the requested common name must adhere to a specific format like *.acme.com and that the maximum TTL cannot exceed 1 year. If you’re looking to issue TLS server certificates, you should select the TLS Server Certificate option under the Template Preset dropdown.
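To make the constraint idea concrete, here is an added example (not Infisical's own code, and not its template schema) that models a template as an allow-list of name patterns plus a TTL ceiling and evaluates a request against it. The field names (common_name, sans, ttl), the single-label wildcard rule, and the violation messages are assumptions made for the illustration; the example also checks SANs, not only the common name, so it goes slightly beyond the common-name example in the text.

```python
"""Added example (not Infisical's own code): a model of the constraints a
certificate template places on an issuance request. Field names, the wildcard
rule and the violation strings are assumptions for this illustration only."""
from dataclasses import dataclass, field
from datetime import timedelta


@dataclass
class TemplatePolicy:
    allowed_name_patterns: list   # e.g. ["*.acme.com"]
    max_ttl: timedelta            # e.g. timedelta(days=365)


@dataclass
class CertRequest:
    common_name: str
    sans: list = field(default_factory=list)   # additional DNS names requested
    ttl: timedelta = timedelta(days=90)


def name_matches(pattern: str, name: str) -> bool:
    """Match a DNS name against a template pattern.

    A leading '*.' matches exactly one DNS label, so '*.acme.com' covers
    'api.acme.com' but not 'acme.com' or 'a.b.acme.com'; any other pattern
    must match exactly. Comparison is case-insensitive and ignores a trailing
    dot. The single-label rule is an assumption chosen to mirror RFC 6125
    wildcard handling, not a statement about Infisical's matcher.
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                # ".acme.com"
        if not name.endswith(suffix):
            return False
        left = name[: -len(suffix)]         # the part the wildcard consumed
        # Must be exactly one non-empty label with no nested wildcard.
        return bool(left) and "." not in left and "*" not in left
    return pattern == name


def evaluate_request(policy: TemplatePolicy, req: CertRequest) -> list:
    """Return the list of violations; an empty list means the request is allowed."""
    violations = []
    # Every requested name (CN and each SAN) must be covered by some pattern.
    for dns_name in [req.common_name, *req.sans]:
        if not any(name_matches(p, dns_name) for p in policy.allowed_name_patterns):
            violations.append(f"name not permitted by template: {dns_name}")
    # The TTL must be positive and within the template ceiling.
    if req.ttl <= timedelta(0):
        violations.append("requested TTL must be positive")
    elif req.ttl > policy.max_ttl:
        violations.append(
            f"requested TTL {req.ttl.days}d exceeds template maximum {policy.max_ttl.days}d"
        )
    return violations


if __name__ == "__main__":
    policy = TemplatePolicy(["*.acme.com"], timedelta(days=365))
    for req in (
        CertRequest("api.acme.com", ["www.acme.com"]),
        CertRequest("acme.com"),
        CertRequest("api.acme.com", ["a.b.acme.com"], timedelta(days=400)),
    ):
        print(req.common_name, "->", evaluate_request(policy, req) or "allowed")
```

The wildcard handling is where such checks most often go wrong: a naive `endswith("acme.com")` would accept `notacme.com`, and a naive `fnmatch` would let `*` span several labels, so the example deliberately requires exactly one label in the wildcard position.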
3. Create a certificate profile

Next, follow the guide here to create a certificate profile that will be referenced when requesting a certificate. The certificate profile specifies which certificate template and issuing CA should be used to validate an incoming certificate request and issue a certificate; it also specifies the enrollment method by which certificates can be requested against this profile in the first place. You should specify the certificate template from Step 2, the issuing CA from Step 1, and the API option in the Enrollment Method dropdown when creating the certificate profile.
Note that if you’re looking to issue self-signed certificates, you should select the Self-Signed option in the Issuer Type dropdown when creating the certificate profile.
4. Request a certificate

Next, install the Infisical CLI on the target machine you wish to request the certificate on and follow the documentation here to set up the Infisical Agent on it. As part of the setup, you must create an agent configuration file that specifies how the agent should authenticate with Infisical using a machine identity, the certificate profile it should request against (from Step 3), what kind of certificate to request, where to persist the certificate, and how it should be managed in terms of auto-renewal. Finally, start the agent with that configuration file so it can start requesting and continuously renewing the certificate on your behalf using the command below:
infisical cert-manager agent --config /path/to/your/agent-config.yaml
The certificate, certificate chain, and private key will be persisted to the filesystem at the paths specified in the file-output section of the agent configuration file.
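Once the agent has written the files, it is worth verifying them independently: that the leaf chains to the bundle written next to it, that the private key actually matches the certificate, that enough validity remains for the renewal window, and that the key is not world-readable. The following is an added example, not part of the Infisical docs or the agent, that runs those checks through the openssl CLI. The file names cert.pem, chain.pem and key.pem are an assumption (substitute the paths from your file-output section), and make_sample_pki builds constructed sample data, a throwaway root CA and a 10-day leaf, so the checks can run offline without an agent.

```python
"""Added example (not Infisical's own code or the agent's): post-issuance checks
over the certificate, chain and private key files the agent persists, driven
through the openssl CLI. File names are assumptions; substitute your own paths."""
import os
import stat
import subprocess
import tempfile
from pathlib import Path


def _openssl(*args):
    """Run one openssl subcommand; return (exit_code, stdout)."""
    proc = subprocess.run(["openssl", *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout


def make_sample_pki(dir_path=None, key_mode=0o600):
    """Construct a throwaway root CA and a 10-day leaf it signs; return the directory.

    Constructed sample data standing in for the agent's output so the checks can
    run offline. key_mode lets a caller simulate a mis-deployed key file.
    """
    d = Path(dir_path or tempfile.mkdtemp())
    ec_key = ["-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1", "-nodes"]
    steps = [
        ["req", "-x509", *ec_key, "-keyout", str(d / "ca.key"), "-out", str(d / "chain.pem"),
         "-days", "30", "-subj", "/CN=Example Internal Root CA"],
        ["req", *ec_key, "-keyout", str(d / "key.pem"), "-out", str(d / "leaf.csr"),
         "-subj", "/CN=app.acme.com"],
        ["x509", "-req", "-in", str(d / "leaf.csr"), "-CA", str(d / "chain.pem"),
         "-CAkey", str(d / "ca.key"), "-CAcreateserial", "-out", str(d / "cert.pem"),
         "-days", "10"],
    ]
    for args in steps:
        rc, _ = _openssl(*args)
        if rc != 0:
            raise RuntimeError(f"openssl {args[0]} failed")
    os.chmod(d / "key.pem", key_mode)
    return str(d)


def check_cert_files(dir_path, min_remaining_seconds):
    """Return the list of failed checks; an empty list means the files look healthy.

    min_remaining_seconds is the renewal headroom: the leaf must stay valid at
    least that long, otherwise renewal should already have happened.
    """
    d = Path(dir_path)
    cert, chain, key = d / "cert.pem", d / "chain.pem", d / "key.pem"
    failures = []

    # 1. The leaf must chain to the CA bundle written next to it.
    rc, _ = _openssl("verify", "-CAfile", str(chain), str(cert))
    if rc != 0:
        failures.append("chain")

    # 2. The private key must belong to the certificate: compare public keys.
    _, cert_pub = _openssl("x509", "-in", str(cert), "-noout", "-pubkey")
    _, key_pub = _openssl("pkey", "-in", str(key), "-pubout")
    if not cert_pub or cert_pub != key_pub:
        failures.append("key-mismatch")

    # 3. The certificate must not expire inside the renewal headroom
    #    (openssl x509 -checkend exits 0 only if it is still valid at that point).
    rc, _ = _openssl("x509", "-in", str(cert), "-noout", "-checkend", str(min_remaining_seconds))
    if rc != 0:
        failures.append("expiring")

    # 4. The private key must not be readable by group or others.
    mode = stat.S_IMODE(os.stat(key).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        failures.append("key-permissions")

    return failures


if __name__ == "__main__":
    sample = make_sample_pki()
    print(check_cert_files(sample, 7 * 86400) or "all checks passed")
```

Run with the headroom you expect the agent to renew at; a non-empty result for "expiring" on a live deployment means the agent's renewal is not keeping up, and "key-permissions" means the file-output location exposes the key to other local users.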