The API enrollment method lets you programmatically request TLS and other X.509 certificates from Infisical. This is the most flexible way to request certificates from Infisical but requires you to implement certificate request and renewal logic on your own. For a more automated way to request certificates, we highly recommend you check out the guide for requesting certificates using the Infisical Agent here.

Diagram

The following sequence diagram illustrates the certificate issuance workflow for requesting a certificate via API from Infisical.

Guide

In the following steps, we explore an end-to-end workflow for requesting a certificate via API from Infisical.
1. Configure a Certificate Authority

Before you can issue any certificate, you must first configure a Certificate Authority (CA). The CA you configure will be used to issue the certificate back to your client; it can be either Internal or External:
  • Internal CA: If you’re building your own PKI and wish to issue certificates for internal use, you should follow the guide here to create at minimum a root CA and an intermediate/issuing CA within Infisical.
  • External CA: If you have existing PKI infrastructure or wish to connect to a public CA (e.g. Let’s Encrypt, DigiCert, etc.) to issue TLS certificates, you should follow the documentation here to configure an External CA.
Note that if you’re looking to issue self-signed certificates, you can skip this step and proceed to Step 3.
2. Create a certificate template

Next, follow the guide here to create a certificate template. The certificate template will constrain what attributes may or may not be allowed in the request to issue a certificate. For example, you can specify that the requested common name must adhere to a specific format like *.acme.com and that the maximum TTL cannot exceed 1 year. If you’re looking to issue TLS server certificates, you should select the TLS Server Certificate option under the Template Preset dropdown.
3. Create a certificate profile

Next, follow the guide here to create a certificate profile that will be referenced when requesting a certificate. The certificate profile specifies which certificate template and issuing CA should be used to validate an incoming certificate request and issue a certificate; it also specifies the enrollment method for how certificates can be requested against this profile to begin with. You should specify the certificate template from Step 2, the issuing CA from Step 1, and the API option in the Enrollment Method dropdown when creating the certificate profile.
Note that if you’re looking to issue self-signed certificates, you should select the Self-Signed option in the Issuer Type dropdown when creating the certificate profile.
4. Request a certificate

Finally, follow the guide here to request a certificate against the certificate profile over the Web UI or by making an API request to the Issue Certificate API endpoint with or without a certificate signing request (CSR).

To renew a certificate on the client-side, you have two options:
  • Make a request to issue a new certificate against the same Issue Certificate API endpoint.
  • Make a request to the Renew Certificate API endpoint with the ID of the certificate you wish to renew. Note that this endpoint only works if the original certificate was issued through the Issue Certificate API endpoint without a CSR.
We recommend reading the guide here to learn more about all the ways to renew a certificate with Infisical including server-driven certificate renewal.
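A client-side renewal planner for the two renewal options above, as an added example (not Infisical's code). The `IssuedCert` record, the two-thirds-of-lifetime threshold, the action labels and the sample inventory are assumptions; the planner makes no API calls, so the caller maps each action onto the Issue Certificate or Renew Certificate endpoint.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class IssuedCert:
    cert_id: str            # ID recorded at issuance (constructed values below)
    not_before: datetime
    not_after: datetime
    issued_with_csr: bool   # True if the client supplied its own CSR

def renewal_action(cert, now, renew_fraction=2 / 3):
    """Return None while the certificate is fresh, else (action, state)."""
    lifetime = cert.not_after - cert.not_before
    renew_at = cert.not_before + lifetime * renew_fraction  # assumed threshold
    if now < renew_at:
        return None
    # The Renew Certificate endpoint only works for certificates issued
    # without a CSR; CSR-based certificates need a new issue request.
    action = "reissue-with-new-csr" if cert.issued_with_csr else "renew-by-id"
    state = "expired" if now >= cert.not_after else "due"
    return action, state

def plan(inventory, now, renew_fraction=2 / 3):
    """List (cert_id, action, state) for every due certificate, soonest expiry first."""
    due = []
    for cert in sorted(inventory, key=lambda c: c.not_after):
        result = renewal_action(cert, now, renew_fraction)
        if result is not None:
            due.append((cert.cert_id, *result))
    return due

def _d(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample inventory and clock, for illustration only.
NOW = _d(2025, 6, 1)
INVENTORY = [
    IssuedCert("cert-a", _d(2025, 1, 1), _d(2026, 1, 1), issued_with_csr=False),
    IssuedCert("cert-b", _d(2025, 3, 1), _d(2025, 6, 29), issued_with_csr=False),
    IssuedCert("cert-c", _d(2025, 2, 1), _d(2025, 5, 2), issued_with_csr=True),
    IssuedCert("cert-d", _d(2025, 4, 1), _d(2025, 6, 30), issued_with_csr=True),
]

if __name__ == "__main__":
    for row in plan(INVENTORY, NOW):
        print(row)
```

Recording at issuance time whether a CSR was supplied is what lets the client pick the renewal path later without a failed call to the Renew Certificate endpoint.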
Note that depending on your environment and infrastructure use-case, you may wish to use a different enrollment method to request certificates. For more automated certificate management, you may wish to request certificates using a client that can monitor expiring certificates and request renewals for you. For example, you can install the Infisical Agent on a VM and have it request and renew certificates for you or use an ACME client paired with Infisical’s ACME enrollment method.