Add preliminary docs for private ca and certificates

docs/documentation/platform/pki/certificates.mdx

@@ -0,0 +1,68 @@
+---
+title: "Certificates"
+sidebarTitle: "Certificates"
+description: "Learn how to issue X.509 certificates with Infisical."
+---
+
+## Concept
+
+Assuming that you've created a Private CA hierarchy with a root CA and an intermediate CA, you can now issue X.509 certificates using the intermediate CA.
+
+<div align="center">
+
+```mermaid
+graph TD
+    A[Root CA]
+    A --> B[Intermediate CA]
+    A --> C[Intermediate CA]
+    B --> D[Leaf Certificate]
+    C --> E[Leaf Certificate]
+```
+
+</div>
+
+## Workflow
+
+The typical workflow for issuing certificates consists of the following steps:
+
+1. Issuing a certificate under an intermediate CA with details like name and validity period.
+2. Managing certificate lifecycle events such as certificate renewal, revocation, and reissuance.
+
+<Note>
+  Note that this workflow can be executed via the Infisical UI or manually such
+  as via API.
+</Note>
+
+## Guide
+
+In the following steps, we explore how to issue a X.509 certificate under a CA using the Infisical UI.
+
+<Steps>
+  <Step title="Creating a certificate">
+    To create a certificate, head to your Project > Internal PKI > Certificates and press **Create Certificate**.
+
+    ![pki issue certificate](/images/platform/pki/cert-issue.png)
+
+    Here, set the **CA** to the CA you want to issue the certificate under and fill out details for the certificate.
+
+    ![pki issue certificate modal](/images/platform/pki/cert-issue-modal.png)
+
+    Here's some guidance on each field:
+
+    - Issuing CA: The CA under which to issue the certificate.
+    - Common Name (CN): The (common) name of the certificate.
+    - TTL: The lifetime of the certificate in seconds.
+    - Valid Until: The date until which the certificate is valid in the date time string format specified [here](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date#date_time_string_format). For example, the following formats would be valid: `YYYY`, `YYYY-MM`, `YYYY-MM-DD`, `YYYY-MM-DDTHH:mm:ss.sssZ`.
+
+  </Step>
+  <Step title="Copying the certificate details">
+    Once you have created the certificate from step 1, you'll be presented with the certificate details including the **Certificate Body**, **Certificate Chain**, and **Private Key**.
+    
+    ![pki certificate body](/images/platform/pki/cert-body.png)
+    
+    <Note>
+        Make sure to download and store the **Private Key** in a secure location as it will only be displayed once at the time of certificate issuance.
+        The **Certificate Body** and **Certificate Chain** will remain accessible and can be copied at any time.
+    </Note>
+  </Step>
+</Steps>

docs/documentation/platform/pki/overview.mdx

@@ -0,0 +1,12 @@
+---
+title: "Internal PKI"
+sidebarTitle: "Overview"
+description: "Learn how to create a Private CA hierarchy and issue X.509 certificates."
+---
+
+Infisical can be used to create a Private Certificate Authority (CA) hierarchy and issue X.509 certificates for internal use. This allows you to manage your own PKI infrastructure and issue digital certificates for services, applications, and devices.
+
+Infisical's internal PKI offering is split into two modules:
+
+- [Private CA](/documentation/platform/pki/private-ca): Infisical lets you create private CAs, including root and intermediary CAs.
+- [Certificates](/documentation/platform/pki/certificates): Infisical allows you to issue X.509 certificates using the private CAs you create.

docs/documentation/platform/pki/private-ca.mdx

@@ -0,0 +1,106 @@
+---
+title: "Private CA"
+sidebarTitle: "Private CA"
+description: "Learn how to create a Private CA hierarchy with Infisical."
+---
+
+## Concept
+
+The first step to creating your Internal PKI is to create a Private Certificate Authority (CA) hierarchy that is a structure of entities
+used to issue digital certificates for services, applications, and devices.
+
+<div align="center">
+
+```mermaid
+graph TD
+    A[Root CA]
+    A --> B[Intermediate CA]
+    A --> C[Intermediate CA]
+```
+
+</div>
+
+## Workflow
+
+A typical workflow for setting up a Private CA hierarchy consists of the following steps:
+
+1. Configuring a root CA with details like name, validity period, and path length.
+2. Configuring and chaining intermediate CA(s) with details like name, validity period, path length, and imported certificate.
+3. Managing the CA lifecycle events such as CA succession.
+
+<Note>
+  Note that this workflow can be executed via the Infisical UI or manually such
+  as via API. If manually executing the workflow, you may have to create a
+  Certificate Signing Request (CSR) for the intermediate CA, create an
+  intermediate certificate using the root CA private key and CSR, and import the
+  intermediate certificate back to the intermediate CA as part of Step 2.
+</Note>
+
+## Guide
+
+In the following steps, we explore how to create a simple Private CA hierarchy
+consisting of a root CA and an intermediate CA using the Infisical UI.
+
+<Steps>
+    <Step title="Creating a root CA">
+        To create a root CA, head to your Project > Internal PKI > Certificate Authorities and press **Create CA**.
+
+        ![pki create ca](/images/platform/pki/ca-create.png)
+
+        Here, set the **CA Type** to **Root** and fill out details for the root CA.
+
+        ![pki create root ca](/images/platform/pki/ca-create-root.png)
+
+        Here's some guidance on each field:
+
+        - Valid Until: The date until which the CA is valid in the date time string format specified [here](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date#date_time_string_format). For example, the following formats would be valid: `YYYY`, `YYYY-MM`, `YYYY-MM-DD`, `YYYY-MM-DDTHH:mm:ss.sssZ`.
+        - Path Length: The maximum number of intermediate CAs that can be chained to this CA. A path of `-1` implies no limit; a path of `0` implies no intermediate CAs can be chained.
+        - Organization (O): The organization name.
+        - Country (C): The country code.
+        - State or Province Name: The state or province.
+        - Locality Name: The city or locality.
+        - Common Name: The name of the CA.
+
+        <Note>
+            The Organization, Country, State or Province Name, Locality Name, and Common Name make up the **Distinguished Name (DN)** or **subject** of the CA.
+            At least one of these fields must be filled out.
+        </Note>
+    </Step>
+    <Step title="Creating an intermediate CA">
+        1.1. To create an intermediate CA, press **Create CA** again but this time specifying the **CA Type** to be **Intermediate**. Fill out the details for the intermediate CA.
+
+        ![pki create intermediate ca](/images/platform/pki/ca-create-intermediate.png)
+
+        1.2. Next, press the **Install Certificate** option on the intermediate CA from step 1.1.
+
+        ![pki install cert opt](/images/platform/pki/ca-install-intermediate-opt.png)
+
+        Here, set the **Parent CA** to the root CA created in step 1 and configure the intended **Valid Until** and **Path Length** fields on the intermediate CA; feel free to use the prefilled values.
+
+        ![pki install cert](/images/platform/pki/ca-install-intermediate.png)
+
+        Here's some guidance on each field:
+
+        - Parent CA: The parent CA to which this intermediate CA will be chained. In this case, it should be the root CA created in step 1.
+        - Valid Until: The date until which the CA is valid in the date time string format specified [here](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date#date_time_string_format). The date must be within the validity period of the parent CA.
+        - Path Length: The maximum number of intermediate CAs that can be chained to this CA. The path length must be less than the path length of the parent CA.
+
+        Finally, press **Install** to chain the intermediate CA to the root CA; this creates a Certificate Signing Request (CSR) for the intermediate CA, creates an intermediate certificate using the root CA private key and CSR, and imports the signed certificate back to the intermediate CA.
+
+        ![pki cas](/images/platform/pki/cas.png)
+
+        Great! You've successfully created a Private CA hierarchy with a root CA and an intermediate CA.
+        Now check out the [Certificates](/documentation/platform/pki/certificates) page to learn more about how to issue X.509 certificates using the intermediate CA.
+
+</Step>
+</Steps>
+
+## FAQ
+
+<AccordionGroup>
+  <Accordion title="What algorithms are supported as part of private key generation and certificate signing?">
+    Infisical currently only supports `RSA_2048` and `SHA256WITHRSA` for the
+    private key and signing algorithm. We are working to add support for more
+    algorithms in the future.
+  </Accordion>
+</AccordionGroup>

docs/mint.json

@@ -32,10 +32,7 @@
     "thumbsRating": true
   },
   "api": {
-    "baseUrl": [
-      "https://app.infisical.com",
-      "http://localhost:8080"
-    ]
+    "baseUrl": ["https://app.infisical.com", "http://localhost:8080"]
   },
   "topbarLinks": [
     {
@@ -76,9 +73,7 @@
         "documentation/getting-started/introduction",
         {
           "group": "Quickstart",
-          "pages": [
-            "documentation/guides/local-development"
-          ]
+          "pages": ["documentation/guides/local-development"]
         },
         {
           "group": "Guides",
@@ -107,6 +102,14 @@
             "documentation/platform/webhooks"
           ]
         },
+        {
+          "group": "Internal PKI",
+          "pages": [
+            "documentation/platform/pki/overview ",
+            "documentation/platform/pki/private-ca",
+            "documentation/platform/pki/certificates"
+          ]
+        },
         {
           "group": "Identities",
           "pages": [
@@ -221,9 +224,7 @@
         },
         {
           "group": "Reference architectures",
-          "pages": [
-            "self-hosting/reference-architectures/aws-ecs"
-          ]
+          "pages": ["self-hosting/reference-architectures/aws-ecs"]
         },
         "self-hosting/ee",
         "self-hosting/faq"
@@ -379,15 +380,11 @@
     },
     {
       "group": "Build Tool Integrations",
-      "pages": [
-        "integrations/build-tools/gradle"
-      ]
+      "pages": ["integrations/build-tools/gradle"]
     },
     {
       "group": "",
-      "pages": [
-        "sdks/overview"
-      ]
+      "pages": ["sdks/overview"]
     },
     {
       "group": "SDK's",
@@ -405,9 +402,7 @@
         "api-reference/overview/authentication",
         {
           "group": "Examples",
-          "pages": [
-            "api-reference/overview/examples/integration"
-          ]
+          "pages": ["api-reference/overview/examples/integration"]
         }
       ]
     },
@@ -563,15 +558,11 @@
         },
         {
           "group": "Service Tokens",
-          "pages": [
-            "api-reference/endpoints/service-tokens/get"
-          ]
+          "pages": ["api-reference/endpoints/service-tokens/get"]
         },
         {
           "group": "Audit Logs",
-          "pages": [
-            "api-reference/endpoints/audit-logs/export-audit-log"
-          ]
+          "pages": ["api-reference/endpoints/audit-logs/export-audit-log"]
         }
       ]
     },
@@ -587,9 +578,7 @@
     },
     {
       "group": "",
-      "pages": [
-        "changelog/overview"
-      ]
+      "pages": ["changelog/overview"]
     },
     {
       "group": "Contributing",
@@ -613,9 +602,7 @@
         },
         {
           "group": "Contributing to SDK",
-          "pages": [
-            "contributing/sdk/developing"
-          ]
+          "pages": ["contributing/sdk/developing"]
         }
       ]
     }

frontend/src/layouts/AppLayout/AppLayout.tsx

@@ -527,7 +527,7 @@ export const AppLayout = ({ children }: LayoutProps) => {
                             }
                             icon="system-outline-90-lock-closed"
                           >
-                            Certificates
+                            Internal PKI
                           </MenuItem>
                         </a>
                       </Link>
@@ -645,9 +645,7 @@ export const AppLayout = ({ children }: LayoutProps) => {
                       <Link href={`/org/${currentOrg?.id}/secret-sharing`} passHref>
                         <a>
                           <MenuItem
-                            isSelected={
-                              router.asPath === `/org/${currentOrg?.id}/secret-sharing`
-                            }
+                            isSelected={router.asPath === `/org/${currentOrg?.id}/secret-sharing`}
                             icon="system-outline-90-lock-closed"
                           >
                             Secret Sharing

frontend/src/views/Project/CertificatesPage/components/CertificatesTab/components/CertificateModal.tsx

@@ -186,7 +186,7 @@ export const CertificateModal = ({ popUp, handlePopUpToggle }: Props) => {
                   errorText={error?.message}
                   isRequired
                 >
-                  <Input {...field} placeholder="Acme Corp" isDisabled={Boolean(cert)} />
+                  <Input {...field} placeholder="service.acme.com" isDisabled={Boolean(cert)} />
                 </FormControl>
               )}
             />