diff --git a/docs/documentation/platform/pki/certificates.mdx b/docs/documentation/platform/pki/certificates.mdx
new file mode 100644
index 0000000000..560799936b
--- /dev/null
+++ b/docs/documentation/platform/pki/certificates.mdx
@@ -0,0 +1,68 @@
+---
+title: "Certificates"
+sidebarTitle: "Certificates"
+description: "Learn how to issue X.509 certificates with Infisical."
+---
+
+## Concept
+
+Assuming that you've created a Private CA hierarchy with a root CA and an intermediate CA, you can now issue X.509 certificates using the intermediate CA.
+
+
+
+```mermaid
+graph TD
+ A[Root CA]
+ A --> B[Intermediate CA]
+ A --> C[Intermediate CA]
+ B --> D[Leaf Certificate]
+ C --> E[Leaf Certificate]
+```
+
+
+
+## Workflow
+
+The typical workflow for issuing certificates consists of the following steps:
+
+1. Issuing a certificate under an intermediate CA with details like name and validity period.
+2. Managing certificate lifecycle events such as certificate renewal, revocation, and reissuance.
+
+
+ Note that this workflow can be executed via the Infisical UI or manually such
+ as via API.
+
+
+## Guide
+
+In the following steps, we explore how to issue a X.509 certificate under a CA using the Infisical UI.
+
+
+
+ To create a certificate, head to your Project > Internal PKI > Certificates and press **Create Certificate**.
+
+ 
+
+ Here, set the **CA** to the CA you want to issue the certificate under and fill out details for the certificate.
+
+ 
+
+ Here's some guidance on each field:
+
+ - Issuing CA: The CA under which to issue the certificate.
+ - Common Name (CN): The (common) name of the certificate.
+ - TTL: The lifetime of the certificate in seconds.
+ - Valid Until: The date until which the certificate is valid in the date time string format specified [here](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date#date_time_string_format). For example, the following formats would be valid: `YYYY`, `YYYY-MM`, `YYYY-MM-DD`, `YYYY-MM-DDTHH:mm:ss.sssZ`.
+
+
+
+ Once you have created the certificate from step 1, you'll be presented with the certificate details including the **Certificate Body**, **Certificate Chain**, and **Private Key**.
+
+ 
+
+
+ Make sure to download and store the **Private Key** in a secure location as it will only be displayed once at the time of certificate issuance.
+ The **Certificate Body** and **Certificate Chain** will remain accessible and can be copied at any time.
+
+
+
diff --git a/docs/documentation/platform/pki/overview.mdx b/docs/documentation/platform/pki/overview.mdx
new file mode 100644
index 0000000000..259f15a5d6
--- /dev/null
+++ b/docs/documentation/platform/pki/overview.mdx
@@ -0,0 +1,12 @@
+---
+title: "Internal PKI"
+sidebarTitle: "Overview"
+description: "Learn how to create a Private CA hierarchy and issue X.509 certificates."
+---
+
+Infisical can be used to create a Private Certificate Authority (CA) hierarchy and issue X.509 certificates for internal use. This allows you to manage your own PKI infrastructure and issue digital certificates for services, applications, and devices.
+
+Infisical's internal PKI offering is split into two modules:
+
+- [Private CA](/documentation/platform/pki/private-ca): Infisical lets you create private CAs, including root and intermediary CAs.
+- [Certificates](/documentation/platform/pki/certificates): Infisical allows you to issue X.509 certificates using the private CAs you create.
diff --git a/docs/documentation/platform/pki/private-ca.mdx b/docs/documentation/platform/pki/private-ca.mdx
new file mode 100644
index 0000000000..78963ab5fa
--- /dev/null
+++ b/docs/documentation/platform/pki/private-ca.mdx
@@ -0,0 +1,106 @@
+---
+title: "Private CA"
+sidebarTitle: "Private CA"
+description: "Learn how to create a Private CA hierarchy with Infisical."
+---
+
+## Concept
+
+The first step to creating your Internal PKI is to create a Private Certificate Authority (CA) hierarchy that is a structure of entities
+used to issue digital certificates for services, applications, and devices.
+
+
+
+```mermaid
+graph TD
+ A[Root CA]
+ A --> B[Intermediate CA]
+ A --> C[Intermediate CA]
+```
+
+
+
+## Workflow
+
+A typical workflow for setting up a Private CA hierarchy consists of the following steps:
+
+1. Configuring a root CA with details like name, validity period, and path length.
+2. Configuring and chaining intermediate CA(s) with details like name, validity period, path length, and imported certificate.
+3. Managing the CA lifecycle events such as CA succession.
+
+
+ Note that this workflow can be executed via the Infisical UI or manually such
+ as via API. If manually executing the workflow, you may have to create a
+ Certificate Signing Request (CSR) for the intermediate CA, create an
+ intermediate certificate using the root CA private key and CSR, and import the
+ intermediate certificate back to the intermediate CA as part of Step 2.
+
+
+## Guide
+
+In the following steps, we explore how to create a simple Private CA hierarchy
+consisting of a root CA and an intermediate CA using the Infisical UI.
+
+
+
+ To create a root CA, head to your Project > Internal PKI > Certificate Authorities and press **Create CA**.
+
+ 
+
+ Here, set the **CA Type** to **Root** and fill out details for the root CA.
+
+ 
+
+ Here's some guidance on each field:
+
+ - Valid Until: The date until which the CA is valid in the date time string format specified [here](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date#date_time_string_format). For example, the following formats would be valid: `YYYY`, `YYYY-MM`, `YYYY-MM-DD`, `YYYY-MM-DDTHH:mm:ss.sssZ`.
+ - Path Length: The maximum number of intermediate CAs that can be chained to this CA. A path of `-1` implies no limit; a path of `0` implies no intermediate CAs can be chained.
+ - Organization (O): The organization name.
+ - Country (C): The country code.
+ - State or Province Name: The state or province.
+ - Locality Name: The city or locality.
+ - Common Name: The name of the CA.
+
+
+ The Organization, Country, State or Province Name, Locality Name, and Common Name make up the **Distinguished Name (DN)** or **subject** of the CA.
+ At least one of these fields must be filled out.
+
+
+
+ 1.1. To create an intermediate CA, press **Create CA** again but this time specifying the **CA Type** to be **Intermediate**. Fill out the details for the intermediate CA.
+
+ 
+
+ 1.2. Next, press the **Install Certificate** option on the intermediate CA from step 1.1.
+
+ 
+
+ Here, set the **Parent CA** to the root CA created in step 1 and configure the intended **Valid Until** and **Path Length** fields on the intermediate CA; feel free to use the prefilled values.
+
+ 
+
+ Here's some guidance on each field:
+
+ - Parent CA: The parent CA to which this intermediate CA will be chained. In this case, it should be the root CA created in step 1.
+ - Valid Until: The date until which the CA is valid in the date time string format specified [here](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date#date_time_string_format). The date must be within the validity period of the parent CA.
+ - Path Length: The maximum number of intermediate CAs that can be chained to this CA. The path length must be less than the path length of the parent CA.
+
+ Finally, press **Install** to chain the intermediate CA to the root CA; this creates a Certificate Signing Request (CSR) for the intermediate CA, creates an intermediate certificate using the root CA private key and CSR, and imports the signed certificate back to the intermediate CA.
+
+ 
+
+ Great! You've successfully created a Private CA hierarchy with a root CA and an intermediate CA.
+ Now check out the [Certificates](/documentation/platform/pki/certificates) page to learn more about how to issue X.509 certificates using the intermediate CA.
+
+
+
+
+## FAQ
+
+
+
+ Infisical currently only supports `RSA_2048` and `SHA256WITHRSA` for the
+ private key and signing algorithm. We are working to add support for more
+ algorithms in the future.
+
+
diff --git a/docs/images/platform/pki/ca-create-intermediate.png b/docs/images/platform/pki/ca-create-intermediate.png
new file mode 100644
index 0000000000..e52e5735c8
Binary files /dev/null and b/docs/images/platform/pki/ca-create-intermediate.png differ
diff --git a/docs/images/platform/pki/ca-create-root.png b/docs/images/platform/pki/ca-create-root.png
new file mode 100644
index 0000000000..3c954b833d
Binary files /dev/null and b/docs/images/platform/pki/ca-create-root.png differ
diff --git a/docs/images/platform/pki/ca-create.png b/docs/images/platform/pki/ca-create.png
new file mode 100644
index 0000000000..35096c721c
Binary files /dev/null and b/docs/images/platform/pki/ca-create.png differ
diff --git a/docs/images/platform/pki/ca-install-intermediate-opt.png b/docs/images/platform/pki/ca-install-intermediate-opt.png
new file mode 100644
index 0000000000..2bdcbf3069
Binary files /dev/null and b/docs/images/platform/pki/ca-install-intermediate-opt.png differ
diff --git a/docs/images/platform/pki/ca-install-intermediate.png b/docs/images/platform/pki/ca-install-intermediate.png
new file mode 100644
index 0000000000..ca30ad6ffd
Binary files /dev/null and b/docs/images/platform/pki/ca-install-intermediate.png differ
diff --git a/docs/images/platform/pki/cas.png b/docs/images/platform/pki/cas.png
new file mode 100644
index 0000000000..b532768e22
Binary files /dev/null and b/docs/images/platform/pki/cas.png differ
diff --git a/docs/images/platform/pki/cert-body.png b/docs/images/platform/pki/cert-body.png
new file mode 100644
index 0000000000..8ed67a7ec2
Binary files /dev/null and b/docs/images/platform/pki/cert-body.png differ
diff --git a/docs/images/platform/pki/cert-issue-modal.png b/docs/images/platform/pki/cert-issue-modal.png
new file mode 100644
index 0000000000..1516ab1cb4
Binary files /dev/null and b/docs/images/platform/pki/cert-issue-modal.png differ
diff --git a/docs/images/platform/pki/cert-issue.png b/docs/images/platform/pki/cert-issue.png
new file mode 100644
index 0000000000..6b3e5887b6
Binary files /dev/null and b/docs/images/platform/pki/cert-issue.png differ
diff --git a/docs/images/platform/pki/certs.png b/docs/images/platform/pki/certs.png
new file mode 100644
index 0000000000..4e1b499594
Binary files /dev/null and b/docs/images/platform/pki/certs.png differ
diff --git a/docs/mint.json b/docs/mint.json
index 5c5097d420..610f362c26 100644
--- a/docs/mint.json
+++ b/docs/mint.json
@@ -32,10 +32,7 @@
"thumbsRating": true
},
"api": {
- "baseUrl": [
- "https://app.infisical.com",
- "http://localhost:8080"
- ]
+ "baseUrl": ["https://app.infisical.com", "http://localhost:8080"]
},
"topbarLinks": [
{
@@ -76,9 +73,7 @@
"documentation/getting-started/introduction",
{
"group": "Quickstart",
- "pages": [
- "documentation/guides/local-development"
- ]
+ "pages": ["documentation/guides/local-development"]
},
{
"group": "Guides",
@@ -107,6 +102,14 @@
"documentation/platform/webhooks"
]
},
+ {
+ "group": "Internal PKI",
+ "pages": [
+ "documentation/platform/pki/overview ",
+ "documentation/platform/pki/private-ca",
+ "documentation/platform/pki/certificates"
+ ]
+ },
{
"group": "Identities",
"pages": [
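Review bot: The first entry of the new "Internal PKI" group, `"documentation/platform/pki/overview "`, carries a trailing space, so it does not match the `docs/documentation/platform/pki/overview.mdx` file this commit adds and the sidebar link will presumably resolve to nothing (or fail the docs build, depending on how strictly the path is checked). The other two entries in the group are correct, so only that one string needs the space dropped: `"documentation/platform/pki/overview",`. The remaining mint.json hunks in this commit are pure reformatting and raise nothing.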
@@ -221,9 +224,7 @@
},
{
"group": "Reference architectures",
- "pages": [
- "self-hosting/reference-architectures/aws-ecs"
- ]
+ "pages": ["self-hosting/reference-architectures/aws-ecs"]
},
"self-hosting/ee",
"self-hosting/faq"
@@ -379,15 +380,11 @@
},
{
"group": "Build Tool Integrations",
- "pages": [
- "integrations/build-tools/gradle"
- ]
+ "pages": ["integrations/build-tools/gradle"]
},
{
"group": "",
- "pages": [
- "sdks/overview"
- ]
+ "pages": ["sdks/overview"]
},
{
"group": "SDK's",
@@ -405,9 +402,7 @@
"api-reference/overview/authentication",
{
"group": "Examples",
- "pages": [
- "api-reference/overview/examples/integration"
- ]
+ "pages": ["api-reference/overview/examples/integration"]
}
]
},
@@ -563,15 +558,11 @@
},
{
"group": "Service Tokens",
- "pages": [
- "api-reference/endpoints/service-tokens/get"
- ]
+ "pages": ["api-reference/endpoints/service-tokens/get"]
},
{
"group": "Audit Logs",
- "pages": [
- "api-reference/endpoints/audit-logs/export-audit-log"
- ]
+ "pages": ["api-reference/endpoints/audit-logs/export-audit-log"]
}
]
},
@@ -587,9 +578,7 @@
},
{
"group": "",
- "pages": [
- "changelog/overview"
- ]
+ "pages": ["changelog/overview"]
},
{
"group": "Contributing",
@@ -613,9 +602,7 @@
},
{
"group": "Contributing to SDK",
- "pages": [
- "contributing/sdk/developing"
- ]
+ "pages": ["contributing/sdk/developing"]
}
]
}
diff --git a/frontend/src/layouts/AppLayout/AppLayout.tsx b/frontend/src/layouts/AppLayout/AppLayout.tsx
index f982100d54..72351df88e 100644
--- a/frontend/src/layouts/AppLayout/AppLayout.tsx
+++ b/frontend/src/layouts/AppLayout/AppLayout.tsx
@@ -527,7 +527,7 @@ export const AppLayout = ({ children }: LayoutProps) => {
}
icon="system-outline-90-lock-closed"
>
- Certificates
+ Internal PKI
@@ -645,9 +645,7 @@ export const AppLayout = ({ children }: LayoutProps) => {