Add PKI docs for ACME Infrastructure Integrations

Carlos Monastyrski
2025-11-13 21:48:19 -03:00
parent 3f68ec8016
commit 80d95effcc
9 changed files with 742 additions and 1 deletions


@@ -753,7 +753,12 @@
"group": "Infrastructure Integrations",
"pages": [
"documentation/platform/pki/pki-issuer",
"documentation/platform/pki/integration-guides/gloo-mesh"
"documentation/platform/pki/integration-guides/gloo-mesh",
"documentation/platform/pki/integration-guides/windows-server-acme",
"documentation/platform/pki/integration-guides/nginx-certbot",
"documentation/platform/pki/integration-guides/apache-certbot",
"documentation/platform/pki/integration-guides/tomcat-certbot",
"documentation/platform/pki/integration-guides/jboss-certbot"
]
},
{
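Review bot: the new sidebar slugs mix two naming schemes, `windows-server-acme` beside `nginx-certbot`, `apache-certbot`, `tomcat-certbot` and `jboss-certbot`; since every page is an ACME guide, a consistent suffix (client name or none) keeps the navigation predictable, and each slug must match the path of the corresponding added file exactly or the entry renders as a dead link.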


@@ -0,0 +1,132 @@
---
title: "Apache Server"
description: "Learn how to issue SSL/TLS certificates from Infisical PKI using ACME enrollment on Apache Server with Certbot"
---
This guide will provide a high level overview on how you can use [Infisical PKI](/documentation/platform/pki/overview) and Certbot to issue SSL/TLS certificates for your Apache web server environments using the [ACME protocol](/documentation/platform/pki/enrollment-methods/acme). For more background about the ACME protocol, see the [ACME specification (RFC 8555)](https://tools.ietf.org/html/rfc8555).
## Overview
Certbot is a free, open-source software tool for automatically using Let's Encrypt certificates on manually-administrated websites to enable HTTPS. When configured with [Infisical PKI](/documentation/platform/pki/overview), Certbot can automatically obtain and install certificates from your private PKI infrastructure, providing seamless integration with Apache for automated certificate enrollment and renewal.
## Prerequisites
Before proceeding, ensure you have:
- An Apache web server running on a Linux system with administrative access
- A [certificate profile](/documentation/platform/pki/certificates/profiles) configured for [ACME enrollment](/documentation/platform/pki/enrollment-methods/acme) in Infisical
- Network connectivity from your Apache server to your Infisical instance
- Port 80 accessible for ACME HTTP-01 validation
## Guide
<Steps>
<Step title="Obtain ACME Configuration from Infisical">
Navigate to your Infisical PKI project and locate your [certificate profile](/documentation/platform/pki/certificates/profiles) configured for [ACME enrollment](/documentation/platform/pki/enrollment-methods/acme).
![Certificate profile with ACME enrollment option](/images/platform/pki/acme/certificate-profile-acme-option.png)
Click on Reveal ACME EAB option to open the ACME details modal.
![ACME configuration modal showing directory URL and EAB credentials](/images/platform/pki/acme/acme-configuration-modal.png)
From your certificate profile's ACME configuration, you'll need to collect three essential pieces of information:
1. **ACME Directory URL**: The ACME endpoint URL for your Infisical instance
- Format: `https://your-infisical-instance.com/api/v1/pki/certificate-profiles/{profile-id}/acme/directory`
2. **EAB Key Identifier (KID)**: External Account Binding key identifier
3. **EAB Secret**: External Account Binding secret key
<Note>
Keep your EAB credentials secure as they authenticate your ACME client with Infisical PKI. These credentials are unique to each [certificate profile](/documentation/platform/pki/certificates/profiles) and should not be shared.
</Note>
</Step>
<Step title="Install Certbot">
Install Certbot with the Apache plugin on your server by following the official installation instructions:
Visit the [Certbot installation guide](https://certbot.eff.org/instructions) and select your web server (Apache) and operating system for detailed installation steps specific to your environment.
For most Ubuntu/Debian systems, you can use:
```bash
sudo apt install certbot python3-certbot-apache
```
The installation guide provides up-to-date instructions for various Linux distributions and package managers, ensuring you get the most current version and proper Apache plugin integration.
After installation, verify that Certbot is working correctly:
```bash
certbot --version
```
</Step>
<Step title="Request Certificate Using Certbot">
Use Certbot with your Infisical ACME configuration to request a certificate:
```bash
sudo certbot certonly \
--apache \
--server "https://your-infisical-instance.com/api/v1/pki/certificate-profiles/{profile-id}/acme/directory" \
--eab-kid "your-eab-key-identifier" \
--eab-hmac-key "your-eab-secret" \
-d example.infisical.com \
--email admin@example.com \
--agree-tos \
--non-interactive
```
**Parameter breakdown:**
- `certonly`: Obtain certificate without installing it
- `--apache`: Use Apache plugin for domain validation
- `--server`: Your Infisical ACME directory URL
- `--eab-kid`: Your EAB key identifier from Infisical
- `--eab-hmac-key`: Your EAB secret from Infisical
- `-d`: Domain name for your certificate
- `--email`: Contact email for important account notifications
- `--agree-tos`: Agree to ACME server's Terms of Service
- `--non-interactive`: Run in non-interactive mode
<Note>
Replace the placeholder values with your actual configuration:
- `https://your-infisical-instance.com/api/v1/pki/certificate-profiles/{profile-id}/acme/directory`: Your Infisical ACME endpoint
- `your-eab-key-identifier` and `your-eab-secret`: Your External Account Binding credentials
- `example.infisical.com`: Your actual domain name
- `admin@example.com`: Your contact email
</Note>
</Step>
<Step title="Configure Automatic Renewal">
Certbot can automatically renew certificates. Test the renewal process manually:
```bash
sudo certbot renew --dry-run
```
Manual renewal process:
```bash
sudo certbot renew --post-hook "systemctl reload apache2"
```
<Note>
Certbot can be configured for automatic renewal using systemd timers (`sudo systemctl enable certbot.timer`) or cron jobs. Certbot stores all configuration from the initial request, so renewals will automatically use the same Infisical [ACME endpoint](/documentation/platform/pki/enrollment-methods/acme) and EAB credentials.
</Note>
</Step>
<Step title="Verify Certificate Installation">
Check that certificate files were created:
```bash
sudo ls -la /etc/letsencrypt/live/example.infisical.com/
```
You should see:
- `cert.pem` (leaf certificate)
- `chain.pem` (intermediate certificate)
- `fullchain.pem` (leaf + intermediate certificates)
- `privkey.pem` (private key)
</Step>
</Steps>
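Review bot: the Overview says Certbot will "obtain and install certificates" and the last step is titled "Verify Certificate Installation", but the command uses `certonly`, which the parameter breakdown itself describes as "Obtain certificate without installing it"; either switch the command to `sudo certbot --apache ...` so the plugin also edits the VirtualHost, or retitle the step and add a short note on pointing `SSLCertificateFile` and `SSLCertificateKeyFile` at `fullchain.pem` and `privkey.pem`. Two smaller points in the renewal step: a `--post-hook "systemctl reload apache2"` passed to a manual `certbot renew` is not what the systemd timer mentioned in the note will run, so it is better given as `--deploy-hook` on the initial `certonly`, which Certbot records in the renewal configuration; and `--eab-hmac-key "your-eab-secret"` on the command line ends up in shell history and `ps` output, so the EAB-secrecy note should suggest placing `eab-hmac-key` in a root-only `/etc/letsencrypt/cli.ini` or clearing history afterwards.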


@@ -0,0 +1,170 @@
---
title: "JBoss/WildFly"
description: "Learn how to issue SSL/TLS certificates from Infisical PKI using ACME enrollment on JBoss/WildFly with Certbot"
---
This guide will provide a high level overview on how you can use [Infisical PKI](/documentation/platform/pki/overview) and Certbot to issue SSL/TLS certificates for your JBoss/WildFly application server environments using the [ACME protocol](/documentation/platform/pki/enrollment-methods/acme). For more background about the ACME protocol, see the [ACME specification (RFC 8555)](https://tools.ietf.org/html/rfc8555).
## Overview
Certbot is a free, open-source software tool for automatically using Let's Encrypt certificates on manually-administrated websites to enable HTTPS. When configured with [Infisical PKI](/documentation/platform/pki/overview), Certbot can automatically obtain certificates from your private PKI infrastructure. JBoss/WildFly requires certificates to be converted to Java keystore format and configured through either the legacy security realms or modern Elytron subsystem.
## Prerequisites
Before proceeding, ensure you have:
- A JBoss/WildFly application server running on a Linux system with administrative access
- A [certificate profile](/documentation/platform/pki/certificates/profiles) configured for [ACME enrollment](/documentation/platform/pki/enrollment-methods/acme) in Infisical
- Network connectivity from your JBoss/WildFly server to your Infisical instance
- Port 80 accessible for ACME HTTP-01 validation (JBoss/WildFly should be stopped during certificate issuance)
- Java Development Kit (JDK) installed for keystore management tools
## Guide
<Steps>
<Step title="Obtain ACME Configuration from Infisical">
Navigate to your Infisical PKI project and locate your [certificate profile](/documentation/platform/pki/certificates/profiles) configured for [ACME enrollment](/documentation/platform/pki/enrollment-methods/acme).
![Certificate profile with ACME enrollment option](/images/platform/pki/acme/certificate-profile-acme-option.png)
Click on Reveal ACME EAB option to open the ACME details modal.
![ACME configuration modal showing directory URL and EAB credentials](/images/platform/pki/acme/acme-configuration-modal.png)
From your certificate profile's ACME configuration, you'll need to collect three essential pieces of information:
1. **ACME Directory URL**: The ACME endpoint URL for your Infisical instance
- Format: `https://your-infisical-instance.com/api/v1/pki/certificate-profiles/{profile-id}/acme/directory`
2. **EAB Key Identifier (KID)**: External Account Binding key identifier
3. **EAB Secret**: External Account Binding secret key
<Note>
Keep your EAB credentials secure as they authenticate your ACME client with Infisical PKI. These credentials are unique to each [certificate profile](/documentation/platform/pki/certificates/profiles) and should not be shared.
</Note>
</Step>
<Step title="Install Certbot">
Install Certbot on your JBoss/WildFly server by following the official installation instructions:
Visit the [Certbot installation guide](https://certbot.eff.org/instructions) and select your operating system for detailed installation steps.
For most Ubuntu/Debian systems, you can use:
```bash
sudo apt install certbot
```
The installation guide provides up-to-date instructions for various Linux distributions and package managers.
After installation, verify that Certbot is working correctly:
```bash
certbot --version
```
</Step>
<Step title="Request Certificate Using Certbot">
Since JBoss/WildFly doesn't have a native Certbot plugin, use the standalone authenticator to obtain certificates. **Important**: Stop JBoss/WildFly before running this command as Certbot needs to bind to port 80.
```bash
sudo systemctl stop wildfly
# or for older JBoss versions
# sudo systemctl stop jboss
```
Then request the certificate:
```bash
sudo certbot certonly \
--standalone \
--server "https://your-infisical-instance.com/api/v1/pki/certificate-profiles/{profile-id}/acme/directory" \
--eab-kid "your-eab-key-identifier" \
--eab-hmac-key "your-eab-secret" \
-d example.infisical.com \
--email admin@example.com \
--agree-tos \
--non-interactive
```
**Parameter breakdown:**
- `certonly`: Obtain certificate without installing it
- `--standalone`: Use standalone authenticator (requires port 80)
- `--server`: Your Infisical ACME directory URL
- `--eab-kid`: Your EAB key identifier from Infisical
- `--eab-hmac-key`: Your EAB secret from Infisical
- `-d`: Domain name for your certificate
- `--email`: Contact email for important account notifications
- `--agree-tos`: Agree to ACME server's Terms of Service
- `--non-interactive`: Run in non-interactive mode
<Note>
Replace the placeholder values with your actual configuration:
- `https://your-infisical-instance.com/api/v1/pki/certificate-profiles/{profile-id}/acme/directory`: Your Infisical ACME endpoint
- `your-eab-key-identifier` and `your-eab-secret`: Your External Account Binding credentials
- `example.infisical.com`: Your actual domain name
- `admin@example.com`: Your contact email
</Note>
</Step>
<Step title="Convert Certificate to Java Keystore">
JBoss/WildFly requires certificates in Java keystore format. Convert the PEM certificates obtained from Certbot:
**Create PKCS#12 keystore from PEM files:**
```bash
sudo openssl pkcs12 -export \
-out /opt/wildfly/standalone/configuration/keystore.p12 \
-inkey /etc/letsencrypt/live/example.infisical.com/privkey.pem \
-in /etc/letsencrypt/live/example.infisical.com/cert.pem \
-certfile /etc/letsencrypt/live/example.infisical.com/chain.pem \
-passout pass:changeit
```
**Set appropriate permissions:**
```bash
sudo chown wildfly:wildfly /opt/wildfly/standalone/configuration/keystore.p12
sudo chmod 600 /opt/wildfly/standalone/configuration/keystore.p12
```
<Note>
Replace `changeit` with a strong password and adjust the WildFly installation path if different. Modern WildFly versions support PKCS#12 keystores directly, while older versions may require conversion to JKS format using keytool.
</Note>
</Step>
<Step title="Configure Automatic Renewal">
To renew certificates, you can test the renewal process manually:
```bash
sudo certbot renew --dry-run
```
Manual renewal process:
```bash
sudo systemctl stop wildfly
sudo certbot renew --quiet
# Convert certificates to keystore format and restart WildFly
sudo systemctl start wildfly
```
<Note>
Since JBoss/WildFly requires certificate format conversion, automatic renewal requires a custom script. For production environments, consider creating a cron job that stops the server, renews certificates, converts them to keystore format, and restarts the server.
</Note>
</Step>
<Step title="Verify Certificate Installation">
After successful certificate installation, check that certificate files were created:
```bash
sudo ls -la /etc/letsencrypt/live/example.infisical.com/
```
You should see:
- `cert.pem` (leaf certificate)
- `chain.pem` (intermediate certificate)
- `fullchain.pem` (leaf + intermediate certificates)
- `privkey.pem` (private key)
</Step>
</Steps>
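Review bot: the Overview says the certificate is "configured through either the legacy security realms or modern Elytron subsystem", but no step does that: the guide ends with `keystore.p12` on disk, and the final step only lists the PEM files under `/etc/letsencrypt`, so a reader cannot confirm that WildFly actually serves the certificate. Add a step with the `jboss-cli` commands (Elytron `key-store`, `key-manager` and `server-ssl-context`) that bind the HTTPS listener to `/opt/wildfly/standalone/configuration/keystore.p12`, and make the verification step check that listener rather than the Certbot directory. In the renewal step, stopping WildFly around every `certbot renew` run causes downtime even when nothing is due; `--pre-hook "systemctl stop wildfly" --post-hook "systemctl start wildfly"` run only when a renewal actually happens, and the `# Convert certificates to keystore format and restart WildFly` comment should become a `--deploy-hook` script that reruns the `openssl pkcs12 -export` command, reading the keystore password from a root-only file instead of `-passout pass:changeit` on the command line.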


@@ -0,0 +1,112 @@
---
title: "NGINX"
description: "Learn how to issue SSL/TLS certificates from Infisical PKI using ACME enrollment on NGINX with Certbot"
---
This guide will provide a high level overview on how you can use [Infisical PKI](/documentation/platform/pki/overview) and Certbot to issue SSL/TLS certificates for your NGINX web server environments using the [ACME protocol](/documentation/platform/pki/enrollment-methods/acme). For more background about the ACME protocol, see the [ACME specification (RFC 8555)](https://tools.ietf.org/html/rfc8555).
## Overview
Certbot is a free, open-source software tool for automatically using Let's Encrypt certificates on manually-administrated websites to enable HTTPS. When configured with [Infisical PKI](/documentation/platform/pki/overview), Certbot can automatically obtain and install certificates from your private PKI infrastructure, providing seamless integration with NGINX for automated certificate enrollment and renewal.
## Prerequisites
Before proceeding, ensure you have:
- An NGINX web server running on a Linux system with administrative access
- A [certificate profile](/documentation/platform/pki/certificates/profiles) configured for [ACME enrollment](/documentation/platform/pki/enrollment-methods/acme) in Infisical
- Network connectivity from your NGINX server to your Infisical instance
- Port 80 accessible for ACME HTTP-01 validation
## Guide
<Steps>
<Step title="Obtain ACME Configuration from Infisical">
Navigate to your Infisical PKI project and locate your [certificate profile](/documentation/platform/pki/certificates/profiles) configured for [ACME enrollment](/documentation/platform/pki/enrollment-methods/acme).
![Certificate profile with ACME enrollment option](/images/platform/pki/acme/certificate-profile-acme-option.png)
Click on Reveal ACME EAB option to open the ACME details modal.
![ACME configuration modal showing directory URL and EAB credentials](/images/platform/pki/acme/acme-configuration-modal.png)
From your certificate profile's ACME configuration, you'll need to collect three essential pieces of information:
1. **ACME Directory URL**: The ACME endpoint URL for your Infisical instance
- Format: `https://your-infisical-instance.com/api/v1/pki/certificate-profiles/{profile-id}/acme/directory`
2. **EAB Key Identifier (KID)**: External Account Binding key identifier
3. **EAB Secret**: External Account Binding secret key
<Note>
Keep your EAB credentials secure as they authenticate your ACME client with Infisical PKI. These credentials are unique to each [certificate profile](/documentation/platform/pki/certificates/profiles) and should not be shared.
</Note>
</Step>
<Step title="Install Certbot">
Install Certbot on your NGINX server by following the official installation instructions:
Visit the [Certbot installation guide](https://certbot.eff.org/instructions) and select your web server (NGINX) and operating system for detailed installation steps specific to your environment.
The installation guide provides up-to-date instructions for various Linux distributions and package managers, ensuring you get the most current version and proper NGINX plugin integration.
After installation, verify that Certbot is working correctly:
```bash
certbot --version
```
</Step>
<Step title="Request Certificate Using Certbot">
Use Certbot with your Infisical ACME configuration to request a certificate:
```bash
sudo certbot certonly \
--nginx \
--server "https://your-infisical-instance.com/api/v1/pki/certificate-profiles/{profile-id}/acme/directory" \
--eab-kid "your-eab-key-identifier" \
--eab-hmac-key "your-eab-secret" \
-d example.infisical.com \
--email admin@example.com \
--agree-tos \
--non-interactive
```
**Parameter breakdown:**
- `certonly`: Obtain certificate without installing it
- `--nginx`: Use NGINX plugin for domain validation
- `--server`: Your Infisical ACME directory URL
- `--eab-kid`: Your EAB key identifier from Infisical
- `--eab-hmac-key`: Your EAB secret from Infisical
- `-d`: Domain name for your certificate
- `--email`: Contact email for important account notifications
- `--agree-tos`: Agree to ACME server's Terms of Service
- `--non-interactive`: Run in non-interactive mode
<Note>
Replace the placeholder values with your actual configuration:
- `https://your-infisical-instance.com/api/v1/pki/certificate-profiles/{profile-id}/acme/directory`: Your Infisical ACME endpoint
- `your-eab-key-identifier` and `your-eab-secret`: Your External Account Binding credentials
- `example.infisical.com`: Your actual domain name
- `admin@example.com`: Your contact email
</Note>
</Step>
<Step title="Configure Automatic Renewal">
Certbot can automatically renew certificates. Test the renewal process manually:
```bash
sudo certbot renew --dry-run
```
Manual renewal process:
```bash
sudo certbot renew --post-hook "systemctl reload nginx"
```
<Note>
Certbot can be configured for automatic renewal using systemd timers (`sudo systemctl enable certbot.timer`) or cron jobs. Certbot stores all configuration from the initial request, so renewals will automatically use the same Infisical [ACME endpoint](/documentation/platform/pki/enrollment-methods/acme) and EAB credentials.
</Note>
</Step>
</Steps>
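Review bot: this page is missing two pieces the sibling guides have: the Install step names no package (the Apache page shows `sudo apt install certbot python3-certbot-apache`; the NGINX equivalent is `python3-certbot-nginx`, without which `--nginx` fails because the plugin is not installed), and there is no "Verify Certificate Installation" step at all. The same `certonly` versus "install" mismatch applies here: the Overview promises Certbot will "obtain and install certificates" while the breakdown says `certonly` obtains "without installing it"; either use `sudo certbot --nginx ...` or show the `ssl_certificate` and `ssl_certificate_key` lines the reader must add to the `server` block. Prefer `--deploy-hook "systemctl reload nginx"` on the initial request over `--post-hook` on a manual `renew` so the timer-driven renewal described in the note also reloads NGINX.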


@@ -0,0 +1,141 @@
---
title: "Tomcat"
description: "Learn how to issue SSL/TLS certificates from Infisical PKI using ACME enrollment on Tomcat with Certbot"
---
This guide will provide a high level overview on how you can use [Infisical PKI](/documentation/platform/pki/overview) and Certbot to issue SSL/TLS certificates for your Tomcat application server environments using the [ACME protocol](/documentation/platform/pki/enrollment-methods/acme). For more background about the ACME protocol, see the [ACME specification (RFC 8555)](https://tools.ietf.org/html/rfc8555).
## Overview
Certbot is a free, open-source software tool for automatically using Let's Encrypt certificates on manually-administrated websites to enable HTTPS. When configured with [Infisical PKI](/documentation/platform/pki/overview), Certbot can automatically obtain certificates from your private PKI infrastructure. Unlike Apache and NGINX, Tomcat doesn't have a native Certbot plugin, so certificates need to be obtained using the standalone authenticator and manually configured in Tomcat.
## Prerequisites
Before proceeding, ensure you have:
- A Tomcat application server running on a Linux system with administrative access
- A [certificate profile](/documentation/platform/pki/certificates/profiles) configured for [ACME enrollment](/documentation/platform/pki/enrollment-methods/acme) in Infisical
- Network connectivity from your Tomcat server to your Infisical instance
- Port 80 accessible for ACME HTTP-01 validation (Tomcat should be stopped during certificate issuance)
## Guide
<Steps>
<Step title="Obtain ACME Configuration from Infisical">
Navigate to your Infisical PKI project and locate your [certificate profile](/documentation/platform/pki/certificates/profiles) configured for [ACME enrollment](/documentation/platform/pki/enrollment-methods/acme).
![Certificate profile with ACME enrollment option](/images/platform/pki/acme/certificate-profile-acme-option.png)
Click on Reveal ACME EAB option to open the ACME details modal.
![ACME configuration modal showing directory URL and EAB credentials](/images/platform/pki/acme/acme-configuration-modal.png)
From your certificate profile's ACME configuration, you'll need to collect three essential pieces of information:
1. **ACME Directory URL**: The ACME endpoint URL for your Infisical instance
- Format: `https://your-infisical-instance.com/api/v1/pki/certificate-profiles/{profile-id}/acme/directory`
2. **EAB Key Identifier (KID)**: External Account Binding key identifier
3. **EAB Secret**: External Account Binding secret key
<Note>
Keep your EAB credentials secure as they authenticate your ACME client with Infisical PKI. These credentials are unique to each [certificate profile](/documentation/platform/pki/certificates/profiles) and should not be shared.
</Note>
</Step>
<Step title="Install Certbot">
Install Certbot on your Tomcat server by following the official installation instructions:
Visit the [Certbot installation guide](https://certbot.eff.org/instructions) and select your operating system for detailed installation steps.
For most Ubuntu/Debian systems, you can use:
```bash
sudo apt install certbot
```
The installation guide provides up-to-date instructions for various Linux distributions and package managers.
After installation, verify that Certbot is working correctly:
```bash
certbot --version
```
</Step>
<Step title="Request Certificate Using Certbot">
Since Tomcat doesn't have a native Certbot plugin, use the standalone authenticator to obtain certificates. **Important**: Stop Tomcat before running this command as Certbot needs to bind to port 80.
```bash
sudo systemctl stop tomcat
```
Then request the certificate:
```bash
sudo certbot certonly \
--standalone \
--server "https://your-infisical-instance.com/api/v1/pki/certificate-profiles/{profile-id}/acme/directory" \
--eab-kid "your-eab-key-identifier" \
--eab-hmac-key "your-eab-secret" \
-d example.infisical.com \
--email admin@example.com \
--agree-tos \
--non-interactive
```
**Parameter breakdown:**
- `certonly`: Obtain certificate without installing it
- `--standalone`: Use standalone authenticator (requires port 80)
- `--server`: Your Infisical ACME directory URL
- `--eab-kid`: Your EAB key identifier from Infisical
- `--eab-hmac-key`: Your EAB secret from Infisical
- `-d`: Domain name for your certificate
- `--email`: Contact email for important account notifications
- `--agree-tos`: Agree to ACME server's Terms of Service
- `--non-interactive`: Run in non-interactive mode
<Note>
Replace the placeholder values with your actual configuration:
- `https://your-infisical-instance.com/api/v1/pki/certificate-profiles/{profile-id}/acme/directory`: Your Infisical ACME endpoint
- `your-eab-key-identifier` and `your-eab-secret`: Your External Account Binding credentials
- `example.infisical.com`: Your actual domain name
- `admin@example.com`: Your contact email
</Note>
</Step>
<Step title="Configure Automatic Renewal">
To renew certificates, you can test the renewal process manually:
```bash
sudo certbot renew --dry-run
```
Manual renewal process:
```bash
sudo systemctl stop tomcat
sudo certbot renew --quiet
# Copy certificates to Tomcat configuration directory and restart
sudo systemctl start tomcat
```
<Note>
Since Tomcat requires manual certificate file copying, automatic renewal requires a custom script. For production environments, consider creating a cron job that stops the server, renews certificates, copies them to the configuration directory, and restarts the server.
</Note>
</Step>
<Step title="Verify Certificate Installation">
After successful certificate installation, check that certificate files were created:
```bash
sudo ls -la /etc/letsencrypt/live/example.infisical.com/
```
You should see:
- `cert.pem` (leaf certificate)
- `chain.pem` (intermediate certificate)
- `fullchain.pem` (leaf + intermediate certificates)
- `privkey.pem` (private key)
</Step>
</Steps>
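Review bot: the Overview says the certificate must be "manually configured in Tomcat" and the renewal block says `# Copy certificates to Tomcat configuration directory and restart`, but no step shows the Tomcat side: which files to copy, where, and the `<Connector>`/`<SSLHostConfig>` entry in `server.xml` (Tomcat 8.5 and later accept `certificateFile`, `certificateKeyFile` and `certificateChainFile` pointing at the PEM files directly, so no keystore conversion is needed). Add that step, including `chown`/`chmod` on the copied `privkey.pem`, since `/etc/letsencrypt/live` is root-only and Tomcat normally runs unprivileged, and make the final step verify the HTTPS connector rather than listing the Certbot directory. As on the JBoss page, `--pre-hook "systemctl stop tomcat"` and `--post-hook "systemctl start tomcat"` only fire when a renewal is actually due, so they avoid stopping Tomcat on every scheduled run.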


@@ -0,0 +1,181 @@
---
title: "Windows Server"
description: "Learn how to issue SSL/TLS certificates from Infisical PKI using ACME enrollment on Windows Server with win-acme"
---
This guide will provide a high level overview on how you can use [Infisical PKI](/documentation/platform/pki/overview) and win-acme to issue SSL/TLS certificates for your Windows Server environments using the [ACME protocol](/documentation/platform/pki/enrollment-methods/acme). For more background about the ACME protocol, see the [ACME specification (RFC 8555)](https://tools.ietf.org/html/rfc8555).
## Overview
Win-acme is a feature-rich ACME client designed specifically for Windows environments, offering seamless integration with IIS, Windows Certificate Store, and various other certificate storage options. This integration enables Windows Server environments to leverage Infisical's certificate management capabilities with automated certificate enrollment and renewal.
## Prerequisites
Before proceeding, ensure you have:
- A Windows Server instance running with administrative access
- A [certificate profile](/documentation/platform/pki/certificates/profiles) configured for [ACME enrollment](/documentation/platform/pki/enrollment-methods/acme) in Infisical
- Network connectivity from Windows Server to your Infisical instance
## Guide
<Steps>
<Step title="Obtain ACME Configuration from Infisical">
Navigate to your Infisical PKI project and locate your [certificate profile](/documentation/platform/pki/certificates/profiles) configured for [ACME enrollment](/documentation/platform/pki/enrollment-methods/acme).
![Certificate profile with ACME enrollment option](/images/platform/pki/acme/certificate-profile-acme-option.png)
Click on Reveal ACME EAB option to open the ACME details modal.
![ACME configuration modal showing directory URL and EAB credentials](/images/platform/pki/acme/acme-configuration-modal.png)
<Note>
Keep your EAB credentials secure as they authenticate your ACME client with Infisical PKI. These credentials are unique to each [certificate profile](/documentation/platform/pki/certificates/profiles) and should not be shared.
</Note>
</Step>
<Step title="Install win-acme">
Download and install win-acme on your Windows Server using one of the following methods
<Tabs>
<Tab title="Download from GitHub">
1. Visit the [win-acme releases page](https://github.com/win-acme/win-acme/releases)
2. Download the latest stable release ZIP file
3. Extract the contents to a folder (e.g., `C:\win-acme`)
4. Open Command Prompt or PowerShell as Administrator
5. Navigate to the win-acme folder
```powershell
cd C:\win-acme
```
</Tab>
<Tab title=".NET Tool (Global Install)">
If you have .NET Core installed, you can install win-acme as a global tool:
```powershell
dotnet tool install win-acme --global
```
This makes `wacs` command available system-wide.
</Tab>
</Tabs>
</Step>
<Step title="Request Certificate Using Command Line">
Use the following win-acme command structure to request a certificate from Infisical PKI:
```powershell
wacs.exe --target manual --host <your-certificate-dns> --baseuri "<ACME Directory URL>" --eab-key-identifier "<EAB KID>" --eab-key "<EAB Secret>" --validation selfhosting --store pemfiles --pemfilespath "<your-folder-path>" --verbose
```
**Parameter breakdown:**
- `--target manual`: Specifies manual target configuration
- `--host <domain>`: The domain name for your certificate
- `--baseuri`: Your Infisical ACME directory URL
- `--eab-key-identifier`: Your EAB key identifier from Infisical
- `--eab-key`: Your EAB secret from Infisical
- `--validation selfhosting`: Uses self-hosting validation method
- `--store pemfiles`: Stores certificates as PEM files
- `--pemfilespath`: Directory where certificates will be saved
- `--verbose`: Enables detailed logging
<Note>
Replace the placeholder values with your actual configuration:
- `<your-certificate-dns>`: Your actual domain name
- `<ACME Directory URL>`: Your Infisical ACME endpoint
- `<EAB KID>` and `<EAB Secret>`: Your External Account Binding credentials
- `<your-folder-path>`: Desired certificate storage location
</Note>
</Step>
<Step title="Alternative Storage Options">
Win-acme supports various certificate storage options. Here are common alternatives to PEM files:
<Tabs>
<Tab title="Windows Certificate Store">
Store certificates directly in the Windows Certificate Store:
```powershell
wacs.exe --target manual --host example.infisical.com --baseuri "<ACME Directory URL>" --eab-key-identifier "<EAB KID>" --eab-key "<EAB Secret>" --validation selfhosting --store certificatestore --verbose
```
</Tab>
<Tab title="PFX Files">
Generate PFX files with password protection:
```powershell
wacs.exe --target manual --host example.infisical.com --baseuri "<ACME Directory URL>" --eab-key-identifier "<EAB KID>" --eab-key "<EAB Secret>" --validation selfhosting --store pfxfile --pfxfilepath "C:\certificates" --pfxpassword "your-secure-password" --verbose
```
</Tab>
<Tab title="IIS Central SSL">
For IIS Central SSL store integration:
```powershell
wacs.exe --target manual --host example.infisical.com --baseuri "<ACME Directory URL>" --eab-key-identifier "<EAB KID>" --eab-key "<EAB Secret>" --validation selfhosting --store centralssl --centralsslstore "C:\CentralSSL" --verbose
```
</Tab>
</Tabs>
</Step>
<Step title="Configure Automatic Renewal">
Win-acme can automatically create a Windows Scheduled Task for certificate renewal.
**Option 1: Enable during initial certificate request**
Include the `--setuptaskscheduler` parameter in your initial command:
```powershell
wacs.exe --target manual --host example.infisical.com --baseuri "<ACME Directory URL>" --eab-key-identifier "<EAB KID>" --eab-key "<EAB Secret>" --validation selfhosting --store pemfiles --pemfilespath "C:\certificates" --setuptaskscheduler --verbose
```
**Option 2: Test manual renewal**
You can test the renewal process manually before setting up automation:
```powershell
wacs.exe --renew --force --verbose
```
**Option 3: Verify scheduled task creation**
Check that the scheduled task was created successfully:
```powershell
Get-ScheduledTask -TaskName "*win-acme*"
```
The task will:
- Run under the SYSTEM account
- Check certificates daily for renewal eligibility
- Automatically renew certificates that are within the renewal threshold
- Log renewal activities to Windows Event Viewer and log files
<Note>
Win-acme stores renewal configurations automatically, so once a certificate is created, the renewal process will use the same parameters (ACME endpoint, EAB credentials, storage options) for future renewals.
</Note>
</Step>
<Step title="Verify Certificate Installation">
After successful certificate issuance, verify the certificate files are created:
<Tabs>
<Tab title="PEM Files">
Check your specified PEM files directory:
```powershell
Get-ChildItem "C:\certificates" -Filter "*.pem"
```
You should see files like:
- `example.infisical.com-crt.pem` (certificate)
- `example.infisical.com-key.pem` (private key)
- `example.infisical.com-chain.pem` (complete certificate chain)
- `example.infisical.com-chain-only.pem` (only certificate chain)
![Windows Server Generated PEM files](/images/platform/pki/integrations/windows-server/certificates-created.png)
</Tab>
<Tab title="Windows Certificate Store">
Check the certificate store using PowerShell:
```powershell
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*example.infisical.com*"}
```
</Tab>
</Tabs>
</Step>
</Steps>
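Review bot: the "Obtain ACME Configuration from Infisical" step drops the numbered list of the three values (directory URL format, EAB KID, EAB secret) that every other guide in this commit includes, so the reader is never told what the modal shows before `--baseuri`, `--eab-key-identifier` and `--eab-key` ask for it; restore the list. Prerequisites should also state that `--validation selfhosting` needs port 80 reachable from the Infisical instance, matching the "Port 80 accessible for ACME HTTP-01 validation" line on the Linux pages. In the renewal step, "Option 1/2/3" are not alternatives: option 2 tests option 1 and option 3 verifies it, so plain sub-headings read better. Finally, the PFX tab passes `--pfxpassword "your-secure-password"` inline and every command passes the EAB secret inline; a note that these are persisted in PSReadLine's command history belongs beside the existing EAB-secrecy note.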

Binary file not shown.


Binary file not shown.


Binary file not shown.
