Add pki concepts docs

This commit is contained in:
Tuan Dang
2025-10-24 00:22:17 -07:00
parent 85dfdcc1bc
commit b7d38ab693
5 changed files with 104 additions and 9 deletions

View File

@@ -704,11 +704,28 @@
"item": "Infisical PKI",
"groups": [
{
"group": "Infisical PKI",
"group": "Certificate Management",
"pages": [
"documentation/platform/pki/overview",
"documentation/platform/pki/private-ca",
"documentation/platform/pki/external-ca",
{
"group": "Concepts",
"pages": [
"documentation/platform/pki/concepts/certificate-mgmt",
"documentation/platform/pki/concepts/certificate-lifecycle"
]
}
]
},
{
"group": "Product Reference",
"pages": [
{
"group": "Certificate Authorities",
"pages": [
"documentation/platform/pki/private-ca",
"documentation/platform/pki/external-ca"
]
},
"documentation/platform/pki/subscribers",
"documentation/platform/pki/certificates",
"documentation/platform/pki/acme-ca",
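Review bot: The two new navigation entries `documentation/platform/pki/concepts/certificate-mgmt` and `documentation/platform/pki/concepts/certificate-lifecycle` need to match the file names of the pages added in this commit exactly (the pages are titled "Certificate Management" and "Certificate Lifecycle"), otherwise the sidebar links will 404; please double-check the `certificate-mgmt` spelling against the actual file. Also note that this hunk both renames the group from "Infisical PKI" to "Certificate Management" and moves `private-ca` and `external-ca` into a nested "Certificate Authorities" group under "Product Reference", so any existing deep links or redirects that assumed the old grouping should be verified.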

View File

@@ -0,0 +1,53 @@
---
title: "Certificate Lifecycle"
description: "Learn what is the certificate lifecycle and how it works."
---
## Certificate Lifecycle
Typically, a certificate goes through a series of stages during its lifetime from creation to retirement. This is called the certificate lifecycle. The exact names of these stages may vary from vendor to vendor, but they typically include [discovery](/documentation/platform/pki/concepts/certificate-lifecycle#discovery), [enrollment](/documentation/platform/pki/concepts/certificate-lifecycle#enrollment), [deployment](/documentation/platform/pki/concepts/certificate-lifecycle#deployment), [renewal](/documentation/platform/pki/concepts/certificate-lifecycle#renewal), [revocation](/documentation/platform/pki/concepts/certificate-lifecycle#revocation), and [retirement](/documentation/platform/pki/concepts/certificate-lifecycle#retirement).
Note that not every stage is needed. For instance:
- You are not required to discover certificates in order to start issuing and managing them.
- You may not need to revoke a certificate explicitly if it expires naturally and is replaced during routine renewal.
## Discovery
Certificate discovery is the process of identifying all active and inactive certificates across an environment, including those found on web servers, load balancers, services, and devices. A complete inventory prevents outages from forgotten certificates and creates the foundation for automation and monitoring.
## Enrollment (Request / Issuance)
Certificate enrollment is the process of requesting a certificate from a CA and can follow different approaches depending on the system or protocol in use.
Common approaches to certificate enrollment include:
- CSR-based enrollment: The client generates a key pair locally and submits a Certificate Signing Request (CSR) to a CA for certificate issuance.
- CSR-less enrollment: The client requests a certificate directly from a CA which may handle key generation internally and return the key pair in the response.
Enrollment can be manually completed via API or fully automated using protocols like EST or ACME. The choice of enrollment method depends on security requirements, operational constraints, and integration context.
## Deployment
Certificate deployment involves installing the issued certificate on the appropriate systems and services, such as web servers, load balancers, or internal endpoints. It can also include distributing or synchronizing certificates to external systems like cloud key stores (e.g., AWS Secrets Manager, Google Secret Manager, Azure Key Vault) so they can be securely consumed by workloads running in the cloud.
Deployment can happen manually or through automated mechanisms such as configuration pipelines, agents, or webhook integrations.
## Renewal
Certificate renewal is the process of requesting a new certificate from a CA before it expires to maintain trust and availability; this process can involve reusing the same key pair or rotating to a new one.
The renewal process can be server-driven or client-driven:
- Server-driven: Infisical automatically renews the certificate on your behalf. The renewed certificate is stored in the platform and can be synchronized to external systems such as cloud key stores.
- Client-driven: An external client, such as an agent or workload, initiates the renewal against Infisical. This is useful when key material needs to remain under client control or when rotation is tied to application-specific logic.
This flexibility allows certificates to be renewed in a way that aligns with different security, automation, and infrastructure models.
## Revocation
Certificate revocation is the process of invalidating a certificate to prevent it from being used. This is required when a certificate is compromised, misconfigured, or no longer needed. The CA signals this status to clients through CRLs or OCSP. A new certificate can be issued and deployed if needed.
## Retirement
Certificate retirement is the process of removing a certificate from the system. This is typically done when a certificate is no longer needed or has expired.
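Review bot: The frontmatter description "Learn what is the certificate lifecycle and how it works." is ungrammatical; suggest `description: "Learn what the certificate lifecycle is and how it works."`. Two smaller documentation points in the same file: the "CSR-less enrollment" bullet says the CA "may handle key generation internally and return the key pair in the response", which means the private key is generated and transmitted by the CA rather than staying on the client, and the page should say so explicitly since that is the main trade-off a reader choosing between the two methods needs; and the "Retirement" section describes removal of the certificate only, but retirement should also cover what happens to the associated private key, otherwise the lifecycle ends with key material still on the system.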

View File

@@ -0,0 +1,20 @@
---
title: "Certificate Management"
description: "Learn what is certificate management and why it matters for building secure systems."
---
## What is a Certificate?
A (digital) _certificate_ is a file that is tied to a cryptographic key pair and is used to verify the identity of a website, user, device, or service. It helps establish trust and secure, encrypted communication between systems.
For example, when you visit a website over HTTPS, your browser checks the TLS certificate deployed on the web server or load balancer to make sure its really the site it claims to be. If the certificate is valid, your browser establishes an encrypted connection with the server.
Certificates contain information about the subject (who it identifies), the public key, and a digital signature from the CA that issued the certificate. They also include additional fields such as key usages, validity periods, and extensions that define how and where the certificate can be used. When a certificate expires, the service presenting it is no longer trusted, and clients won't be able to establish a secure connection to the service.
## What is Certificate Management?
As infrastructure scales and systems become more distributed, certificates sprawl. Without proper visibility and automation in place, certificates scatter across IT infrastructure, creating blind spots that can lead to service outages when certificates aren't renewed in time.
To solve certificate sprawl and avoid outages, organizations rely on certificate management: the practice of centralizing and automating the certificate lifecycle from issuance through renewal and revocation.
A consistent approach makes it easier to keep certificates valid and trusted, reduce operational risk, and maintain secure communication across environments.
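Review bot: Typo in the HTTPS paragraph: "to make sure its really the site it claims to be" should read "it's really the site". The frontmatter description "Learn what is certificate management and why it matters" has the same word-order problem as the lifecycle page and should read "Learn what certificate management is and why it matters". Also, "CA" appears for the first time on this page in "a digital signature from the CA that issued the certificate" without being expanded; since this is an introductory concepts page, spell out "Certificate Authority (CA)" on first use.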

View File

@@ -4,10 +4,15 @@ sidebarTitle: "Overview"
description: "Learn how to create a Private CA hierarchy and issue X.509 certificates."
---
Infisical can be used to create and manage Certificate Authorities (CAs) and issue X.509 certificates. This allows you to manage PKI infrastructure and issue digital certificates for subscribers such as services, applications, and devices.
Infisical can be used to create and manage Certificate Authorities (CAs) and issue digital X.509 certificates. This allows you to manage PKI infrastructure and issue certificates for end-entities such as load balancers, web servers, devices, and more.
Infisical's PKI offering is split into three components:
It helps teams automate certificate management including enrollment and renewal, and adopt secure workflows to ensure certificates remain valid, trusted, and synchronized across infrastructure.
- [Certificate Authorities](/documentation/platform/pki/private-ca): Create and manage CAs, including root and intermediate CAs.
- [Subscribers](/documentation/platform/pki/subscribers): Define and manage entities that will request X.509 certificates from CAs. This module provides a centralized view of all subscribers, enabling you to issue certificates and monitor their status.
- [Certificates](/documentation/platform/pki/certificates): Track and monitor issued X.509 certificates, maintaining a comprehensive inventory of all active and expired certificates.
Core capabilities include:
- Private CA: Create and manage your own private CA hierarchy including root and intermediate CAs.
- External CA integration: Integrate with external public and private CAs including Azure ADCS and ACME-compatible CAs like Let's Encrypt and DigiCert.
- Certificate Enrollment: Support enrollment methods including API, ACME, EST, and more to automate certificate issuance for services, devices, and workloads.
- Certificate Inventory: Track and monitor issued X.509 certificates, maintaining a comprehensive inventory of all active and expired certificates.
- Certificate Lifecycle Automation: Automate issuance, renewal, and revocation with policy-based workflows, ensuring certificates remain valid, compliant, and up to date across your infrastructure.
- Certificate Syncs: Push certificates to cloud certificate managers like AWS Certificate Manager and Azure Key Vault.
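Review bot: The unchanged frontmatter line `description: "Learn how to create a Private CA hierarchy and issue X.509 certificates."` no longer describes this page: the rewritten body now covers external CA integration, enrollment methods (API, ACME, EST), certificate inventory, lifecycle automation and certificate syncs, so the description should be updated to match (e.g. something along the lines of "Learn how Infisical PKI manages certificate authorities and automates the certificate lifecycle"). The page also now links nowhere for the concepts pages added in this commit; a short pointer to the new Certificate Management and Certificate Lifecycle concepts pages would help readers who land on the overview first.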

View File

@@ -3,7 +3,7 @@ title: "Secrets Management"
description: "Learn what is secrets management and why it matters for building secure systems."
---
## What is Secret?
## What is a Secret?
A _secret_ is a confidential value used by an application such as database credential, API key, or other configuration.
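Review bot: While fixing the heading to "What is a Secret?", the unchanged sentence immediately below has the same missing article: "used by an application such as database credential, API key, or other configuration" should read "such as a database credential, an API key, or other configuration".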