finish updating ca docs

This commit is contained in:
Tuan Dang
2025-10-29 12:43:28 -07:00
parent a76d013ce0
commit c4c4ff4086
13 changed files with 128 additions and 208 deletions

View File

@@ -722,8 +722,18 @@
{
"group": "Certificate Authorities",
"pages": [
"documentation/platform/pki/private-ca",
"documentation/platform/pki/external-ca"
"documentation/platform/pki/ca/overview",
"documentation/platform/pki/ca/private-ca",
"documentation/platform/pki/ca/external-ca"
]
},
{
"group": "Certificates",
"pages": [
"documentation/platform/pki/certificates/overview",
"documentation/platform/pki/certificates/profiles",
"documentation/platform/pki/certificates/templates",
"documentation/platform/pki/certificates/certificates"
]
},
"documentation/platform/pki/subscribers",
@@ -750,8 +760,8 @@
{
"group": "CA Integrations",
"pages": [
"documentation/platform/pki/acme-ca",
"documentation/platform/pki/azure-adcs"
"documentation/platform/pki/ca/acme-ca",
"documentation/platform/pki/ca/azure-adcs"
]
}
]
@@ -2939,6 +2949,22 @@
{
"source": "/sdks/languages/csharp",
"destination": "/sdks/languages/dotnet"
},
{
"source": "/documentation/platform/pki/private-ca",
"destination": "/documentation/platform/pki/ca/private-ca"
},
{
"source": "/documentation/platform/pki/external-ca",
"destination": "/documentation/platform/pki/ca/external-ca"
},
{
"source": "/documentation/platform/pki/acme-ca",
"destination": "/documentation/platform/pki/ca/acme-ca"
},
{
"source": "/documentation/platform/pki/azure-adcs",
"destination": "/documentation/platform/pki/ca/azure-adcs"
}
]
}

View File

@@ -0,0 +1,50 @@
---
title: "External CA"
sidebarTitle: "External CA"
description: "Learn how to connect External Certificate Authorities with Infisical."
---
## Concept
Infisical lets you integrate with External Certificate Authorities (CAs), allowing you to use existing PKI infrastructure or connect to public CAs to issue digital certificates for your end-entities.
<div align="center">
```mermaid
graph TD
A1[External Public CA<br>e.g. Let's Encrypt, ZeroSSL, ...] --> Infisical
A2[External Private CA<br>e.g. AWS Private CA, HashiCorp Vault PKI, ...] --> Infisical
```
</div>
As shown above, these CAs commonly fall under two categories:
- External Private CAs: CAs like AWS Private CA, HashiCorp Vault PKI, Azure ADCS, etc. that are privately owned and are used to issue certificates for internal services; these are often either cloud-hosted private CAs or on-prem / enterprise CAs.
- External Public CAs: CAs like Let's Encrypt, DigiCert, GlobalSign, etc. that are publicly trusted and are used to issue certificates for public-facing services.
Note that Infisical can also act as an _ACME client_, allowing you to integrate upstream with any ACME-compatible CA to automate certificate issuance and renewal.
## Workflow
A typical workflow for integrating an External CA with Infisical consists of choosing the desired External CA type
and specifying the configuration or connection details necessary to connect to the CA.
The specific steps and requirements vary depending on the External CA type you choose to integrate.
## Supported External CA Types
Infisical currently supports the following External CA types out of the box:
- [ACME CA](/documentation/platform/pki/ca/acme-ca): An ACME-compatible CA that supports the ACME protocol, such as Let's Encrypt, ZeroSSL, Buypass, Digicert, etc.
- [Azure ADCS](/documentation/platform/pki/ca/azure-adcs): A Microsoft Active Directory Certificate Services (ADCS) that supports the ADCS protocol, such as AWS Private CA, Azure ADCS, etc.
If you dont see a specific external CA listed here or need a dedicated integration guide, please reach out to sales@infisical.com and well help you set up the integration for your external CA.
## FAQ
<AccordionGroup>
<Accordion title="Can I use both Private CAs and External CAs in the same project?">
Yes. You can have both Private and External CAs in the same project.
</Accordion>
</AccordionGroup>
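Review bot: The Azure ADCS bullet under "Supported External CA Types" is wrong as written: it describes the type as "a Microsoft Active Directory Certificate Services (ADCS) that supports the ADCS protocol, such as AWS Private CA, Azure ADCS, etc." There is no "ADCS protocol", and AWS Private CA is not an ADCS deployment. Suggest something like "Azure ADCS: A Microsoft Active Directory Certificate Services deployment that Infisical enrolls against directly." Relatedly, the "External Private CAs" bullet names AWS Private CA and HashiCorp Vault PKI as examples, but only ACME and Azure ADCS are listed as supported; say which of the two covers each example (Vault PKI can be reached as an ACME CA) or drop AWS Private CA from the list so readers are not left guessing whether it works. Two more small ones: "If you dont see" / "well help" are missing apostrophes (don't, we'll), and the FAQ says "Private CAs" while this commit retitles that page "Internal CA"; pick one term.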

View File

@@ -0,0 +1,13 @@
---
title: "Overview"
sidebarTitle: "Overview"
---
Before issuing and managing certificates with Infisical, you'll need to configure a Certificate Authority (CA).
This is the trusted entity that signs and validates the X.509 certificates used to secure your end-entities.
Infisical supports two categories of CAs:
- [Internal CA](/documentation/platform/pki/ca/private-ca): Internally operated root and intermediate CAs managed within Infisical. This is useful if you need complete control over your PKI and are issuing certificates for private networks, internal services, or managed devices.
- [External CA](/documentation/platform/pki/ca/external-ca): Third-party public (e.g. Let's Encrypt, DigiCert) or private (e.g. AWS Private CA, HashiCorp Vault PKI, etc.) CAs that can be integrated with Infisical. This is useful if you want to leverage existing PKI infrastructure or issue publicly trusted certificates.
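Review bot: This new overview page has no `description` front-matter while its siblings (External CA, Internal CA) do; add one so the sidebar and search snippets are consistent. The External CA bullet cites AWS Private CA and HashiCorp Vault PKI as integrable private CAs, but the External CA page only lists ACME and Azure ADCS as supported types; either qualify the examples or link each to the integration that handles it.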

View File

@@ -1,13 +1,12 @@
---
title: "Private CA"
sidebarTitle: "Private CA"
title: "Internal CA"
sidebarTitle: "Internal CA"
description: "Learn how to create a Private CA hierarchy with Infisical."
---
## Concept
The first step to creating your Internal PKI is to create a Private Certificate Authority (CA) hierarchy that is a structure of entities
used to issue digital certificates for your [subscribers](/documentation/platform/pki/subscribers).
Infisical lets you build your Internal PKI through a Private Certificate Authority (CA) hierarchy, enabling you to issue and manage digital certificates for your end-entities.
<div align="center">
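Review bot: Title and sidebarTitle change to "Internal CA", but the unchanged `description` line and the new Concept sentence still say "Private CA hierarchy" / "Private Certificate Authority (CA) hierarchy". Update both so the page's own terminology matches its title, e.g. `description: "Learn how to create an Internal CA hierarchy with Infisical."`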
@@ -47,7 +46,7 @@ consisting of an (optional) root CA and an intermediate CA.
<Step title="Creating a root CA">
If you wish to use an external root CA, you can skip this step and head to step 2 to create an intermediate CA.
To create a root CA, head to your Project > Internal PKI > Certificate Authorities and press **Create CA**.
To create a root CA, head to your Certificate Management Project > Certificate Authorities > Internal Certificate Authorities and press **Create CA**.
![pki create ca](/images/platform/pki/ca/ca-create.png)
@@ -55,18 +54,17 @@ consisting of an (optional) root CA and an intermediate CA.
![pki create root ca](/images/platform/pki/ca/ca-create-root.png)
Here's some guidance on each field:
Here's some guidance for each field:
- Valid Until: The date until which the CA is valid in the date time string format specified [here](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date#date_time_string_format). For example, the following formats would be valid: `YYYY`, `YYYY-MM`, `YYYY-MM-DD`, `YYYY-MM-DDTHH:mm:ss.sssZ`.
- Path Length: The maximum number of intermediate CAs that can be chained to this CA. A path of `-1` implies no limit; a path of `0` implies no intermediate CAs can be chained.
- Key Algorithm: The type of public key algorithm and size, in bits, of the key pair that the CA creates when it issues a certificate. Supported key algorithms are `RSA 2048`, `RSA 4096`, `ECDSA P-256`, and `ECDSA P-384` with the default being `RSA 2048`.
- Friendly Name: A friendly name for the CA; this is only for display and defaults to the subject of the CA if left empty.
- Name: A slug-friendly name for the CA.
- Organization (O): The organization name.
- Country (C): The country code.
- State or Province Name: The state or province.
- Locality Name: The city or locality.
- Common Name: The name of the CA.
- Require Template for Certificate Issuance: Whether or not certificates for this CA can only be issued through certificate templates (recommended).
<Note>
The Organization, Country, State or Province Name, Locality Name, and Common Name make up the **Distinguished Name (DN)** or **subject** of the CA.
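Review bot: The Key Algorithm bullet is ambiguous: "the key pair that the CA creates when it issues a certificate" reads as a per-certificate key, yet it is chosen while creating the CA itself and sits next to its DN fields. If it is the CA's own signing key pair, fixed when the CA is created, say so explicitly ("Key Algorithm: The public key algorithm and size of this CA's signing key pair, generated when the CA is created"), and note that the `RSA 2048` default is what a long-lived root will carry unless changed here. Also, removing the "Require Template for Certificate Issuance" bullet drops the only recommendation that issuance be template-constrained; if that control now lives in profiles/templates, one sentence pointing there would keep the guidance intact.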
@@ -98,8 +96,7 @@ consisting of an (optional) root CA and an intermediate CA.
![pki cas](/images/platform/pki/ca/cas.png)
Great! You've successfully created a Private CA hierarchy with a root CA and an intermediate CA.
Now check out the [Subscribers](/documentation/platform/pki/subscribers) page to learn more about how to issue X.509 certificates using the intermediate CA.
Great! You've successfully created a Private CA hierarchy with a root CA and an intermediate CA. Now check out the Certificates section to learn more about how to issue X.509 certificates using the intermediate CA.
2.3b. If you have an external root CA, select **External CA** for the **Parent CA Type** field.
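Review bot: The rewritten closing line says "check out the Certificates section" without a link, where the previous text linked to Subscribers; link it to `/documentation/platform/pki/certificates/overview` so the hierarchy walkthrough hands off to the new issuance flow. Same terminology mismatch as above: "Private CA hierarchy" on a page now titled "Internal CA".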

View File

@@ -0,0 +1,4 @@
---
title: "Certificates"
sidebarTitle: "Certificates"
---
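Review bot: This page is front-matter only (title "Certificates", no description, no body), and the Profiles and Templates pages added in this commit are the same, yet all three are already registered in the sidebar and linked from the certificates overview. Either add at least a short body before merging or leave the nav entries and overview links out until the pages exist, otherwise readers follow a link to a blank page.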

View File

@@ -0,0 +1,14 @@
---
title: "Overview"
sidebarTitle: "Overview"
---
To issue a certificate with Infisical, you'll need to create a certificate profile and a certificate template to go along with it.
There are three components to understand:
- [Certificate Profile](/documentation/platform/pki/certificates/profiles): A configuration set specifying how certificates should be issued under that profile including the [issuing CA](/documentation/platform/pki/ca/overview), a certificate template, and the enrollment method (such as ACME, EST, API, etc.) used to enroll certificates. When requesting a certificate, you issue it against a specific profile.
- [Certificate Template](/documentation/platform/pki/certificates/templates): A policy specifying the structure and permitted attributes of a certificate, such as subject naming conventions, SAN fields, key usages, and extended key usages.
- [Certificate](/documentation/platform/pki/certificates/certificate): The actual X.509 certificate issued for a profile. Once issued, a certificate kept track of in the certificate inventory.
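Review bot: Broken link in the Certificate bullet: it points to `/documentation/platform/pki/certificates/certificate` (singular), while the nav registers the page as `documentation/platform/pki/certificates/certificates`; align one with the other. Grammar in the same bullet: "Once issued, a certificate kept track of in the certificate inventory" should read "Once issued, a certificate is tracked in the certificate inventory". The opening sentence says a profile and a template are both needed, and the Profile bullet says a profile includes a template; state the order (create the template first, then reference it from the profile) so the reader knows where to start.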

View File

@@ -0,0 +1,4 @@
---
title: "Certificate Profiles"
sidebarTitle: "Profiles"
---

View File

@@ -0,0 +1,4 @@
---
title: "Certificate Templates"
sidebarTitle: "Templates"
---

View File

@@ -1,192 +0,0 @@
---
title: "External CA"
sidebarTitle: "External CA"
description: "Learn how to connect External Certificate Authorities with Infisical."
---
## Concept
In addition to creating a Private CA hierarchy, Infisical allows you to integrate with External Certificate Authorities (CAs) to issue digital certificates for your [subscribers](/documentation/platform/pki/subscribers). This integration enables you to leverage established certificate authority infrastructure while centralizing your certificate management within Infisical.
<div align="center">
```mermaid
graph TD
B[Infisical] -->|Manages Certificates| D[Subscribers]
A1[Public CAs<br>Let's Encrypt, ZeroSSL] -->|ACME Protocol| B
A2[Enterprise CAs<br>Vault PKI, Step CA] -->|ACME Protocol| B
A3[Cloud CAs<br>ACME-compatible services] -->|ACME Protocol| B
A4[Future: Enterprise CAs] -.->|EST/SCEP Protocols| B
A5[Future: Cloud CAs] -.->|REST APIs| B
```
</div>
When you integrate an External CA with Infisical, you benefit from:
1. **Trust by Default**: Certificates issued by public CAs are trusted by default in browsers and operating systems.
2. **Unified Management**: Manage all certificates—both internally and externally issued—from a single platform.
3. **Automation**: Leverage Infisical's automation capabilities for certificate lifecycle management.
4. **Compliance**: Meet requirements for publicly trusted certificates, especially for public-facing services.
5. **Flexibility**: Choose the most appropriate CA for different use cases while maintaining consistent management.
## General Workflow
A typical workflow for integrating an External CA with Infisical consists of the following steps:
1. **Select External CA Type**: Choose the appropriate external CA based on your requirements and supported protocols.
2. **Configure Prerequisites**: Set up any required credentials, connections, or configurations specific to your chosen CA type.
3. **Register External CA**: Add the External CA configuration to your Infisical project.
4. **Create Subscribers**: Set up subscribers that use the External CA as their issuing authority.
5. **Manage Certificate Lifecycle**: Handle certificate issuance, renewal, and revocation through Infisical's unified interface.
The specific steps and requirements vary depending on the External CA type you choose to integrate.
## Supported Integration Methods
Infisical currently supports integration with External Certificate Authorities through the following protocol:
### ACME Protocol Integration
ACME (Automatic Certificate Management Environment) is a widely adopted protocol for automated certificate issuance and management. Infisical can integrate with any CA that supports the ACME protocol, including:
**Public Certificate Authorities:**
- Let's Encrypt - Free, automated SSL/TLS certificates
- ZeroSSL - Free and premium SSL certificates
- Buypass - Norwegian CA with free ACME certificates
**Enterprise Certificate Authorities:**
- HashiCorp Vault PKI - Enterprise secret management with ACME support
- Step CA - Open-source certificate authority with ACME
**Cloud Certificate Authorities:**
- Some managed certificate services that support ACME protocol
[Learn more about ACME integration →](/documentation/platform/pki/acme-ca)
## Use Cases
External CA integration is ideal for various scenarios:
### Public-Facing Services
Use publicly trusted CAs for websites and services that need browser compatibility:
- Web applications and APIs
- Load balancers and CDNs
- Public-facing microservices
### Compliance Requirements
Meet specific compliance standards that require certificates from accredited CAs:
- PCI DSS compliance
- SOC 2 requirements
- Industry-specific regulations
### Hybrid Infrastructure
Combine internal and external CAs for different use cases:
- Internal services with Private CAs
- Public services with External CAs
- Development vs. production environments
### Legacy System Integration
Integrate with existing enterprise PKI infrastructure:
- Windows Active Directory Certificate Services
- Network device management
- IoT device provisioning
## Benefits of Centralized Management
Managing External CAs through Infisical provides several advantages over direct CA management:
### Unified Certificate Inventory
- Single dashboard for all certificates
- Centralized expiration tracking
- Cross-CA certificate analytics
### Automated Lifecycle Management
- Automatic certificate reissuance before expiration
- Proactive expiration alerts
- Standardized certificate management processes
### Enhanced Security
- Centralized access controls
- Audit trails for all certificate operations
- Policy enforcement across CAs
### Operational Efficiency
- Reduced manual certificate management
- Consistent deployment workflows
- API-driven automation
- Integration with existing tools
## Available Integration Guides
Get started with External CA integration:
<CardGroup cols={2}>
<Card title="ACME Protocol Integration" icon="certificate" href="/documentation/platform/pki/acme-ca">
Set up automated certificate issuance with any ACME-compatible CA
</Card>
<Card title="API Integrations" icon="code" color="#gray">
Custom CA integrations via REST APIs (Coming Soon)
</Card>
</CardGroup>
## FAQ
<AccordionGroup>
<Accordion title="Which External CAs does Infisical currently support?">
Currently, Infisical supports any Certificate Authority that implements the ACME protocol, including:
- **Public CAs**: Let's Encrypt, ZeroSSL, Buypass
- **Enterprise CAs**: HashiCorp Vault PKI, Step CA
- **Cloud CAs**: ACME-compatible managed services
Integration uses DNS-01 validation through Route53 or Cloudflare. Learn more about [supported DNS validation methods](/documentation/platform/pki/acme-ca#what-dns-validation-methods-are-supported).
Support for additional integration protocols (EST, SCEP, direct APIs) is planned for future releases.
</Accordion>
<Accordion title="Can I use both Private CAs and External CAs in the same project?">
Yes. You can have both Private CAs (root and intermediate) and External CAs in the same project, allowing you flexibility in how you issue certificates for different use cases. This hybrid approach enables you to:
- Use Private CAs for internal services and applications
- Use External CAs for public-facing services
- Apply consistent management practices across all certificate types
- Implement appropriate security controls based on certificate usage
</Accordion>
<Accordion title="What types of certificates can I issue through External CAs?">
The types of certificates you can issue depend on the External CA provider and type:
- **Public CAs**: Typically support Domain Validation (DV) certificates, with some offering Organization Validation (OV)
- **Enterprise CAs**: Support internal certificates, device certificates, and custom certificate types
- **Cloud CAs**: Support various certificate types depending on the service
Certificate capabilities vary by provider and integration method.
</Accordion>
<Accordion title="How does certificate renewal work with External CAs?">
Certificate reissuance is handled automatically by Infisical based on the CA type:
- **Public CAs**: Automatic reissuance using ACME protocol with the same certificate extensions before expiration
- **Other CA types**: Certificate management methods depend on the specific integration (when available)
All certificate lifecycle events are tracked and managed through Infisical's unified interface, ensuring continuous certificate validity.
</Accordion>
<Accordion title="What authentication methods are supported for External CAs?">
Authentication methods vary by CA type:
- **Public CAs**: ACME account registration with email and account keys
- **Enterprise CAs**: Client certificates, username/password, or domain authentication (when available)
- **Cloud CAs**: API keys, OAuth tokens, or service account authentication (when available)
Infisical securely stores and manages all authentication credentials.
</Accordion>
<Accordion title="Can I enforce policies on certificates from External CAs?">
Yes, Infisical provides policy enforcement capabilities:
- Certificate template constraints
- Monitoring and alerting policies
- Access controls for certificate operations
These policies ensure consistent governance across both internal and external certificate sources.
</Accordion>
</AccordionGroup>
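Review bot: Deleting this page drops operational detail that the replacement External CA page does not carry over: DNS-01 validation via Route53 or Cloudflare (first FAQ entry), automatic ACME reissuance before expiry with the same certificate extensions, the per-CA-type authentication methods, and the statement that template constraints and access controls apply to externally issued certificates. If these still hold, they belong on the new External CA or ACME CA page; if any no longer hold (for example the DNS validation claim), that change should be stated in the commit rather than silently removed.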

View File

@@ -10,8 +10,8 @@ It helps teams automate certificate management including enrollment and renewal,
Core capabilities include:
- Private CA: Create and manage your own private CA hierarchy including root and intermediate CAs.
- External CA integration: Integrate with external public and private CAs including Azure ADCS and ACME-compatible CAs like Let's Encrypt and DigiCert.
- [Private CA](/documentation/platform/pki/ca/private-ca): Create and manage your own private CA hierarchy including root and intermediate CAs.
- [External CA integration](/documentation/platform/pki/ca/external-ca): Integrate with external public and private CAs including [Azure ADCS](/documentation/platform/pki/ca/azure-adcs) and [ACME-compatible CAs](/documentation/platform/pki/ca/acme-ca) like Let's Encrypt and DigiCert.
- Certificate Enrollment: Support enrollment methods including API, ACME, EST, and more to automate certificate issuance for services, devices, and workloads.
- Certificate Inventory: Track and monitor issued X.509 certificates, maintaining a comprehensive inventory of all active and expired certificates.
- Certificate Lifecycle Automation: Automate issuance, renewal, and revocation with policy-based workflows, ensuring certificates remain valid, compliant, and up to date across your infrastructure.
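Review bot: The first bullet still says "Private CA" and links to a page this commit retitles "Internal CA"; use the same term here (and in the External CA FAQ) so the overview, the CA overview page, and the page title agree.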