diff --git a/docs/docs.json b/docs/docs.json
index a66b3ec28f..c3fa858611 100644
--- a/docs/docs.json
+++ b/docs/docs.json
@@ -742,6 +742,7 @@
"pages": [
"documentation/platform/pki/enrollment-methods/overview",
"documentation/platform/pki/enrollment-methods/api",
+ "documentation/platform/pki/enrollment-methods/acme",
"documentation/platform/pki/enrollment-methods/est"
]
},
diff --git a/docs/documentation/getting-started/introduction.mdx b/docs/documentation/getting-started/introduction.mdx
index e10d594dad..77342e36cb 100644
--- a/docs/documentation/getting-started/introduction.mdx
+++ b/docs/documentation/getting-started/introduction.mdx
@@ -35,7 +35,7 @@ Infisical consists of several tightly integrated products, each designed to solv
- [Secrets Management](/documentation/platform/secrets-mgmt/overview): Securely store, access, and distribute secrets across environments with fine-grained controls, automatic rotation, and audit logging.
- [Secrets Scanning](/documentation/platform/secret-scanning/overview): Detect hardcoded secrets in code, CI pipelines, and infrastructure—integrated with GitHub, GitLab, Bitbucket, and more.
-- [Infisical PKI](/documentation/platform/pki/overview): Issue and manage X.509 certificates using protocols like EST, with support for internal and external CAs.
+- [Certificate Management](/documentation/platform/pki/overview): Issue and manage X.509 certificates using protocols like EST, with support for internal and external CAs.
- [Infisical SSH](/documentation/platform/ssh/overview): Provide short-lived SSH access to servers using certificate-based authentication, replacing static keys with policy-driven, time-bound control.
- [Infisical KMS](/documentation/platform/kms/overview): Encrypt and decrypt data using centrally managed keys with enforced access policies and full audit visibility.
- [Infisical PAM](/documentation/platform/pam/overview): Manage access to resources like databases, servers, and accounts with policy-based controls and approvals.
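Review bot: the renamed "Certificate Management" bullet still describes the product as issuing certificates "using protocols like EST", but this same change set documents ACME as a first-class enrollment method; update the description to name both, e.g. "using protocols like ACME and EST", so the landing page matches the new enrollment-methods overview.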
diff --git a/docs/documentation/platform/pki/certificates/certificates.mdx b/docs/documentation/platform/pki/certificates/certificates.mdx
index 374f60d64d..abe1987500 100644
--- a/docs/documentation/platform/pki/certificates/certificates.mdx
+++ b/docs/documentation/platform/pki/certificates/certificates.mdx
@@ -22,10 +22,7 @@ where you can manage various aspects of its lifecycle including deployment to cl
To issue a certificate, you must first create a [certificate profile](/documentation/platform/pki/certificates/profiles) and a [certificate template](/documentation/platform/pki/certificates/templates) to go along with it.
The [enrollment method](/documentation/platform/pki/enrollment-methods/overview) configured on the certificate profile determines how a certificate is issued for it.
-Refer to the documentation for each enrollment method below to learn more about how to issue certificates using it.
-
-- [API](/documentation/platform/pki/enrollment-methods/api): Issue a certificate over UI or by making an API request to Infisical.
-- [EST](/documentation/platform/pki/enrollment-methods/est): Issue a certificate over the EST protocol.
+Refer to the documentation for each enrollment method to learn more about how to issue certificates using it.
## Guide to Renewing Certificates
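Review bot: dropping the per-method list leaves "Refer to the documentation for each enrollment method" with no links to follow, and readers now only have the overview link one line above; consider keeping the list and adding the new entry instead, e.g. "- [ACME](/documentation/platform/pki/enrollment-methods/acme): Issue a certificate over the ACME protocol." between the API and EST items, so the ACME method gets the same direct linking as the others.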
@@ -61,9 +58,9 @@ A certificate can be considered for auto-renewal at time of issuance if the **En
The following examples demonstrate different approaches to certificate renewal:
-- Using the ACME enrollment method, you may connect an ACME client like [certbot](https://certbot.eff.org/) to fetch back and renew certificates for Apache, Nginx, or other server. The ACME client will pursue a client-driven approach and submit certificate requests upon certificate expiration for you, saving renewed certificates back to the server's configuration.
-- Using the ACME enrollment method, you may use [cert-manager](https://cert-manager.io/) with Infisical to issue and renew certificates for Kubernetes workloads; cert-manager will pursue a client-driven approach and submit certificate requests upon certificate expiration for you, saving renewed certificates back to Kubernetes secrets.
-- Using the API enrollment method, you may push and auto-renew certificates to AWS and Azure using [certificate syncs](/documentation/platform/pki/certificate-syncs/overview). Certificates issued over the API enrollment method, where key pairs are generated server-side, are also eligible for server-side auto-renewal; once renewed, certificates are automatically pushed back to their sync destination.
+- Using the [ACME enrollment method](/documentation/platform/pki/enrollment-methods/acme), you may connect an ACME client like [certbot](https://certbot.eff.org/) to fetch back and renew certificates for [Apache](/documentation/platform/pki/integration-guides/apache-certbot), [Nginx](/documentation/platform/pki/integration-guides/nginx-certbot), or other server. The ACME client will pursue a client-driven approach and submit certificate requests upon certificate expiration for you, saving renewed certificates back to the server's configuration.
+- Using the [ACME enrollment method](/documentation/platform/pki/enrollment-methods/acme), you may use [cert-manager](https://cert-manager.io/) with Infisical to issue and renew certificates for Kubernetes workloads; cert-manager will pursue a client-driven approach and submit certificate requests upon certificate expiration for you, saving renewed certificates back to Kubernetes secrets.
+- Using the [API enrollment method](/documentation/platform/pki/enrollment-methods/api), you may push and auto-renew certificates to AWS and Azure using [certificate syncs](/documentation/platform/pki/certificate-syncs/overview). Certificates issued over the API enrollment method, where key pairs are generated server-side, are also eligible for server-side auto-renewal; once renewed, certificates are automatically pushed back to their sync destination.
## Guide to Downloading Certificates
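Review bot: in the first added bullet, "Apache, Nginx, or other server" should read "or other servers" (the wording was already off before this change, but the line is being touched anyway); the rest of the hunk only adds links and reads fine.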
diff --git a/docs/documentation/platform/pki/certificates/templates.mdx b/docs/documentation/platform/pki/certificates/templates.mdx
index 38b5570ddc..b8d976961d 100644
--- a/docs/documentation/platform/pki/certificates/templates.mdx
+++ b/docs/documentation/platform/pki/certificates/templates.mdx
@@ -7,7 +7,7 @@ sidebarTitle: "Templates"
A certificate template is a policy structure specifying permitted attributes for requested certificates. This includes constraints around subject naming conventions, SAN fields, key usages, and extended key usages.
-Each certificate requested against a profile is validated against the template bound to that profile. If the request fails any criteria included in the template, the certificate is not issued. This helps administrators enforce uniformity and security standards across all issued certificates.
+Each certificate requested against a [certificate profile](/documentation/platform/pki/certificates/profiles) is validated against the template bound to that profile. If the request fails any criteria included in the template, the certificate is not issued. This helps administrators enforce uniformity and security standards across all issued certificates.
## Guide to Creating a Certificate Template
diff --git a/docs/documentation/platform/pki/enrollment-methods/acme.mdx b/docs/documentation/platform/pki/enrollment-methods/acme.mdx
index 559b0cab81..12c4779b5e 100644
--- a/docs/documentation/platform/pki/enrollment-methods/acme.mdx
+++ b/docs/documentation/platform/pki/enrollment-methods/acme.mdx
@@ -3,6 +3,62 @@ title: "Certificate Enrollment via ACME"
sidebarTitle: "ACME"
---
-
- ACME-based certificate enrollment is currently under development and will be included in a future release.
-
+## Concept
+
+The ACME enrollment method allows you to issue and manage certificates against a specific [certificate profile](/documentation/platform/pki/certificates/profiles) using the [ACME protocol](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment).
+This method is suitable for web servers, load balancers, and other general-purpose servers that can run an [ACME client](https://letsencrypt.org/docs/client-options/) for automated certificate management.
+
+Infisical's ACME enrollment method is based on [RFC 8555](https://datatracker.ietf.org/doc/html/rfc8555/).
+
+## Prerequisites
+
+Install an [ACME client](https://letsencrypt.org/docs/client-options/) onto your server. This client will handle [ACME challenges](https://letsencrypt.org/docs/challenge-types/) and request/renew certificates from Infisical.
+
+## Guide to Certificate Enrollment via ACME
+
+In the following steps, we explore how to issue a X.509 certificate using the ACME enrollment method.
+
+
+
+ Create a [certificate
+ profile](/documentation/platform/pki/certificates/profiles) with **ACME**
+ selected as the enrollment method.
+
+ 
+
+
+
+ Once you've created the certificate profile, you can obtain its ACME configuration details by clicking the **Reveal ACME EAB** option on the profile.
+
+ 
+
+ From the ACME configuration, gather the following values:
+
+ - ACME Directory URL: The URL that the ACME client will use to communicate with Infisical's ACME server.
+ - EAB Key Identifier (KID): A unique identifier that tells Infisical which ACME account is making the request.
+ - EAB Secret: A secret key that authenticates your ACME client with Infisical.
+
+
+
+ Provide the **ACME Directory URL**, **EAB KID**, and **EAB Secret** from Step 2 to your ACME client to authenticate with Infisical and request a certificate.
+
+ For example, if using [Certbot](https://certbot.eff.org/) as an ACME client, you can configure and start requesting certificates with the following command:
+
+ ```bash
+ sudo certbot certonly \
+ --standalone \
+ --server "https://your-infisical-instance.com/api/v1/pki/certificate-profiles/{profile-id}/acme/directory" \
+ --eab-kid "your-eab-kid" \
+ --eab-hmac-key "your-eab-secret" \
+ -d example.infisical.com \
+ --email admin@example.com \
+ --agree-tos \
+ --non-interactive
+ ```
+
+ Certbot stores the private key and resulting leaf certificate and full certificate chain in `/etc/letsencrypt/live/{domain-name}/`.
+
+ For client-specific setup and usage instructions, refer to the documentation for your ACME client.
+
+
+
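Review bot: the certbot example passes `--standalone`, which makes certbot serve the HTTP-01 challenge on port 80 itself, yet the page never states which ACME challenge types Infisical's ACME server supports or that the server must be reachable on that port; add a sentence to the Prerequisites or to Step 3 stating the supported challenge types and the network requirement, since a reader whose host is behind a load balancer will otherwise see the challenge fail with no hint why. Two smaller points in the same hunk: "issue a X.509 certificate" should be "an X.509 certificate", and because `--eab-hmac-key "your-eab-secret"` puts the EAB secret into shell history and the process list, it is worth noting that the value revealed by **Reveal ACME EAB** is a credential and pointing readers to their client's config-file option for supplying it.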
diff --git a/docs/documentation/platform/pki/enrollment-methods/api.mdx b/docs/documentation/platform/pki/enrollment-methods/api.mdx
index 4adcdc01b0..304bafefc1 100644
--- a/docs/documentation/platform/pki/enrollment-methods/api.mdx
+++ b/docs/documentation/platform/pki/enrollment-methods/api.mdx
@@ -5,7 +5,7 @@ sidebarTitle: "API"
## Concept
-The API enrollment method allows you to issue certificates against a specific certificate profile over Web UI or by making an API request to Infisical.
+The API enrollment method allows you to issue certificates against a specific [certificate profile](/documentation/platform/pki/certificates/profiles) over Web UI or by making an API request to Infisical.
## Guide to Certificate Enrollment via API
@@ -15,7 +15,7 @@ In the following steps, we explore how to issue a X.509 certificate using the AP
-
+
Create a [certificate
profile](/documentation/platform/pki/certificates/profiles) with **API**
selected as the enrollment method.
@@ -54,7 +54,7 @@ Here, select the certificate profile from step 1 that will be used to issue the
-
+
To create a certificate [profile](/documentation/platform/pki/certificates/profiles), make an API request to the [Create Certificate Profile](/api-reference/endpoints/certificate-profiles/create) API endpoint.
diff --git a/docs/documentation/platform/pki/enrollment-methods/est.mdx b/docs/documentation/platform/pki/enrollment-methods/est.mdx
index a4e463a2f4..35e7705955 100644
--- a/docs/documentation/platform/pki/enrollment-methods/est.mdx
+++ b/docs/documentation/platform/pki/enrollment-methods/est.mdx
@@ -5,7 +5,7 @@ sidebarTitle: "EST"
## Concept
-The API enrollment method allows you to issue and manage certificates against a specific certificate profile using the [EST protocol](https://en.wikipedia.org/wiki/Enrollment_over_Secure_Transport).
+The EST enrollment method allows you to issue and manage certificates against a specific [certificate profile](/documentation/platform/pki/certificates/profiles) using the [EST protocol](https://en.wikipedia.org/wiki/Enrollment_over_Secure_Transport).
This method is suitable for environments requiring strong authentication and encrypted communication, such as in IoT, enterprise networks, and secure web services.
Infisical's EST service is based on [RFC 7030](https://datatracker.ietf.org/doc/html/rfc7030) and implements the following endpoints:
@@ -32,7 +32,7 @@ and structured under `https://app.infisical.com:8443/.well-known/est/{profile_id
In the following steps, we explore how to issue a X.509 certificate using the EST enrollment method.
-
+
Create a [certificate
profile](/documentation/platform/pki/certificates/profiles) with **EST**
selected as the enrollment method and fill in EST-specific configuration.
diff --git a/docs/documentation/platform/pki/enrollment-methods/overview.mdx b/docs/documentation/platform/pki/enrollment-methods/overview.mdx
index f1af9375d1..df203c35cc 100644
--- a/docs/documentation/platform/pki/enrollment-methods/overview.mdx
+++ b/docs/documentation/platform/pki/enrollment-methods/overview.mdx
@@ -5,7 +5,10 @@ sidebarTitle: "Overview"
Enrollment methods determine how certificates are issued and managed for a [certificate profile](/documentation/platform/pki/certificates/profiles).
-Refer to the documentation for each enrollment method to learn more about how to enroll certificates using it.
+Refer to the documentation for each enrollment method below to learn more about how to enroll certificates using it.
- [API](/documentation/platform/pki/enrollment-methods/api): Enroll certificates via API.
-- [EST](/documentation/platform/pki/enrollment-methods/est): Enroll certificates via EST protocol.
+- [ACME](/documentation/platform/pki/enrollment-methods/acme): Enroll certificates using the ACME protocol.
+- [EST](/documentation/platform/pki/enrollment-methods/est): Enroll certificates using the EST protocol.
+
+Note that beyond using an enrollment method, you can also deliver a certificate to a target destination using supported [certificate syncs](https://infisical.com/docs/documentation/platform/pki/certificate-syncs/overview).
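Review bot: the new certificate-syncs link uses an absolute URL (`https://infisical.com/docs/documentation/platform/pki/certificate-syncs/overview`) while every other link in this file and in the rest of the change set is a site-relative path; use `/documentation/platform/pki/certificate-syncs/overview` so it resolves correctly in local previews and self-hosted docs builds.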
diff --git a/docs/documentation/platform/pki/overview.mdx b/docs/documentation/platform/pki/overview.mdx
index 9aba032b1f..9d208039b5 100644
--- a/docs/documentation/platform/pki/overview.mdx
+++ b/docs/documentation/platform/pki/overview.mdx
@@ -12,7 +12,7 @@ Core capabilities include:
- [Private CA](/documentation/platform/pki/ca/private-ca): Create and manage your own private CA hierarchy including root and intermediate CAs.
- [External CA integration](/documentation/platform/pki/ca/external-ca): Integrate with external public and private CAs including [Azure ADCS](/documentation/platform/pki/ca/azure-adcs) and [ACME-compatible CAs](/documentation/platform/pki/ca/acme-ca) like Let's Encrypt and DigiCert.
-- [Certificate Enrollment](/documentation/platform/pki/enrollment-methods/overview): Support enrollment methods including [API](/documentation/platform/pki/enrollment-methods/api), ACME, [EST](/documentation/platform/pki/enrollment-methods/est), and more to automate certificate issuance for services, devices, and workloads.
+- [Certificate Enrollment](/documentation/platform/pki/enrollment-methods/overview): Support enrollment methods including [API](/documentation/platform/pki/enrollment-methods/api), [ACME](/documentation/platform/pki/enrollment-methods/acme), [EST](/documentation/platform/pki/enrollment-methods/est), and more to automate certificate issuance for services, devices, and workloads.
- Certificate Inventory: Track and monitor issued X.509 certificates, maintaining a comprehensive inventory of all active and expired certificates.
- Certificate Lifecycle Automation: Automate issuance, [renewal](/documentation/platform/pki/certificates/certificates#guide-to-renewing-certificates), and [revocation](/documentation/platform/pki/certificates/certificates#guide-to-revoking-certificates) with policy-based workflows, ensuring certificates remain valid, compliant, and up to date across your infrastructure.
- [Certificate Syncs](/documentation/platform/pki/certificate-syncs/overview): Push certificates to cloud certificate managers like [AWS Certificate Manager](/documentation/platform/pki/certificate-syncs/aws-certificate-manager) and [Azure Key Vault](/documentation/platform/pki/certificate-syncs/azure-key-vault).
diff --git a/docs/images/platform/pki/enrollment-methods/acme/acme-config.png b/docs/images/platform/pki/enrollment-methods/acme/acme-config.png
new file mode 100644
index 0000000000..11ea8b075b
Binary files /dev/null and b/docs/images/platform/pki/enrollment-methods/acme/acme-config.png differ
diff --git a/docs/images/platform/pki/enrollment-methods/acme/acme-eab.png b/docs/images/platform/pki/enrollment-methods/acme/acme-eab.png
new file mode 100644
index 0000000000..d2bffd0012
Binary files /dev/null and b/docs/images/platform/pki/enrollment-methods/acme/acme-eab.png differ