869 Commits

Author SHA1 Message Date
x032205
fe47684821 Merge branch 'main' into SECRETS-191 2026-05-02 00:50:13 -04:00
x032205
910c41957c remove PUT examples 2026-04-29 16:02:08 -04:00
x032205
d475e8c0ea feat(pam): support external object storage for session recordings 2026-04-29 04:00:37 -04:00
Carlos Monastyrski
a2cac916e8 Address PR comments 2026-04-27 14:45:41 -03:00
Carlos Monastyrski
70baae3853 Add Venafi TPP external CA integration 2026-04-27 09:43:05 -03:00
adilson
3c73cc03b7 Merge branch 'main' into feat/adilsitos/secrets-205 2026-04-24 09:22:46 -03:00
Carlos Monastyrski
026f8ddbff Address PR comments 2026-04-24 01:04:47 -03:00
Carlos Monastyrski
9b6cfbcf07 Merge remote-tracking branch 'origin/main' into feat/PKI-171 2026-04-23 22:00:06 -03:00
adilson
05ef05eef0 Merge branch 'main' into feat/adilsitos/secrets-205 2026-04-23 18:36:25 -03:00
x032205
6bb82cf616 Merge branch 'main' into SECRETS-191 2026-04-23 15:14:47 -04:00
adilson
4643efeabc Merge branch 'main' into sync-secrets/eng-2939 2026-04-23 15:45:18 -03:00
x032205
82b91b98d0 warning about cookie and TOTP secrets 2026-04-22 23:19:59 -04:00
x032205
4d316471e4 improve docs 2026-04-22 23:16:14 -04:00
adilson
4d6e67172b update docs to have travis on browser 2026-04-22 23:56:53 -03:00
adilson
38e7c4199d address review comments 2026-04-22 23:36:06 -03:00
=
e7a08d8158 feat: updated more checks 2026-04-22 20:34:07 +05:30
Carlos Monastyrski
9ac33a61fa Merge remote-tracking branch 'origin/main' into feat/PKI-171 2026-04-22 01:54:19 -03:00
Carlos Monastyrski
153ff4bad0 Add Digicert API External CA integration 2026-04-22 01:22:57 -03:00
Saif Ur Rahman
db964a7493 feat(pki): add AWS ACM Public CA support (#6069)
* feat(pki): add AWS ACM Public CA support

Adds a new external CA type that issues, renews, and revokes public
certificates via AWS Certificate Manager with Route 53 DNS validation.

- New aws-acm-public-ca service module (client, fns, schemas, validators)
- Route 53 DNS provider for ACM CNAME validation records
- externalMetadata jsonb column on certificates (stores ARN/region)
- Issuance queue tuned for ACM: 30 attempts with fixed backoff,
  retryable validation-pending errors, final-attempt request FAIL hook
- Pre-flight validation rejects CSR, non-DNS SANs, subject fields,
  custom validity, and CA certs (ACM constraints)
- Profile service restricts ACM CAs to API enrollment
- v1/v2 list endpoints, ExternalCaModal UI, frontend types/hooks

* chore(backend): add @aws-sdk/client-acm dependency

* chore(pki): remove ACM development mock client

* fix(pki): surface AWS errors and fix ACM renewal polling

- Wrap ACM/Route 53 preflight calls in createCertificateAuthority and
  updateCertificateAuthority so IAM errors surface as BadRequestError
  with the AWS message, instead of a generic 500.
- Skip the fixed-validity TTL check on renewal — ACM sets validity itself
  and the TTL derived from the original cert can floor below 198 days.
- Require notAfter to advance before exporting a renewed cert. ACM returns
  the original cert from ExportCertificate until the renewal is fully
  re-issued, which was causing duplicate-serial insert failures.

* fix(pki): retry ACM export when renewal relation not yet ready

* chore(pki): clean up ACM extras and add docs

- Drop dead `calculateAcmRenewBeforeDays` clamp; profile schema already
  caps `renewBeforeDays` at 30, so the 198-day clamp never triggered.
- Drop the redundant `basicConstraints` plumbing for the ACM validator;
  `certificate-v3-service.ts` already blocks CA issuance for all external
  CAs upstream.
- Run pre-flight ACM input validation before the approval branch so bad
  inputs (TTL, SANs, subject fields) are rejected at submit time instead
  of after an approver has already approved.
- Use serial-number comparison to detect a renewed cert body in ACM,
  instead of relying on `NotAfter` advancement (which can lag).
- Persist `keyUsages` / `extendedKeyUsages` parsed from the issued cert
  rather than echoing the request, so DB matches what AWS actually issued.
- Add docs page covering setup, IAM, auto-renewal, troubleshooting, and
  an FAQ; wire it into docs.json under the External CAs section.

* fix(pki): make external CA revocation atomic and surface AWS errors

- Call the upstream CA revoke before updating the local cert row, so a
  failed AWS call (e.g., a reason ACM rejects) doesn't leave the cert
  marked revoked locally while still active at the issuer.
- Wrap the ACM RevokeCertificate call so AWS errors come back as a
  BadRequestError with the underlying message, instead of falling
  through to the generic "Something went wrong" 500.

* fix(pki): preserve original region on ACM renewal and hoist AWS calls out of CA update transaction

- On renewal, store the original certificate's region in externalMetadata
  instead of the CA's current region, so subsequent revoke/renew keep
  targeting the correct region-locked ARN even if the CA was edited.
- In updateCertificateAuthority, run ACM ListCertificates and Route 53
  GetHostedZone before opening the DB transaction, mirroring
  createCertificateAuthority so slow AWS calls don't pin a pool connection.

* fix(pki): derive ACM signature algorithm from issued cert

ACM picks the signature algorithm server-side and has no SigningAlgorithm
parameter on RequestCertificate, so the caller-supplied signatureAlgorithm
was being persisted without ever matching what AWS actually signed with.
Parse it from the issued cert and normalize to CertSignatureAlgorithm
before writing to the DB. Drop the now-dead parameter from the ACM
orderCertificateFromProfile signature.

* chore(pki): remove unused AwsAcmKeyAlgorithm enum

* refactor(pki): generate ACM export passphrase with nanoid customAlphabet

Uses nanoid's customAlphabet instead of manual modular sampling, matching
the pattern used elsewhere in the codebase (e.g. dynamic-secret providers).
Eliminates the modular bias where the first 8 alphabet characters appeared
slightly more frequently than the others.

* fix(ui): mark AWS Connection field as required in ACM external CA form

Matches the sibling fields (Route 53 Connection, Hosted Zone ID, Region)
which already had the required indicator.

* docs(pki): clarify ACM auto-renewal and refresh screenshots

Explain that AWS itself attempts managed renewal 45 days before expiry, and what Infisical's own auto-renewal does in that case (skip RenewCertificate if AWS already renewed, otherwise trigger it). Swap "export" wording for plainer "save"/"pull in". Add new setup screenshots.

* docs(pki): add ACM public CA API reference pages

* refactor(pki): share Route 53 helper and tidy ACM internals

- Extract Route 53 into a shared dns-providers/route53.ts reused by both
  ACME and ACM Public CA. Adds an optional comment field so ACME keeps
  its original change-history strings. The ACME delete path also now
  applies sha256=CustomAWSHasher and useFipsEndpoint consistently with
  upsert.
- Move the two ACM validation error classes into a dedicated -errors.ts
  and rename to AcmPendingError / AcmTerminalError, since they also
  cover renewal and export paths beyond the original DNS-validation
  signal.
- Replace single-character regex strips (: and -) with split/join, and
  wrap the AWS error-message match in RE2 to match the rest of the repo.

* feat(ui): pre-fill and lock TTL for ACM Public CA profiles

AWS ACM Public CA issues certificates with a fixed 198-day validity and
the backend rejects any other value. When the selected CA on a certificate
profile is AWS ACM Public CA, the TTL field now pre-fills to 198 and is
disabled, with a tooltip explaining the fixed validity.

* docs(pki): expand ACM Public CA guide and document permissions on AWS connection

- Rewrite the ACM Public CA overview to scope explicitly to public
  certificates and drop the comparison with AWS Private CA.
- Expand the enrollment-method FAQ entry to explain that only API
  enrollment applies, because EST, SCEP, and ACME all submit a CSR and
  ACM generates the private key itself.
- Add an AWS ACM Public CA accordion (ACM + Route 53 permissions) to
  both the IAM Role and IAM User sections of the AWS app connection
  docs so users can set up permissions alongside existing services.

* fix(pki): skip AWS ACM revoke for superseded certificates

When an ACM certificate is renewed, the ARN is reused for the new
certificate body and the superseded cert is no longer present at AWS.
Calling RevokeCertificate on that ARN would revoke the currently-active
renewed cert. When revoking a cert that has renewedByCertificateId set,
skip the AWS call and let the service layer mark the DB row as REVOKED
on its own — matching the pattern already used in PKI syncs for
superseded certificates.
2026-04-22 03:30:00 +05:30
adilson
4477c3b9f2 add images into docs 2026-04-21 18:43:48 -03:00
adilson
61993bec3e add docs 2026-04-21 16:39:21 -03:00
adilson
82a3cc5fa2 remove options on sync for travis 2026-04-20 22:30:00 -03:00
adilson
c980065c52 Merge branch 'main' into sync-secrets/eng-2939 2026-04-20 17:03:59 -03:00
adilson
ac6fd1f5e9 update documentation with screenshots 2026-04-20 16:49:31 -03:00
x032205
afc364957f Merge branch 'main' into SECRETS-191 2026-04-20 15:34:01 -04:00
x032205
b69db782ac docs 2026-04-20 15:09:25 -04:00
adilson
f8de228cf9 add travis ci sync and app connection 2026-04-20 14:08:01 -03:00
Daniel
d2abdff0d9 Merge branch 'main' into igor/eng-4649-create-migration-tool-from-doppler-to-infisical 2026-04-17 21:47:47 +02:00
Jake Hulberg
dac4094dcb docs: add walkthrough video to Vercel Sync page
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-17 09:20:29 -05:00
Daniel
ea2a579d5e Merge branch 'main' into igor/eng-4649-create-migration-tool-from-doppler-to-infisical 2026-04-15 03:48:20 +02:00
Daniel
ce98399bc0 requested changes 2026-04-15 03:46:15 +02:00
Daniel
e02e4899de Update infisical-proxy.mdx 2026-04-15 00:47:49 +02:00
adilson
b449b8d978 update flag 2026-04-14 18:23:01 -03:00
adilson
e054fe6f98 add pooling-fallback-internal flag into docs 2026-04-14 18:16:11 -03:00
adilson
71e06dc785 docs: update documentation to explain how server sent events work on proxy CLI 2026-04-14 13:51:04 -03:00
Jake Hulberg
bfe1e1d781 Replace team@infisical.com with support or sales in docs
- Enterprise license/purchase contexts → sales@infisical.com
- Assistance, reporting, feature requests → support@infisical.com
- SMTP credential examples → you@example.com

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 06:40:51 -05:00
bernie-g
c156ea338f docs(pam): add AI Session Insights docs and Anthropic connection page 2026-04-10 16:40:45 -04:00
Daniel Hougaard
94043e10e2 Merge branch 'main' into igor/eng-4649-create-migration-tool-from-doppler-to-infisical 2026-04-08 04:25:35 +02:00
Carlos Monastyrski
c6a55e6d37 Merge remote-tracking branch 'origin/main' into feat/netscaler-pki-sync 2026-04-07 09:34:45 -03:00
Daniel Hougaard
02d396aa72 Merge branch 'main' into igor/eng-4649-create-migration-tool-from-doppler-to-infisical 2026-04-04 03:08:42 +02:00
Jake Hulberg
35a01869c5 Remove Docker Swarm documentation entirely
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-03 10:00:04 -05:00
Carlos Monastyrski
b373c6eadf Add NetScaler PKI sync 2026-04-01 01:37:16 -03:00
Igor Correa
5fb7eac707 fix(docs): correct typo "Coppy" -> "Copy" in Doppler connection guide 2026-03-31 15:35:15 -03:00
Igor Correa
8f4ab9cda7 docs: add Doppler app connection guide and images 2026-03-31 14:23:20 -03:00
Daniel Hougaard
94ddd7c665 Update aws.mdx 2026-03-24 18:09:45 +01:00
Igor Horta Corrêa
0d47ac4d99 Merge pull request #5755 from Infisical/igor/eng-4687-add-option-to-disable-certificate-import-in-akv-secret-sync
feat(secret-sync): add option to disable certificate import in Azure Key Vault sync
2026-03-22 17:15:01 -03:00
Igor Correa
dce673c737 docs(secret-sync): remove key schema option from Infisical-to-Infisical sync docs 2026-03-20 17:09:21 -03:00
Igor Correa
ec14a4a953 feat(external-infisical-sync): filter project list to secret-manager type only
Only expose Secret Manager projects when listing remote Infisical projects for sync destination, preventing selection of non-compatible project types.
2026-03-19 23:35:39 -03:00
Igor Correa
3e2452eb3e fix: docs 2026-03-19 19:07:44 -03:00
Igor Correa
e74925e384 fix: unnecessary text for the docs 2026-03-19 19:06:29 -03:00