The following resources define how certificates are issued, shaped, and governed in Infisical:
Certificate Authority (CA): The trusted entity that issues X.509 certificates. This can be an Internal CA or an External CA in Infisical.
The former represents a fully managed CA hierarchy within Infisical, while the latter represents an external CA (e.g. DigiCert, Let’s Encrypt, Microsoft AD CS, etc.) that can be integrated with Infisical.
Certificate Policy: A policy structure specifying permitted attributes for requested certificates. This includes constraints around subject naming conventions, SAN fields, key usages, and extended key usages.
Certificate Profile: A configuration set specifying how leaf certificates should be issued for a group of end-entities including the issuing CA, a certificate policy, and the enrollment method (e.g. ACME, EST, API, etc.) used to enroll certificates.
Certificate: The actual X.509 certificate issued for a profile. Once created, it is tracked in Infisical’s certificate inventory for management, renewal, and lifecycle operations.
Access control defines who (or what) can manage certificate resources and who can issue certificates within a project. Without clear boundaries, certificate authorities and issuance workflows can be misconfigured or misused.To manage access to certificates, you assign role-based permissions at the project level. These permissions determine which certificate authorities, certificate policies, certificate profiles, and other related resources a user or machine identity can act on. For example,
you may want to:
Have specific teams(s) manage your internal CA hierarchy or external CA integration configuration and have separate team(s) configure certificate profiles for requested certificates.
Limit which teams can manage certificate policies.
Have specific end-entities (e.g. servers, devices, users) request certificates from specific certificate profiles.
This model follows the principle of least privilege so that each user or machine identity can manage or issue only the certificate resources it is responsible for and nothing more.
