Concept

Assuming that you’ve created a Private CA hierarchy with a root CA and an intermediate CA, you can now issue/revoke X.509 certificates using the intermediate CA.

Workflow

The typical workflow for managing certificates consists of the following steps:

  1. Issuing a certificate under an intermediate CA with details like name and validity period.
  2. Managing certificate lifecycle events such as certificate renewal and revocation. As part of the certificate revocation flow, you can also query for a Certificate Revocation List CRL, a time-stamped, signed data structure issued by a CA containing a list of revoked certificates to check if a certificate has been revoked.

Note that this workflow can be executed via the Infisical UI or manually such as via API.

Guide to Issuing Certificates

In the following steps, we explore how to issue a X.509 certificate under a CA.

1

Creating a certificate

To create a certificate, head to your Project > Internal PKI > Certificates and press Create Certificate.

pki issue certificate

Here, set the CA to the CA you want to issue the certificate under and fill out details for the certificate.

pki issue certificate modal

Here’s some guidance on each field:

  • Issuing CA: The CA under which to issue the certificate.
  • Friendly Name: A friendly name for the certificate; this is only for display and defaults to the common name of the certificate if left empty.
  • Common Name (CN): The (common) name of the certificate.
  • TTL: The lifetime of the certificate in seconds.
  • Valid Until: The date until which the certificate is valid in the date time string format specified here. For example, the following formats would be valid: YYYY, YYYY-MM, YYYY-MM-DD, YYYY-MM-DDTHH:mm:ss.sssZ.
2

Copying the certificate details

Once you have created the certificate from step 1, you’ll be presented with the certificate details including the Certificate Body, Certificate Chain, and Private Key.

pki certificate body

Make sure to download and store the Private Key in a secure location as it will only be displayed once at the time of certificate issuance. The Certificate Body and Certificate Chain will remain accessible and can be copied at any time.

Guide to Revoking Certificates

In the following steps, we explore how to revoke a X.509 certificate under a CA and obtain a Certificate Revocation List (CRL) for a CA.

1

Revoking a Certificate

Assuming that you’ve issued a certificate under a CA, you can revoke it by selecting the Revoke Certificate option for it and specifying the reason for revocation.

pki revoke certificate

pki revoke certificate modal

2

Obtaining a CRL

In order to check the revocation status of a certificate, you can check it against the CRL of a CA by selecting the View CRL option under the issuing CA and downloading the CRL file.

pki view crl

pki download crl

To verify a certificate against the downloaded CRL with OpenSSL, you can use the following command:

openssl verify -crl_check -CAfile chain.pem -CRLfile crl.pem cert.pem

FAQ

Was this page helpful?

Private CAOverview