Internal PKI
Certificates
Learn how to issue X.509 certificates with Infisical.
Concept
Assuming that you’ve created a Private CA hierarchy with a root CA and an intermediate CA, you can now issue/revoke X.509 certificates using the intermediate CA.Workflow
The typical workflow for managing certificates consists of the following steps:- Issuing a certificate under an intermediate CA with details like name and validity period.
- Managing certificate lifecycle events such as certificate renewal and revocation. As part of the certificate revocation flow, you can also query for a Certificate Revocation List CRL, a time-stamped, signed data structure issued by a CA containing a list of revoked certificates to check if a certificate has been revoked.
Note that this workflow can be executed via the Infisical UI or manually such
as via API.
Guide to Issuing Certificates
In the following steps, we explore how to issue a X.509 certificate under a CA.1
Creating a certificate
To create a certificate, head to your Project > Internal PKI > Certificates and press Create Certificate.
Here, set the CA to the CA you want to issue the certificate under and fill out details for the certificate.
Here’s some guidance on each field:
Here, set the CA to the CA you want to issue the certificate under and fill out details for the certificate.Here’s some guidance on each field:- Issuing CA: The CA under which to issue the certificate.
- Friendly Name: A friendly name for the certificate; this is only for display and defaults to the common name of the certificate if left empty.
- Common Name (CN): The (common) name of the certificate.
- TTL: The lifetime of the certificate in seconds.
- Valid Until: The date until which the certificate is valid in the date time string format specified here. For example, the following formats would be valid:
YYYY,YYYY-MM,YYYY-MM-DD,YYYY-MM-DDTHH:mm:ss.sssZ.
2
Copying the certificate details
Once you have created the certificate from step 1, you’ll be presented with the certificate details including the Certificate Body, Certificate Chain, and Private Key.
Make sure to download and store the Private Key in a secure location as it will only be displayed once at the time of certificate issuance.
The Certificate Body and Certificate Chain will remain accessible and can be copied at any time.
Guide to Revoking Certificates
In the following steps, we explore how to revoke a X.509 certificate under a CA and obtain a Certificate Revocation List (CRL) for a CA.1
Revoking a Certificate
Assuming that you’ve issued a certificate under a CA, you can revoke it by
selecting the Revoke Certificate option for it and specifying the reason
for revocation.
2
Obtaining a CRL
In order to check the revocation status of a certificate, you can check it
against the CRL of a CA by selecting the View CRL option under the
issuing CA and downloading the CRL file.
To verify a certificate against the
downloaded CRL with OpenSSL, you can use the following command:
To verify a certificate against the
downloaded CRL with OpenSSL, you can use the following command:FAQ
What is the workflow for renewing a certificate?
What is the workflow for renewing a certificate?
To renew a certificate, you have to issue a new certificate from the same CA
with the same common name as the old certificate. The original certificate
will continue to be valid through its original TTL unless explicitly
revoked.