To create a root CA, head to your Project > Internal PKI > Certificate Authorities and press Create CA.

Here, set the CA Type to Root and fill out details for the root CA.

Here’s some guidance on each field:

• Valid Until: The date until which the CA is valid in the date time string format specified here. For example, the following formats would be valid: YYYY, YYYY-MM, YYYY-MM-DD, YYYY-MM-DDTHH:mm:ss.sssZ.
• Path Length: The maximum number of intermediate CAs that can be chained to this CA. A path of -1 implies no limit; a path of 0 implies no intermediate CAs can be chained.
• Key Algorithm: The type of public key algorithm and size, in bits, of the key pair that the CA creates when it issues a certificate. Supported key algorithms are RSA 2048, RSA 4096, ECDSA P-256, and ECDSA P-384 with the default being RSA 2048.
• Friendly Name: A friendly name for the CA; this is only for display and defaults to the subject of the CA if left empty.
• Organization (O): The organization name.
• Country (C): The country code.
• State or Province Name: The state or province.
• Locality Name: The city or locality.
• Common Name: The name of the CA.

1.1. To create an intermediate CA, press Create CA again but this time specifying the CA Type to be Intermediate. Fill out the details for the intermediate CA.

1.2. Next, press the Install Certificate option on the intermediate CA from step 1.1.

Here, set the Parent CA to the root CA created in step 1 and configure the intended Valid Until and Path Length fields on the intermediate CA; feel free to use the prefilled values.

Here’s some guidance on each field:

• Parent CA: The parent CA to which this intermediate CA will be chained. In this case, it should be the root CA created in step 1.
• Valid Until: The date until which the CA is valid in the date time string format specified here. The date must be within the validity period of the parent CA.
• Path Length: The maximum number of intermediate CAs that can be chained to this CA. The path length must be less than the path length of the parent CA.

Finally, press Install to chain the intermediate CA to the root CA; this creates a Certificate Signing Request (CSR) for the intermediate CA, creates an intermediate certificate using the root CA private key and CSR, and imports the signed certificate back to the intermediate CA.

Great! You’ve successfully created a Private CA hierarchy with a root CA and an intermediate CA. Now check out the Certificates page to learn more about how to issue X.509 certificates using the intermediate CA.

To create a root CA, make an API request to the Create CA API endpoint, specifying the type as root.

​

Sample request

curl --location --request POST 'https://app.infisical.com/api/v1/pki/ca' \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data-raw '{
      "projectSlug": "<your-project-slug>",
      "type": "root",
      "commonName": "My Root CA"
  }'

​

Sample response

{
  ca: {
    id: "<root-ca-id>",
    type: "root",
    commonName: "My Root CA",
    ...
  }
}

By default, Infisical creates a root CA with the RSA_2048 key algorithm, validity period of 10 years, with no restrictions on path length; you may override these defaults by specifying your own options when making the API request.

2.1. To create an intermediate CA, make an API request to the Create CA API endpoint, specifying the type as intermediate.

​

Sample request

curl --location --request POST 'https://app.infisical.com/api/v1/pki/ca' \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data-raw '{
      "projectSlug": "<your-project-slug>",
      "type": "intermediate",
      "commonName": "My Intermediate CA"
  }'

​

Sample response

{
  ca: {
    id: "<intermediate-ca-id>",
    type: "intermediate",
    commonName: "My Intermediate CA",
    ...
  }
}

2.2. Next, get a certificate signing request from the intermediate CA by making an API request to the Get CSR API endpoint.

​

Sample request

curl --location --request GET 'https://app.infisical.com/api/v1/pki/ca/<intermediate-ca-id>/csr' \
  --header 'Authorization: Bearer <access-token>' \
  --data-raw ''

​

Sample response

{
  csr: "..."
}

2.3. Next, create an intermediate certificate by making an API request to the Sign Intermediate API endpoint containing the CSR from step 2.2, referencing the root CA created in step 1.

​

Sample request

curl --location --request POST 'https://app.infisical.com/api/v1/pki/ca/<root-ca-id>/sign-intermediate' \
  --header 'Content-Type: application/json' \
  --data-raw '{
      "csr": "<csr>",
      "notAfter": "2029-06-12"
  }'

​

Sample response

{
  certificate: "...",
  certificateChain: "...",
  issuingCaCertificate: "...",
  serialNumber: "...",
}

2.4. Finally, import the intermediate certificate and certificate chain from step 2.3 back to the intermediate CA by making an API request to the Import Certificate API endpoint.

​

Sample request

curl --location --request POST 'https://app.infisical.com/api/v1/pki/ca/<intermediate-ca-id>/import-certificate' \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data-raw '{
      "certificate": "<certificate>",
      "certificateChain": "<certificate-chain>"
  }'

​

Sample response

{
  message: "Successfully imported certificate to CA",
  caId: "..."
}

Great! You’ve successfully created a Private CA hierarchy with a root CA and an intermediate CA. Now check out the Certificates page to learn more about how to issue X.509 certificates using the intermediate CA.