Learn how to create a Private CA hierarchy with Infisical.
The first step to creating your Internal PKI is to create a Private Certificate Authority (CA) hierarchy: a structure of CAs that issue digital certificates for services, applications, and devices.
A typical workflow for setting up a Private CA hierarchy consists of the following steps:
Step 1: Create a root CA.
Step 2: Create an intermediate CA and chain it to the root CA.
Note that this workflow can be executed via the Infisical UI or manually, such as via the API. If executing the workflow manually, you will have to create a Certificate Signing Request (CSR) for the intermediate CA, create an intermediate certificate using the root CA private key and the CSR, and import the signed intermediate certificate back to the intermediate CA as part of Step 2.
In the following steps, we explore how to create a simple Private CA hierarchy consisting of a root CA and an intermediate CA.
Creating a root CA
To create a root CA, head to your Project > Internal PKI > Certificate Authorities and press Create CA.
Here, set the CA Type to Root and fill out details for the root CA.
Here’s some guidance on each field:
Valid Until: the expiry date of the root CA. Accepted formats are YYYY, YYYY-MM, YYYY-MM-DD, and YYYY-MM-DDTHH:mm:ss.sssZ. Any intermediate CA chained to this root must expire no later than this date, so choose it with the intermediates in mind.
Path Length: the maximum number of intermediate CAs that can be chained below this CA. A path length of -1 implies no limit; a path length of 0 implies no intermediate CAs can be chained.
Key Algorithm: the algorithm and size of the CA key pair. Supported options are RSA 2048, RSA 4096, ECDSA P-256, and ECDSA P-384, with the default being RSA 2048.
The Organization, Country, State or Province Name, Locality Name, and Common Name make up the Distinguished Name (DN) or subject of the CA. At least one of these fields must be filled out.
Creating an intermediate CA
2.1. To create an intermediate CA, press Create CA again, but this time set the CA Type to Intermediate. Fill out the details for the intermediate CA.
2.2. Next, press the Install Certificate option on the intermediate CA from step 2.1.
Here, set the Parent CA to the root CA created in Step 1 and configure the intended Valid Until and Path Length fields of the intermediate CA; feel free to use the prefilled values. These fields follow the same rules as for the root CA, with one extra constraint: the intermediate CA’s Valid Until date must fall within the validity period of the root CA.
Finally, press Install to chain the intermediate CA to the root CA; this creates a Certificate Signing Request (CSR) for the intermediate CA, creates an intermediate certificate using the root CA private key and the CSR, and imports the signed certificate back to the intermediate CA.
Great! You’ve successfully created a Private CA hierarchy with a root CA and an intermediate CA. Now check out the Certificates page to learn more about how to issue X.509 certificates using the intermediate CA.
Creating a root CA
1. To create a root CA, make an API request to the Create CA API endpoint, specifying the type as root.
By default, Infisical creates a root CA with the RSA_2048 key algorithm, a validity period of 10 years, and no restriction on path length; you may override these defaults by specifying your own options when making the API request.
Creating an intermediate CA
2.1. To create an intermediate CA, make an API request to the Create CA API endpoint, specifying the type as intermediate.
2.2. Next, get a certificate signing request from the intermediate CA by making an API request to the Get CSR API endpoint.
2.3. Next, create an intermediate certificate by making an API request to the Sign Intermediate API endpoint containing the CSR from step 2.2, referencing the root CA created in step 1.
The notAfter value must be within the validity period of the root CA; that is, if the root CA is valid until 2029-06-12, the intermediate CA must be valid until a date no later than 2029-06-12.
2.4. Finally, import the intermediate certificate and certificate chain from step 2.3 back to the intermediate CA by making an API request to the Import Certificate API endpoint.
Great! You’ve successfully created a Private CA hierarchy with a root CA and an intermediate CA. Now check out the Certificates page to learn more about how to issue X.509 certificates using the intermediate CA.
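The manual workflow above (Get CSR, Sign Intermediate, Import Certificate), which the UI’s Install flow performs in one click, as an added example that is not part of the original page and not Infisical’s own code: it builds the same two-level hierarchy with Go’s standard library crypto/x509, enforces the two rules the page states before signing (the intermediate’s notAfter must fall within the root’s validity, and a CA with path length 0 cannot sign another CA), and then verifies the intermediate against the root the way a relying party would. The organization and common names, the choice of ECDSA P-256 and the 5-year intermediate lifetime are assumptions for the demo; no Infisical API call is involved, and Infisical’s own default algorithm would be RSA 2048.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy holds the result: a self-signed root and an intermediate chained to it. Private keys stay in memory only because this is a stand-alone demo.
type Hierarchy struct {
	Root, Intermediate       *x509.Certificate
	RootKey, IntermediateKey *ecdsa.PrivateKey
}

// must turns infrastructure failures (no entropy, bad DER) into panics, so the only errors left to handle are the policy rejections from signIntermediate.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// caTemplate fills what a CA certificate needs: random 128-bit serial, subject (DN), validity, CA key usages,
// and the path length in the page's convention, which Go shares: -1 means no limit, 0 means no intermediate CA below this one.
func caTemplate(subject pkix.Name, notAfter time.Time, maxPathLen int) *x509.Certificate {
	return &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject: subject, NotBefore: time.Now().Add(-5 * time.Minute), NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		MaxPathLen: maxPathLen, MaxPathLenZero: maxPathLen == 0}
}

// createRootCA is "Create CA" with type root: a fresh ECDSA P-256 key pair (an assumption; Infisical defaults to RSA 2048) and a self-signed certificate.
func createRootCA(subject pkix.Name, notAfter time.Time, maxPathLen int) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, tmpl := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), caTemplate(subject, notAfter, maxPathLen)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// createCSR is "Get CSR": a fresh key signs its own subject, so the parent CA never sees that key.
func createCSR(subject pkix.Name) (*x509.CertificateRequest, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	der := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject}, key))
	csr := must(x509.ParseCertificateRequest(der))
	must(0, csr.CheckSignature()) // proof of possession: the request must verify under its own public key
	return csr, key
}

// signIntermediate is "Sign Intermediate". It enforces the two rules the page states, which x509.CreateCertificate
// does not check on its own: notAfter must fall within the parent's validity, and a parent with path length 0 cannot sign another CA.
func signIntermediate(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, csr *x509.CertificateRequest, notAfter time.Time, maxPathLen int) (*x509.Certificate, error) {
	if notAfter.After(parent.NotAfter) {
		return nil, fmt.Errorf("notAfter %s is later than the parent CA's notAfter %s", notAfter.UTC().Format(time.RFC3339), parent.NotAfter.UTC().Format(time.RFC3339))
	}
	if parent.MaxPathLenZero { // the parsed pathLenConstraint is exactly 0
		return nil, fmt.Errorf("parent %q has path length 0 and cannot sign an intermediate CA", parent.Subject.CommonName)
	}
	der, err := x509.CreateCertificate(rand.Reader, caTemplate(csr.Subject, notAfter, maxPathLen), parent, csr.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // "Import Certificate": the signed certificate goes back to the intermediate
}

// BuildHierarchy runs the workflow: a root with the page's defaults (10 years, no path length limit) and an intermediate limited to path length 0.
func BuildHierarchy() *Hierarchy {
	org := []string{"Example Corp"} // constructed sample DN values
	root, rootKey := createRootCA(pkix.Name{Organization: org, CommonName: "Example Root CA"}, time.Now().AddDate(10, 0, 0), -1)
	csr, interKey := createCSR(pkix.Name{Organization: org, CommonName: "Example Intermediate CA"})
	inter := must(signIntermediate(root, rootKey, csr, time.Now().AddDate(5, 0, 0), 0))
	return &Hierarchy{Root: root, Intermediate: inter, RootKey: rootKey, IntermediateKey: interKey}
}

// VerifyChain is the relying-party check: with only the root trusted, the intermediate must verify against it.
func VerifyChain(h *Hierarchy) error {
	roots := x509.NewCertPool()
	roots.AddCert(h.Root)
	_, err := h.Intermediate.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// RejectedRequests shows both rules firing: an intermediate that would outlive the root, and a second-level CA requested from the path-length-0 intermediate.
func RejectedRequests(h *Hierarchy) (tooLong, tooDeep error) {
	csr, _ := createCSR(pkix.Name{CommonName: "Rejected CA"})
	_, tooLong = signIntermediate(h.Root, h.RootKey, csr, h.Root.NotAfter.AddDate(0, 0, 1), 0)
	_, tooDeep = signIntermediate(h.Intermediate, h.IntermediateKey, csr, h.Intermediate.NotAfter, 0)
	return tooLong, tooDeep
}

func main() {
	h := BuildHierarchy()
	tooLong, tooDeep := RejectedRequests(h)
	fmt.Println("intermediate chains to root:", VerifyChain(h) == nil, "\nrejected:", tooLong, "\nrejected:", tooDeep)
}
```

Running it with go run prints that the intermediate chains to the root and the two rejection messages. The checks in signIntermediate have to run before signing because x509.CreateCertificate neither compares the new certificate's validity with its issuer's nor consults the issuer's path length constraint; a relying party that validates path length (Go's Verify does) would reject a chain that violates it later, while an intermediate that outlives its root simply stops validating once the root expires, which is why the page's notAfter rule is worth enforcing at issuance.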
What key algorithms are supported as part of private key generation and certificate signing?
Infisical supports the RSA 2048, RSA 4096, ECDSA P-256, and ECDSA P-384 key algorithms, specified at the time of creating a CA.