Overview

Certificate Syncs enable you to push certificates from Infisical to third-party services using App Connections.

Concept

Certificate Syncs are a project-level resource used to push certificates, via an App Connection, from Infisical to a third-party service (destination). When paired with server-side auto-renewal, renewed certificates are automatically synced to the destination, ensuring your certificates stay current.

```mermaid
%%{init: {'flowchart': {'curve': 'linear'} } }%%
graph LR
A[App Connection]
B[Certificate Sync]
C[Certificate 1]
D[Certificate 2]
E[Certificate 3]
F[Third-Party Service]
G[Certificate 1]
H[Certificate 2]
I[Certificate 3]

B --> A
C --> B
D --> B
E --> B
A --> F
F --> G
F --> H
F --> I

classDef default fill:#ffffff,stroke:#666,stroke-width:2px,rx:10px,color:black
classDef connection fill:#FFF2B2,stroke:#E6C34A,stroke-width:2px,color:black,rx:15px
classDef certificate fill:#E6F4FF,stroke:#0096D6,stroke-width:2px,color:black,rx:15px
classDef sync fill:#F4FFE6,stroke:#96D600,stroke-width:2px,color:black,rx:15px
classDef service fill:#E6E6FF,stroke:#6B4E96,stroke-width:2px,color:black,rx:15px
classDef subscriber fill:#FFE6E6,stroke:#D63F3F,stroke-width:2px,color:black,rx:15px

class A connection
class B sync
class C,D,E,G,H,I certificate
class F service
class J subscriber
```

Workflow

Configuring a Certificate Sync requires three components: The certificates that you'd like to push, a <strong>destination</strong> endpoint to deploy certificates to, and <strong>configuration options</strong> to determine how your certificates should be synced. Follow these steps to start syncing:

1. <strong>Create App Connection:</strong> If you have not already done so, create an App Connection via the UI or API for the third-party service you intend to sync certificates to.

2. <strong>Create Certificate Sync:</strong> Configure a Certificate Sync in the desired project by specifying the following parameters via the UI or API:

   • <strong>Destination:</strong> The App Connection to utilize and the destination endpoint to deploy certificates to such as AWS Certificate Manager, Azure Key Vault, or Cloudflare Custom Certificate.
   • <strong>Certificates:</strong> The certificates you wish to push to the destination.
   • <strong>Options:</strong> Customize how certificates should be synced, including:
     • Whether certificates should be removed from the destination when they expire.
     • Whether to include the Root CA certificate in the certificate chain.
     • Certificate naming schema to control how certificate names are generated in the destination.

3. <strong>Utilize Sync:</strong> Selected certificates will now be pushed to the destination endpoint and automatically redeployed whenever they are renewed.

Certificate Naming

Certificate Syncs support flexible certificate naming through configurable naming schemas. This allows you to customize how certificate names appear in your destination services.

Default Naming

By default, certificates are named using the pattern Infisical-{certificateId} where {certificateId} is the unique identifier of the certificate with hyphens removed for compatibility with services like Azure Key Vault.

Custom Naming Schema

You can customize certificate naming by providing a Certificate Name Schema when creating or updating a Certificate Sync. The schema supports the following placeholders:

• {{certificateId}} - The unique certificate identifier (required)

Examples:

• myapp-{{certificateId}} → myapp-abc123def456
• ssl/{{certificateId}} → ssl/abc123def456

Rules:

• Must include exactly one {{certificateId}} placeholder
• Only alphanumeric characters, dashes (-), underscores (_), and slashes (/) are allowed
• Certificate names matching your schema will be managed by Infisical during sync operations