docs/documentation/platform/pki/concepts/certificate-lifecycle.mdx
Typically, a certificate goes through a series of stages during its lifetime from creation to retirement. This is called the certificate lifecycle. The exact names of these stages may vary from vendor to vendor, but they typically include discovery, enrollment, deployment, renewal, revocation, and retirement.
Note that not every stage is needed. For instance:
Certificate discovery is the process of identifying all active and inactive certificates across an environment, including those found on web servers, load balancers, services, and devices. A complete inventory prevents outages from forgotten certificates and creates the foundation for automation and monitoring.
Certificate enrollment is the process of requesting a certificate from a CA and can follow different approaches depending on the system or protocol in use.
Common approaches to certificate enrollment include:
Enrollment can be completed manually via API or fully automated using protocols such as EST or ACME. The choice of enrollment method depends on security requirements, operational constraints, and integration context.
Certificate approval is an optional workflow that adds a human review step before certificates are issued. When an approval policy is configured for a certificate profile, certificate requests are placed in a pending state until the required approvers review and approve them.
Approval workflows help organizations:
Approval policies can be configured with multiple sequential steps, each requiring a specified number of approvals from designated users or groups. Machine identities can optionally bypass approval when automated certificate issuance is required for workloads.
Once all approval steps are completed, the certificate is automatically issued and made available to the requester. If rejected, the request is closed and no certificate is issued.
Certificate deployment involves installing the issued certificate on the appropriate systems and services, such as web servers, load balancers, or internal endpoints. It can also include distributing or synchronizing certificates to external systems like cloud key stores (e.g., AWS Secrets Manager, Google Secret Manager, Azure Key Vault) so they can be securely consumed by workloads running in the cloud.
Deployment can happen manually or through automated mechanisms such as configuration pipelines, agents, or webhook integrations.
Certificate renewal is the process of requesting a new certificate from a CA before it expires to maintain trust and availability; this process can involve reusing the same key pair or rotating to a new one.
The renewal process can be server-driven or client-driven:
This flexibility allows certificates to be renewed in a way that aligns with different security, automation, and infrastructure models.
Certificate revocation is the process of invalidating a certificate to prevent it from being used. This is required when a certificate is compromised, misconfigured, or no longer needed. The CA signals this status to clients through CRLs or OCSP. A new certificate can be issued and deployed if needed.
Certificate retirement is the process of removing a certificate from the system. This is typically done when a certificate is no longer needed or has expired.
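As an added example (not code from the original page or from the platform it documents), the following Go program ties the renewal and revocation stages described above together: it builds a throwaway CA, a leaf certificate and a CRL in memory, then classifies the leaf as revoked, expired, due for renewal, or valid, consulting the CRL before the renewal window so a revoked certificate is never silently renewed. The function names Classify, Fixture and must, the serial numbers, the common names and the renewal window are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Classify returns the lifecycle state of cert at now; revocation is checked before expiry because a revoked certificate must never be renewed or redeployed.
func Classify(cert *x509.Certificate, crl *x509.RevocationList, now time.Time, renewWindow time.Duration) string {
	for _, rc := range crl.RevokedCertificates { // serial match against the CA's CRL
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "revoked"
		}
	}
	if now.After(cert.NotAfter) {
		return "expired"
	}
	if now.Add(renewWindow).After(cert.NotAfter) { // NotAfter falls inside the renewal window
		return "renew-due"
	}
	return "valid"
}

func must[T any](v T, err error) T { // demo helper: fail loudly on any setup error
	if err != nil {
		panic(err)
	}
	return v
}

func Fixture(leafSerial, revokedSerial int64, notBefore, notAfter time.Time) (*x509.Certificate, *x509.RevocationList) { // constructed demo PKI, not a real one
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		NotBefore: notBefore, NotAfter: notAfter.Add(365 * 24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // CRLSign is required to issue the CRL below
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // leaf gets its own key pair
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(leafSerial), Subject: pkix.Name{CommonName: "svc.example"}, NotBefore: notBefore, NotAfter: notAfter}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: notBefore, NextUpdate: notAfter,
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: notBefore}}}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))))
	return leaf, crl
}
```

A renewal job built on Classify would only act on "renew-due" results, and a monitoring job would alert on "revoked" and "expired" ones.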