docs/documentation/platform/pki/guides/request-cert-api.mdx
import RequestCertSetup from "/snippets/documentation/platform/pki/guides/request-cert-setup.mdx";
The API enrollment method lets you programmatically request TLS and other X.509 certificates from Infisical.
This is the most flexible way to request certificates from Infisical, but it requires you to implement certificate request and renewal logic yourself. For a more automated approach, we highly recommend the guide for requesting certificates using the Infisical Agent.
The following sequence diagram illustrates the certificate issuance workflow for requesting a certificate via API from Infisical.
```mermaid
sequenceDiagram
    autonumber
    participant Client as Client
    participant Infis as Infisical
    participant CA as CA<br/>(Internal or External)

    Client->>Infis: POST /certificate<br/>(profileId, conditional subject/SANs, ttl,<br/>key usages, conditional CSR, etc.)
    Infis->>Infis: Look up certificate profile<br/>(by profileId)
    Infis->>Infis: Validate request or CSR<br/>against profile constraints<br/>(CN/SAN rules, key usages, max TTL, etc.)

    alt Issuer Type = Self-Signed
        Infis->>Infis: Generate keypair<br/>and self-sign certificate
    else Issuer Type = CA
        Infis->>CA: Request certificate issuance<br/>(CSR)
        CA-->>Infis: Signed certificate<br/>(+ chain)
    end

    Infis-->>Client: Return certificate, certificate chain,<br/>issuing CA certificate, serial number,<br/>certificate ID<br/>(and private key if server-generated)<br/>OR certificate request ID if async
```
In the following steps, we explore an end-to-end workflow for requesting a certificate via API from Infisical.
<Steps>
<RequestCertSetup />
<Step title="Create a certificate profile">
Next, follow the guide [here](/documentation/platform/pki/certificates/profiles#guide-to-creating-a-certificate-profile) to create a [certificate profile](/documentation/platform/pki/certificates/profiles) that will be referenced when requesting a certificate.

The certificate profile specifies which certificate policy and issuing CA should be used to validate an incoming certificate request and issue a certificate; it also specifies the [enrollment method](/documentation/platform/pki/enrollment-methods/overview) through which certificates can be requested against this profile.
You should specify the certificate policy from Step 2, the issuing CA from Step 1, and the **API** option in the **Enrollment Method** dropdown when creating the certificate profile.
<Note>
Note that if you're looking to issue self-signed certificates, you should select the **Self-Signed** option in the **Issuer Type** dropdown when creating the certificate profile.
</Note>
To renew a certificate on the client-side, you have two options:
- Make a request to issue a new certificate against the same [Issue Certificate](/api-reference/endpoints/certificates/create-certificate) API endpoint.
- Make a request to the [Renew Certificate](/api-reference/endpoints/certificates/renew) API endpoint with the ID of the certificate you wish to renew. Note that this endpoint only works if the original certificate was issued through the [Issue Certificate](/api-reference/endpoints/certificates/issue-certificate) API endpoint without a CSR.
<Note>
We recommend reading the guide [here](/documentation/platform/pki/certificates/certificates#guide-to-renewing-certificates) to learn more about all the ways to renew a certificate
with Infisical including [server-driven certificate renewal](/documentation/platform/pki/certificates/certificates#server-driven-certificate-renewal).
</Note>
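The client-side renewal decision described above, as an added example that is not Infisical's own code: it picks between the two renewal options based on whether the certificate was issued with a CSR. The record fields, the action names, and the "renew once one third of the lifetime remains" threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class IssuedCert:
    """Local record kept by the client after issuance (field names are assumptions)."""
    certificate_id: str    # certificate ID returned at issuance
    not_before: datetime   # validity start, timezone-aware
    not_after: datetime    # validity end, timezone-aware
    issued_with_csr: bool  # True when the client submitted its own CSR


def renew_at(cert: IssuedCert, remaining_fraction: float = 1 / 3) -> datetime:
    """Instant at which only `remaining_fraction` of the lifetime is left."""
    if not 0 < remaining_fraction < 1:
        raise ValueError("remaining_fraction must be between 0 and 1")
    if cert.not_before.tzinfo is None or cert.not_after.tzinfo is None:
        raise ValueError("validity timestamps must be timezone-aware")
    lifetime = cert.not_after - cert.not_before
    if lifetime <= timedelta(0):
        raise ValueError("not_after must be later than not_before")
    return cert.not_after - lifetime * remaining_fraction


def plan_renewal(cert: IssuedCert, now: datetime) -> str:
    """Return 'wait', 'renew-endpoint' or 'reissue' for this certificate."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    if now < renew_at(cert):
        return "wait"
    # The Renew Certificate endpoint only applies to certificates issued
    # without a CSR; CSR-based certificates need a new key/CSR and a fresh
    # request to the Issue Certificate endpoint.
    return "reissue" if cert.issued_with_csr else "renew-endpoint"


# Constructed sample records: a 90-day certificate, with and without a CSR.
UTC = timezone.utc
SERVER_KEYED = IssuedCert("cert-id-placeholder-1", datetime(2025, 1, 1, tzinfo=UTC),
                          datetime(2025, 4, 1, tzinfo=UTC), issued_with_csr=False)
CSR_BASED = IssuedCert("cert-id-placeholder-2", datetime(2025, 1, 1, tzinfo=UTC),
                       datetime(2025, 4, 1, tzinfo=UTC), issued_with_csr=True)

if __name__ == "__main__":
    check_time = datetime(2025, 3, 10, tzinfo=UTC)
    for record in (SERVER_KEYED, CSR_BASED):
        print(record.certificate_id, plan_renewal(record, check_time))
```
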
Note that depending on your environment and infrastructure use-case, you may wish to use a different enrollment method to request certificates.
For more automated certificate management, you may wish to request certificates using a client that can monitor expiring certificates and request renewals for you. For example, you can install the Infisical Agent on a VM and have it request and renew certificates for you or use an ACME client paired with Infisical's ACME enrollment method.