docs/documentation/platform/pki/subscribers.mdx
In Infisical PKI, subscribers are logical representations of entities, such as devices, servers, and applications, that request and receive certificates from Certificate Authorities (CAs).
<div align="center">

```mermaid
graph TD
    A[Issuing CA] --> C1[Certificate]
    C1 --> S1[Subscriber]
    A --> C2[Certificate]
    C2 --> S2[Subscriber]
```

</div>
The typical workflow for managing subscribers consists of the following steps:
In the following steps, we explore how to issue an X.509 certificate for a subscriber.
<Steps>
<Step title="Creating a subscriber">
A subscriber is the logical representation of an entity that requests and receives certificates from a CA. With a subscriber, you can specify the attributes that must be present on the X.509 certificates issued for it.

Head to your Infisical PKI Project > Subscribers to create a subscriber.

The **PKI Subscriber** modal is organized into two tabs:
### Configuration Tab

This tab contains the core certificate attributes and settings:
- **Subscriber Name**: A slug-friendly name for the subscriber such as `web-service`.
- **Issuing CA**: The Certificate Authority (CA) that will issue X.509 certificates for the subscriber.
- **Common Name (CN)**: The common name to be included on certificates to be issued to the subscriber.
- **Subject Alternative Names (SANs)**: A comma-delimited list of Subject Alternative Names (SANs) to be included on certificates; these can be hostnames or email addresses like `app1.acme.com, app2.acme.com`.
- **TTL**: The lifetime of the certificate.
- **Key Usage**: The key usage extension of the certificate.
- **Extended Key Usage**: The extended key usage extension of the certificate.
### Advanced Tab

This tab contains optional advanced features:
- **Certificate Auto Renewal**: Toggle to enable automatic certificate renewal for this subscriber.
- **Renewal Before Expiry**: When auto renewal is enabled, specify how many days before certificate expiry the system should automatically issue a new certificate (e.g., 7 days).
<Note>
It's possible to issue certificates for a subscriber with or without a certificate signing request (CSR).
- If requesting without a CSR, the attributes specified on the subscriber will be used to issue a certificate for the subscriber.
- If requesting with a CSR, the attributes on it will be validated against the attributes specified on the subscriber, and a certificate is only issued if they comply.
</Note>
<Note>
When Certificate Auto Renewal is enabled, the system will automatically issue new certificates before the current ones expire, ensuring continuous certificate availability without manual intervention.
</Note>
Click the subscriber you want to issue a certificate for, then click the **Issue Certificate** button on that subscriber's page.


In the following steps, we explore how to revoke an X.509 certificate and obtain a Certificate Revocation List (CRL) for a CA.
<Steps>
<Step title="Revoking a Certificate">
Assuming that you've issued a certificate for a subscriber, you can revoke it by selecting the **Revoke Certificate** option on the certificate you wish to revoke on the subscriber's page.

To verify a certificate against the downloaded CRL with OpenSSL, you can use the following command:

```bash
openssl verify -crl_check -CAfile chain.pem -CRLfile crl.pem cert.pem
```

Note that you can also obtain the CRL from the certificate itself by referencing the CRL distribution point extension on the certificate.
To check a certificate against the CRL distribution point specified within it with OpenSSL, you can use the following command:

```bash
openssl verify -verbose -crl_check -crl_download -CAfile chain.pem cert.pem
```

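
The following added example (not part of Infisical's documentation) builds a throwaway local CA with OpenSSL, revokes one of two certificates, and runs the `-CRLfile` verification command shown above against both so you can see an accepted and a rejected result side by side. The CA name, the `old-service` certificate, and the file layout are constructed for the demonstration; it assumes the `openssl` CLI is installed.

```bash
#!/usr/bin/env bash
# Added example: throwaway local CA; all names and files here are constructed.

build_demo_pki() (  # subshell body, so the cd below does not leak to the caller
  exec 3>&1 >/dev/null 2>&1          # silence openssl, keep fd 3 for the result
  dir=$(mktemp -d) && cd "$dir" || exit 1
  mkdir newcerts && : > index.txt && echo 01 > serial || exit 1
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = chain.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
EOF
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out chain.pem -subj "/CN=Demo Issuing CA" -days 30 || exit 1
  for name in web-service old-service; do
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout "$name.key" -out "$name.csr" -subj "/CN=$name" || exit 1
    openssl ca -batch -notext -config ca.cnf -in "$name.csr" -out "$name.pem" || exit 1
  done
  openssl ca -config ca.cnf -revoke old-service.pem || exit 1   # mark as revoked
  openssl ca -config ca.cnf -gencrl -out crl.pem || exit 1      # publish the CRL
  echo "$dir" >&3                    # hand the directory back to the caller
)

check_revocation() {  # usage: check_revocation <pki-dir> <cert-name>
  openssl verify -crl_check -CAfile "$1/chain.pem" -CRLfile "$1/crl.pem" "$1/$2.pem"
}

pki=$(build_demo_pki) || exit 1
for name in web-service old-service; do
  check_revocation "$pki" "$name" >/dev/null 2>&1 && echo "$name: accepted" || echo "$name: rejected"
done
```

Running `check_revocation` without the output redirection shows the verification error OpenSSL reports for the revoked certificate.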
**Manual Renewal**: Issue a new certificate for the same subscriber. The original certificate will continue to be valid through its original TTL unless explicitly revoked.
**Automatic Renewal**: If Certificate Auto Renewal is enabled for the subscriber, the system will automatically issue new certificates before the current ones expire based on the configured renewal period.