Chef Infra - Infisical

Store certificates in Chef data bags for distribution to nodes via Chef Infra. Certificates are stored as data bag items with customizable field names.

<Info> Certificate Syncs are configured per Application. First select which certificates to sync, then configure the Chef destination. </Info>

Prerequisites

A Chef Connection with the following permissions:
- data bag read
- data bag create
- data bag update
- data bag delete

<Note> Certificates are stored as data bag items with configurable field names for certificate, private key, and chain. </Note>

Create a Chef Sync

<Tabs> <Tab title="Infisical UI"> 1. In your Application, go to the **Certificate Syncs** tab and click **Create Sync**.

    2. Select the **Chef** option.

    3. Configure the **Destination**:
        - **Chef Connection**: The Chef Connection to authenticate with.
        - **Data Bag Name**: The name of the Chef data bag for storing certificates.

    4. Configure the **Sync Options**:
        - **Enable Removal of Expired/Revoked Certificates**: Remove certificates from the destination if they are no longer active.
        - **Preserve Data Bag Item on Renewal**: Update the existing data bag item on renewal instead of creating a new one.
        - **Include Root CA**: Include the Root CA certificate in the chain.
        - **Certificate Name Schema**: Customize item names using `{{certificateId}}` placeholder.
        - **Auto-Sync Enabled**: Automatically sync certificates when changes occur.

    5. Configure the **Field Mappings**:
        - **Certificate Field**: Field name for the certificate (default: `certificate`)
        - **Private Key Field**: Field name for the private key (default: `private_key`)
        - **Certificate Chain Field**: Field name for the chain (default: `certificate_chain`)
        - **CA Certificate Field**: Field name for the root CA (default: `ca_certificate`)

    <Tip>
        Certificates are stored as data bag items:
        ```json
        {
          "id": "certificate-item-name",
          "certificate": "-----BEGIN CERTIFICATE-----\n...",
          "private_key": "-----BEGIN PRIVATE KEY-----\n...",
          "certificate_chain": "-----BEGIN CERTIFICATE-----\n...",
          "ca_certificate": "-----BEGIN CERTIFICATE-----\n..."
        }
        ```
    </Tip>

    6. Configure the **Details**:
        - **Name**: The name of your sync (slug-friendly).
        - **Description**: Optional description.

    7. Select which certificates should be synced.

    8. Review and click **Create Sync**.
</Tab>
<Tab title="API">
    To create a **Chef Certificate Sync**, make an API request to the [Create Chef Certificate Sync](/api-reference/endpoints/pki/syncs/chef/create) API endpoint.

    ### Sample request

    <Note>
      You can optionally specify `certificateIds` during sync creation to immediately add certificates to the sync.
      If not provided, you can add certificates later using the certificate management endpoints.
    </Note>

    ```bash Request
    curl --request POST \
    --url https://app.infisical.com/api/v1/cert-manager/syncs/chef \
    --header 'Authorization: Bearer <access-token>' \
    --header 'Content-Type: application/json' \
    --data '{
        "name": "my-chef-cert-sync",
        "applicationId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "description": "an example certificate sync",
        "connectionId": "550e8400-e29b-41d4-a716-446655440000",
        "destination": "chef",
        "isAutoSyncEnabled": true,
        "certificateIds": [
            "550e8400-e29b-41d4-a716-446655440000",
            "660f1234-e29b-41d4-a716-446655440001"
        ],
        "syncOptions": {
            "canRemoveCertificates": true,
            "preserveSecretOnRenewal": true,
            "canImportCertificates": false,
            "includeRootCa": false,
            "certificateNameSchema": "myapp-{{certificateId}}",
            "fieldMappings": {
                "certificate": "ssl_cert",
                "privateKey": "ssl_key",
                "certificateChain": "ssl_chain",
                "caCertificate": "ssl_ca"
            }
        },
        "destinationConfig": {
            "dataBagName": "ssl_certificates"
        }
    }'
    ```

    ### Example with Default Field Mappings

    ```bash Request
    curl --request POST \
    --url https://app.infisical.com/api/v1/cert-manager/syncs/chef \
    --header 'Authorization: Bearer <access-token>' \
    --header 'Content-Type: application/json' \
    --data '{
        "name": "my-chef-cert-sync-default",
        "applicationId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "description": "Chef sync with default field mappings",
        "connectionId": "550e8400-e29b-41d4-a716-446655440000",
        "destination": "chef",
        "isAutoSyncEnabled": true,
        "syncOptions": {
            "canRemoveCertificates": true,
            "preserveSecretOnRenewal": true,
            "canImportCertificates": false,
            "includeRootCa": false,
            "certificateNameSchema": "{{commonName}}-{{certificateId}}",
            "fieldMappings": {
                "certificate": "certificate",
                "privateKey": "private_key",
                "certificateChain": "certificate_chain",
                "caCertificate": "ca_certificate"
            }
        },
        "destinationConfig": {
            "dataBagName": "certificates"
        }
    }'
    ```

    ### Sample response

    ```json Response
    {
        "pkiSync": {
            "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "name": "my-chef-cert-sync",
            "description": "an example certificate sync",
            "destination": "chef",
            "isAutoSyncEnabled": true,
            "destinationConfig": {
                "dataBagName": "ssl_certificates"
            },
            "syncOptions": {
                "canRemoveCertificates": true,
                "preserveSecretOnRenewal": true,
                "canImportCertificates": false,
                "includeRootCa": false,
                "certificateNameSchema": "myapp-{{certificateId}}",
                "fieldMappings": {
                    "certificate": "ssl_cert",
                    "privateKey": "ssl_key",
                    "certificateChain": "ssl_chain",
                    "caCertificate": "ssl_ca"
                }
            },
            "applicationId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "connectionId": "550e8400-e29b-41d4-a716-446655440000",
            "createdAt": "2023-01-01T00:00:00.000Z",
            "updatedAt": "2023-01-01T00:00:00.000Z"
        }
    }
    ```
</Tab>

</Tabs>

Certificate Management

The Chef Certificate Sync provides:

Automatic Deployment: Deploy certificates in Infisical to Chef data bags with customizable field names.
Certificate Updates: Update certificates in Chef data bags when renewals occur.
Expiration Handling: Optionally remove expired certificates from Chef data bags (if enabled).
Format Preservation: Maintain certificate format during sync operations.
Field Customization: Map certificate data to custom field names that match your Chef cookbook requirements.
CA Certificate Support: Include CA certificates in data bag items for complete certificate chain management.

<Note> Chef Certificate Syncs support both automatic and manual synchronization modes. When auto-sync is enabled, certificates are automatically deployed as they are issued or renewed. </Note>

Manual Certificate Sync

You can manually trigger certificate synchronization to Chef using the sync certificates functionality. This is useful for:

Initial setup when you have existing certificates to deploy
One-time sync of specific certificates
Testing certificate sync configurations
Force sync after making changes

To manually sync certificates, use the Sync Certificates API endpoint or the manual sync option in the Infisical UI.

FAQ

<Accordion title="Can I import certificates from Chef back into Infisical?"> Chef does not support importing certificates back into Infisical due to the nature of Chef data bags where certificates are stored as data rather than managed certificate objects. </Accordion>

What's Next?

<CardGroup cols={2}> <Card title="AWS Certificate Manager" icon="aws" href="/documentation/platform/pki/applications/certificate-syncs/aws-certificate-manager"> Import certificates into ACM for AWS services. </Card> <Card title="Auto-Renewal" icon="arrows-spin" href="/documentation/platform/pki/applications/certificates#server-driven-renewal"> Enable automatic certificate renewal and syncing. </Card> <Card title="Alerting" icon="bell" href="/documentation/platform/pki/applications/alerting/overview"> Get notified about certificate lifecycle events. </Card> <Card title="Other Sync Destinations" icon="arrows-rotate" href="/documentation/platform/pki/applications/certificate-syncs/overview"> View all supported sync destinations. </Card> </CardGroup>