
Certificate Components

docs/documentation/platform/pki/concepts/certificate-components.mdx


Core Components

The following resources define how certificates are issued, shaped, and governed in Infisical:

  • Certificate Authority (CA): The trusted entity that issues X.509 certificates. This can be an Internal CA or an External CA in Infisical. The former represents a fully managed CA hierarchy within Infisical, while the latter represents an external CA (e.g. DigiCert, Let's Encrypt, Microsoft AD CS, etc.) that can be integrated with Infisical.

  • Certificate Policy: A policy structure specifying permitted attributes for requested certificates. This includes constraints around subject naming conventions, SAN fields, key usages, and extended key usages.

  • Certificate Profile: A reusable template that combines a CA with a certificate policy and sensible defaults. Profiles define what certificates look like — the issuing CA, validation rules, and default values for fields like TTL and key algorithm.

  • Application: The core entity where teams issue and manage certificates. Product admins attach profiles to Applications and assign members. Application admins then configure enrollment methods (API, ACME, EST, SCEP) for each attached profile.

  • Certificate: The actual X.509 certificate issued through an Application. Once created, it is tracked in Infisical's certificate inventory for management, renewal, and lifecycle operations.
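How a profile's policy and defaults could be applied to an incoming certificate request, as an added example that is not Infisical's code or schema. The `Policy` and `Profile` classes, their field names, the request dict, the one-label wildcard rule, the refusal of requested wildcard names, and all sample values are assumptions made for this sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:  # hypothetical shape, not Infisical's schema
    dns_name_patterns: tuple        # permitted common name / DNS SAN patterns
    key_usages: frozenset           # permitted key usages
    extended_key_usages: frozenset  # permitted extended key usages

@dataclass(frozen=True)
class Profile:  # hypothetical: issuing CA + policy + defaults
    ca: str
    policy: Policy
    default_ttl_days: int
    default_key_algorithm: str

def name_allowed(name, patterns):
    """'*' in a pattern matches exactly one DNS label; requested wildcards are refused."""
    labels = name.lower().split(".")
    if "*" in name or "" in labels:
        return False
    for pattern in patterns:
        want = pattern.lower().split(".")
        if len(want) == len(labels) and all(w in ("*", have) for w, have in zip(want, labels)):
            return True
    return False

def evaluate(profile, request):
    """Return (effective_request, violations) for a request dict."""
    policy, violations = profile.policy, []
    for name in [request["common_name"], *request.get("dns_sans", [])]:
        if not name_allowed(name, policy.dns_name_patterns):
            violations.append(f"name not permitted: {name}")
    for field, allowed in (("key_usages", policy.key_usages),
                           ("extended_key_usages", policy.extended_key_usages)):
        for value in sorted(set(request.get(field, [])) - allowed):
            violations.append(f"{field} not permitted: {value}")
    # Profile defaults fill unset fields; the issuing CA always comes from the profile.
    effective = {"ttl_days": profile.default_ttl_days,
                 "key_algorithm": profile.default_key_algorithm,
                 **request, "ca": profile.ca}
    return effective, violations

# Constructed sample data (not real Infisical values)
POLICY = Policy(("*.svc.example.test",),
                frozenset({"digitalSignature", "keyEncipherment"}),
                frozenset({"serverAuth"}))
PROFILE = Profile("internal-issuing-ca", POLICY, 90, "ECDSA-P256")
```

Matching label by label keeps a pattern such as `*.svc.example.test` from admitting deeper names like `a.b.svc.example.test`, which a plain glob match would accept.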

Next

  • Access Control — Learn how permissions work across Applications and Signers.