Certificate Syncs

Push certificates from your Application to external services automatically. When paired with auto-renewal, renewed certificates are synced to their destinations — keeping your infrastructure current without manual intervention.

<Info> Certificate Syncs are configured per Application. Select which certificates to sync, then configure the destination. </Info>

How It Works

mermaid

flowchart LR
    subgraph Application
        C1[Certificate 1]
        C2[Certificate 2]
        C3[Certificate 3]
    end
    
    S[Certificate Sync]
    AC[App Connection]
    
    subgraph Destination["Destination Service"]
        D1[Certificate 1]
        D2[Certificate 2]
        D3[Certificate 3]
    end
    
    C1 --> S
    C2 --> S
    C3 --> S
    S --> AC
    AC --> D1
    AC --> D2
    AC --> D3
    
    style C1 fill:#e1f5fe,stroke:#01579b
    style C2 fill:#e1f5fe,stroke:#01579b
    style C3 fill:#e1f5fe,stroke:#01579b
    style S fill:#fff9c4,stroke:#f57f17
    style AC fill:#e8f5e9,stroke:#2e7d32
    style D1 fill:#f3e5f5,stroke:#7b1fa2
    style D2 fill:#f3e5f5,stroke:#7b1fa2
    style D3 fill:#f3e5f5,stroke:#7b1fa2

Select certificates to sync from your Application
Configure a destination using an App Connection
Certificates are pushed to the destination automatically
Renewals sync automatically when using server-side auto-renewal

<Note> Only certificates managed by Infisical are affected during sync operations. Certificates created directly in the destination service remain untouched. </Note>

Supported Destinations

<CardGroup cols={2}> <Card title="AWS Certificate Manager" icon="aws" href="/documentation/platform/pki/applications/certificate-syncs/aws-certificate-manager"> Import certificates into ACM for use with AWS services. </Card> <Card title="AWS Elastic Load Balancer" icon="aws" href="/documentation/platform/pki/applications/certificate-syncs/aws-elastic-load-balancer"> Deploy certificates directly to ALB/NLB listeners. </Card> <Card title="AWS Secrets Manager" icon="aws" href="/documentation/platform/pki/applications/certificate-syncs/aws-secrets-manager"> Store certificates as secrets for application retrieval. </Card> <Card title="Azure Key Vault" icon="microsoft" href="/documentation/platform/pki/applications/certificate-syncs/azure-key-vault"> Import certificates into Azure Key Vault. </Card> <Card title="Cloudflare" icon="cloudflare" href="/documentation/platform/pki/applications/certificate-syncs/cloudflare-custom-certificate"> Deploy custom SSL certificates to Cloudflare zones. </Card> <Card title="Chef Infra" icon="utensils" href="/documentation/platform/pki/applications/certificate-syncs/chef"> Distribute certificates via Chef data bags. </Card> <Card title="NetScaler" icon="server" href="/documentation/platform/pki/applications/certificate-syncs/netscaler"> Deploy certificates to Citrix NetScaler ADC. </Card> </CardGroup> <Note> Need a destination that isn't listed? Contact [email protected] to request it. </Note>

Creating a Certificate Sync

<Steps> <Step title="Create an App Connection"> If you haven't already, create an [App Connection](/integrations/app-connections/overview) for your destination service. This provides the credentials needed to push certificates. </Step> <Step title="Configure the sync"> In your Application, go to the **Certificate Syncs** tab and click **Create Sync**.

Configure:
- **Destination**: Select the App Connection and target endpoint
- **Certificates**: Choose which certificates to sync
- **Options**: Configure sync behavior (see below)

</Step> <Step title="Certificates are synced"> Selected certificates are immediately pushed to the destination. Future renewals sync automatically. </Step> </Steps>

Sync Options

Option	Description
Remove on expiry	Automatically remove expired certificates from the destination
Include Root CA	Include the root CA certificate in the chain
Certificate naming	Customize how certificates are named in the destination via the Certificate Name Schema (default: `Infisical-{{certificateId}}`)

<Note> Some destinations don't support automatic removal of expired certificates. Certificates managed by Infisical may be overwritten if modified directly in the destination. </Note>

Certificate Name Schema

The Certificate Name Schema controls the name each certificate is given in the destination. It is a template that supports the following placeholders, which are resolved per certificate at sync time:

<Note> - `{{certificateId}}` - The unique ID of the certificate. **Required** so that each synced certificate resolves to a unique, stable name. - `{{commonName}}` - The certificate's common name (its FQDN), e.g. `app.example.com`. - `{{profileId}}` - The certificate profile ID. Falls back to the certificate ID when the certificate has no profile. - `{{applicationId}}` - The ID of the application the sync belongs to. </Note>

For example, myapp-{{commonName}}-{{certificateId}} produces a name like myapp-app.example.com-1a2b3c....

Each destination enforces its own character and length rules for resource names:

Characters: {{commonName}} is sanitized to the destination's allowed character set. For destinations that don't allow dots (e.g. Azure Key Vault, Chef), app.example.com becomes app-example-com; destinations that allow dots (e.g. NetScaler, F5 BIG-IP) keep it as-is.
Length: schemas that would compile to a name longer than the destination's limit are rejected when you save the sync. UUID placeholders ({{certificateId}}, {{profileId}}, {{applicationId}}) each count as 32 characters.

Keep {{certificateId}} in the schema to guarantee a unique, stable name per certificate.

How It Works

Supported Destinations

Creating a Certificate Sync

Sync Options

Certificate Name Schema

What's Next?