Certificate Syncs are configured per Application. Select which certificates to sync, then configure the destination.
How It Works
- Select certificates to sync from your Application
- Configure a destination using an App Connection
- Certificates are pushed to the destination automatically
- Renewals sync automatically when using server-side auto-renewal
Only certificates managed by Infisical are affected during sync operations. Certificates created directly in the destination service remain untouched.
Supported Destinations
AWS Certificate Manager
Import certificates into ACM for use with AWS services.
AWS Elastic Load Balancer
Deploy certificates directly to ALB/NLB listeners.
AWS Secrets Manager
Store certificates as secrets for application retrieval.
Azure Key Vault
Import certificates into Azure Key Vault.
Cloudflare
Deploy custom SSL certificates to Cloudflare zones.
Chef Infra
Distribute certificates via Chef data bags.
NetScaler
Deploy certificates to Citrix NetScaler ADC.
Need a destination that isn’t listed? Contact support@infisical.com to request it.
Creating a Certificate Sync
Create an App Connection
If you haven’t already, create an App Connection for your destination service. This provides the credentials needed to push certificates.
Configure the sync
In your Application, go to the Certificate Syncs tab and click Create Sync. Configure:
- Destination: Select the App Connection and target endpoint
- Certificates: Choose which certificates to sync
- Options: Configure sync behavior (see below)
Sync Options
| Option | Description |
|---|---|
| Remove on expiry | Automatically remove expired certificates from the destination |
| Include Root CA | Include the root CA certificate in the chain |
| Certificate naming | Customize how certificates are named in the destination via the Certificate Name Schema (default: Infisical-{{certificateId}}) |
Some destinations don’t support automatic removal of expired certificates. Certificates managed by Infisical may be overwritten if modified directly in the destination.
Certificate Name Schema
The Certificate Name Schema controls the name each certificate is given in the destination. It is a template that supports the following placeholders, which are resolved per certificate at sync time:
- {{certificateId}} - The unique ID of the certificate. Required so that each synced certificate resolves to a unique, stable name.
- {{commonName}} - The certificate’s common name (its FQDN), e.g. app.example.com.
- {{profileId}} - The certificate profile ID. Falls back to the certificate ID when the certificate has no profile.
- {{applicationId}} - The ID of the application the sync belongs to.
myapp-{{commonName}}-{{certificateId}} produces a name like myapp-app.example.com-1a2b3c....
Each destination enforces its own character and length rules for resource names:
- Characters: {{commonName}} is sanitized to the destination’s allowed character set. For destinations that don’t allow dots (e.g. Azure Key Vault, Chef), app.example.com becomes app-example-com; destinations that allow dots (e.g. NetScaler, F5 BIG-IP) keep it as-is.
- Length: schemas that would compile to a name longer than the destination’s limit are rejected when you save the sync. UUID placeholders ({{certificateId}}, {{profileId}}, {{applicationId}}) each count as 32 characters.
Include {{certificateId}} in the schema to guarantee a unique, stable name per certificate.
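The placeholder, sanitization and length rules above can be checked locally before a schema is saved. The sketch below is an added example, not Infisical's code. The function names, the two destination profiles and their limits, the 64-character budget for {{commonName}}, and the rendering of UUIDs without hyphens are all assumptions made for illustration.

```python
import re

UUID_FIELDS = {"certificateId", "profileId", "applicationId"}
KNOWN = UUID_FIELDS | {"commonName"}
TOKEN = re.compile(r"\{\{(\w+)\}\}")

# Hypothetical destination profiles. The page names Azure Key Vault and Chef as
# dot-free and NetScaler as dot-friendly; the limits here are constructed.
PROFILES = {
    "no_dots": {"bad": re.compile(r"[^A-Za-z0-9-]"), "max_len": 127},
    "dots_ok": {"bad": re.compile(r"[^A-Za-z0-9.-]"), "max_len": 63},
}


def check_schema(schema, profile, cn_budget=64):
    """Save-time check: return a list of problems (empty means accepted)."""
    problems = []
    tokens = TOKEN.findall(schema)
    unknown = sorted(set(tokens) - KNOWN)
    if unknown:
        problems.append("unknown placeholder: " + ", ".join(unknown))
    if "certificateId" not in tokens:
        problems.append("{{certificateId}} is required")
    # Literal characters, plus 32 per UUID placeholder (as the page states),
    # plus an assumed budget per {{commonName}}.
    length = len(TOKEN.sub("", schema))
    length += sum(32 if t in UUID_FIELDS else cn_budget for t in tokens if t in KNOWN)
    limit = PROFILES[profile]["max_len"]
    if length > limit:
        problems.append(f"name may reach {length} characters, limit is {limit}")
    return problems


def resolve_name(schema, profile, cert, application_id):
    """Sync-time resolution for one certificate; run check_schema first."""
    strip = lambda uuid: uuid.replace("-", "")  # assumption: 32 hex chars, no hyphens
    values = {
        "certificateId": strip(cert["id"]),
        "profileId": strip(cert.get("profile_id") or cert["id"]),  # fallback per page
        "applicationId": strip(application_id),
        "commonName": PROFILES[profile]["bad"].sub("-", cert["common_name"]),
    }
    return TOKEN.sub(lambda m: values[m.group(1)], schema)
```

Running the same schema against both profiles shows why a name that is accepted for one destination can be rejected or rendered differently for another.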
What’s Next?
AWS Certificate Manager
Import certificates into ACM for AWS services.
Azure Key Vault
Store certificates in Azure Key Vault.
Alerting
Get notified about certificate lifecycle events.
Managing Certificates
View and manage certificates in your Application.