Skip to main content
The API enrollment method supports issuing certificates using a Certificate Signing Request (CSR). This allows you to manage your own private key externally while having Infisical sign the certificate.

When to Use CSR-Based Issuance

CSR-based certificate issuance is recommended when:
  • You need to maintain control of your private key
  • Your security policy requires keys to be generated on the target system
  • You’re integrating with Hardware Security Modules (HSMs)
  • You want to use a specific key that already exists
  • You’re working with systems that generate their own CSRs (e.g., load balancers, network appliances)

Generating a CSR

Prior to requesting a certificate, a Certificate Signing Request (CSR) must be generated. While multiple tools and workflows are available, the example below illustrates how to generate a CSR using OpenSSL.

Generate a New Key and CSR

# Generate a new RSA private key and CSR
openssl req -new -newkey rsa:2048 -nodes \
  -keyout private.key \
  -out request.csr \
  -subj "/CN=service.example.com/O=My Organization/C=US"

Generate CSR from Existing Key

# Generate CSR from an existing private key
openssl req -new -key private.key -out request.csr \
  -subj "/CN=service.example.com"

Generate CSR with Subject Alternative Names

# Generate CSR with SANs
openssl req -new -newkey rsa:2048 -nodes \
  -keyout private.key \
  -out request.csr \
  -subj "/CN=service.example.com" \
  -addext "subjectAltName=DNS:service.example.com,DNS:www.service.example.com,IP:192.168.1.1"

Generate CSR with ECDSA Key

# Generate ECDSA P-256 key and CSR
openssl ecparam -genkey -name prime256v1 -out private.key
openssl req -new -key private.key -out request.csr \
  -subj "/CN=service.example.com"

Verify Your CSR

Before submitting, verify your CSR contents: 
openssl req -in request.csr -noout -text

CSR Format Requirements

Your CSR must meet the following requirements:
  • Format: PEM-encoded PKCS#10 Certificate Signing Request
  • Required header: -----BEGIN CERTIFICATE REQUEST-----
  • Required footer: -----END CERTIFICATE REQUEST-----

Supported Key Algorithms

AlgorithmSupported Sizes/Curves
RSA2048, 3072, 4096 bits
ECDSAP-256, P-384, P-521

Supported Signature Algorithms

Key TypeSupported Hash Algorithms
RSASHA-256, SHA-384, SHA-512
ECDSASHA-256, SHA-384, SHA-512

Guide

1

Configure a Certificate Authority

Before you can issue any certificate, you must first configure a Certificate Authority (CA).The CA you configure will be used to issue the certificate back to your client; it can be either Internal or External:
  • Internal CA: If you’re building your own PKI and wish to issue certificates for internal use, you should follow the guide here to create at minimum a root CA and an intermediate/issuing CA within Infisical.
  • External CA: If you have existing PKI infrastructure or wish to connect to a public CA (e.g. Let’s Encrypt, DigiCert, etc.) to issue TLS certificates, you should follow the documentation here to configure an External CA.
Note that if you’re looking to issue self-signed certificates, you can skip this step and proceed to Step 3.
2

Create a certificate policy

Next, follow the guide here to create a certificate policy.The certificate policy will constrain what attributes may or may not be allowed in the request to issue a certificate. For example, you can specify that the requested common name must adhere to a specific format like *.acme.com and that the maximum TTL cannot exceed 1 year.If you’re looking to issue TLS server certificates, you should select the TLS Server Certificate option under the Policy Preset dropdown.
3

Create a certificate profile

Next, follow the guide here to create a certificate profile that will be referenced when requesting a certificate.The certificate profile specifies which certificate policy and issuing CA should be used to validate an incoming certificate request and issue a certificate. You should specify the certificate policy from Step 2, the issuing CA from Step 1, and the API option in the Enrollment Method dropdown when creating the certificate profile.
CSR-based issuance requires a Certificate Authority. Self-signed certificates are not supported when using a CSR.
4

Issue a certificate with your CSR

To issue a certificate using your CSR, navigate to your Project > Certificates > Certificate Requests and click Request.pki certificatesSelect CSR (Certificate Signing Request) as the Request Method, then choose your certificate profile.pki certificate issue modalPaste your PEM-encoded CSR into the text area and specify the TTL for the certificate.pki certificate issue modal csr
When using a CSR, the subject attributes, subject alternative names, and key algorithm are extracted from your CSR. You only need to specify the TTL for the certificate.
Your CSR must comply with the certificate policy attached to the profile. The policy validates subject attributes, SANs, key algorithms, signature algorithms, key usages, and basic constraints. If your CSR doesn’t comply with the policy, you’ll receive an error message indicating which constraint was violated.

FAQ

Use Managed (recommended for most cases) when:
  • You want Infisical to handle key generation and storage
  • You need server-side auto-renewal capabilities
  • You’re deploying certificates via certificate syncs to cloud providers
  • You want the simplest setup with minimal configuration
  • You don’t have specific requirements for key custody
Use CSR when:
  • Your security policy requires private keys to be generated on the target system
  • You’re using a Hardware Security Module (HSM) that generates and stores keys
  • You need to reuse an existing private key
  • You have compliance requirements that mandate key generation in a specific location
  • You’re integrating with systems that generate their own CSRs (e.g., load balancers, appliances)
Certificates issued via CSR are not eligible for server-side auto-renewal since Infisical doesn’t have access to the private key. You’ll need to handle renewal by generating a new CSR and requesting a new certificate.
Certificates issued via CSR cannot be automatically renewed by Infisical since the private key is managed externally. To renew:
  1. Generate a new CSR using your existing private key (or generate a new key pair if desired)
  2. Request a new certificate using the new CSR
  3. Deploy the new certificate before the old one expires
# Generate a new CSR with your existing key
openssl req -new -key private.key -out request.csr \
  -subj "/CN=service.example.com"
Set up alerts for certificate expiration to ensure timely renewal.
Error: “CSR cannot be empty” or invalid format errorSolution: Ensure your CSR:
  • Starts with -----BEGIN CERTIFICATE REQUEST-----
  • Ends with -----END CERTIFICATE REQUEST-----
  • Contains valid base64-encoded content
The UI accepts multiline PEM format directly—you can paste your CSR as-is from the file without any formatting changes.Verify your CSR is valid:
openssl req -in request.csr -noout -text
Solution: When sending CSR via API JSON:
  • Replace actual newlines with \n in the JSON string
  • Include full PEM headers and footers
  • Ensure proper JSON escaping
Example format:
{
  "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIC...base64content...\n-----END CERTIFICATE REQUEST-----"
}
Policy validation errors occur when your CSR doesn’t comply with the certificate policy attached to the profile. Common errors include:
  • Subject attributes: “Missing required attribute” or ” value does not match allowed patterns”
  • Subject Alternative Names: ” SAN is not allowed by template policy” or “Required SAN not found”
  • Key algorithm: “Key algorithm is not allowed by template policy”
  • Signature algorithm: “Signature algorithm is not allowed by template policy”
Solution:
  1. Review your certificate policy configuration in Project > Certificates > Certificate Policies
  2. Ensure your CSR includes all required attributes and SANs
  3. Ensure values match allowed patterns configured in the policy
  4. Verify your key algorithm is in the policy’s allowed list (common options: RSA_2048, RSA_4096, ECDSA_P256, ECDSA_P384)
Example generating a CSR with full subject and SANs:
openssl req -new -key key.pem -out request.csr \
  -subj "/CN=service.example.com/O=My Organization/OU=Engineering/C=US/ST=California/L=San Francisco" \
  -addext "subjectAltName=DNS:service.example.com,DNS:api.example.com"
Error: “Self-signed certificates are not supported for CSR signing”Solution: CSR-based issuance requires a Certificate Authority to sign the certificate.