> ## Documentation Index
> Fetch the complete documentation index at: https://infisical-devin-1781641701-docs-github-pat-fine-grained.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Certificate Authorities

> Set up Certificate Authorities to issue certificates across your organization.

A Certificate Authority (CA) is the entity that signs and issues X.509 certificates. Before teams can issue certificates through Applications, product admins need to configure at least one CA.

Certificate Manager supports two types of CAs:

<CardGroup cols={2}>
  <Card title="Private CA" icon="lock" href="/documentation/platform/pki/ca/private-ca">
    **Managed by Infisical**

    Create root and intermediate CAs directly in Infisical. Ideal for internal services, mTLS, and private networks where public trust isn't required.
  </Card>

  <Card title="External CA" icon="building-columns" href="/documentation/platform/pki/ca/external-ca">
    **Integrated with Infisical**

    Connect to public CAs (Let's Encrypt, DigiCert) or enterprise PKI (AWS PCA, Azure ADCS, Venafi). Use existing infrastructure or issue publicly trusted certificates.
  </Card>
</CardGroup>

## Which Should I Use?

| Use Case                                             | Recommended CA                            |
| ---------------------------------------------------- | ----------------------------------------- |
| Internal services, mTLS between microservices        | Private CA                                |
| Public-facing websites needing browser trust         | External CA (Let's Encrypt, DigiCert)     |
| Enterprise with existing PKI infrastructure          | External CA (AWS PCA, Azure ADCS, Venafi) |
| IoT devices, internal device fleet                   | Private CA                                |
| Regulated environments with specific CA requirements | External CA (your approved provider)      |

## Private CA Hierarchy

When using Private CAs, you typically create a hierarchy:

```
Root CA (offline, long-lived)
└── Intermediate CA (online, issues certificates)
    └── Leaf Certificates (TLS, mTLS, devices)
```

<Info>
  Best practice: Keep your Root CA offline or with minimal usage. Create one or more Intermediate CAs to issue day-to-day certificates. This limits exposure if an Intermediate CA is compromised.
</Info>

## External CA Integrations

Infisical integrates with major public and private CA providers:

<CardGroup cols={3}>
  <Card title="Let's Encrypt" icon="lock" href="/documentation/platform/pki/ca/lets-encrypt">
    Free, automated, publicly trusted certificates.
  </Card>

  <Card title="DigiCert" icon="shield-check" href="/documentation/platform/pki/ca/digicert">
    Enterprise-grade public and private certificates.
  </Card>

  <Card title="AWS PCA" icon="aws" href="/documentation/platform/pki/ca/aws-pca">
    Private CA managed in AWS.
  </Card>

  <Card title="Azure ADCS" icon="microsoft" href="/documentation/platform/pki/ca/azure-adcs">
    Active Directory Certificate Services.
  </Card>

  <Card title="Venafi" icon="building" href="/documentation/platform/pki/ca/venafi">
    Enterprise certificate lifecycle management.
  </Card>

  <Card title="ACME CAs" icon="robot" href="/documentation/platform/pki/ca/acme-ca">
    Any ACME-compatible CA.
  </Card>
</CardGroup>

[View all External CA integrations →](/documentation/platform/pki/ca/external-ca)

## Next Steps

<Steps>
  <Step title="Create or connect a CA">
    Set up a [Private CA](/documentation/platform/pki/ca/private-ca) or connect an [External CA](/documentation/platform/pki/ca/external-ca).
  </Step>

  <Step title="Create a Certificate Policy">
    Define the rules for certificates — allowed domains, validity periods, key algorithms.

    [Certificate Policies →](/documentation/platform/pki/settings/policies)
  </Step>

  <Step title="Create a Certificate Profile">
    Combine your CA with a policy to create a reusable profile that teams can consume.

    [Certificate Profiles →](/documentation/platform/pki/settings/profiles)
  </Step>
</Steps>
