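# Infisical certificate-agent configuration (example).
# NOTE(review): the rendered page had lost all indentation; the nesting below
# is reconstructed from key order and the agent's documented layout — verify
# against the agent's schema before use.
version: v1

infisical:
  address: "https://app.infisical.com/"

auth:
  type: "universal-auth"
  config:
    # Paths to files holding the machine-identity credentials. These files are
    # the root of trust for everything below; keep them owner-readable only.
    client-id: "./client-id"
    client-secret: "./client-secret"
    # false presumably leaves the client-secret file on disk after it is read,
    # so its filesystem permissions are the only control protecting it.
    remove_client_secret_on_read: false

certificates:
  # Issue a new certificate from a profile
  - profile-name: "my-profile-name"
    project-slug: "my-project-slug"
    # Certificate parameters
    attributes:
      common-name: "api.mycompany.com"
      alt-names:
        - "www.api.mycompany.com"
        - "internal-api.mycompany.com"
      key-algorithm: "RSA_2048"
      signature-algorithm: "RSA-SHA256"
      key-usages:
        - "digital_signature"
        - "key_encipherment"
      extended-key-usages:
        - "server_auth"
      # Durations are strings so they are not parsed as numbers.
      ttl: "30d"
    lifecycle:
      renew-before-expiry: "1d" # When to start checking for renewal before expiration
      status-check-interval: "6h" # How often to check certificate status and renewal needs
    # Post-hooks for automation
    # The commands below are executed by the agent process itself; a hook like
    # "systemctl reload nginx" only works if the agent runs with enough
    # privilege, so scope the agent's account to what the hooks need.
    post-hooks:
      on-issuance:
        command: "systemctl reload nginx"
        timeout: 30
      on-renewal:
        command: "systemctl reload nginx"
        timeout: 30
      on-failure:
        command: "logger 'Certificate failed for api.mycompany.com'"
        timeout: 10
    file-output:
      # Modes are quoted so a YAML 1.1 parser does not read them as octal ints.
      private-key:
        path: "./certs/web-server/private.key"
        permission: "0600" # private key: owner read/write only
      certificate:
        path: "./certs/web-server/certificate.crt"
        permission: "0644"
      chain:
        path: "./certs/web-server/chain.crt"
        permission: "0644"
        # Presumably drops the root CA from the written chain, so clients
        # rely on their own trust store for it.
        omit-root: true
  # Fetch an existing certificate by ID. Skips issuance entirely.
  # If private-key.path is configured but the certificate has no private key
  # (e.g. ACME-issued), a warning is logged and the file is skipped.
  # - certificate-id: "00000000-0000-0000-0000-000000000000"
  #   lifecycle:
  #     status-check-interval: "6h"
  #   file-output:
  #     certificate:
  #       path: "./certs/existing/certificate.crt"
  #       permission: "0644"
  #     chain:
  #       path: "./certs/existing/chain.crt"
  #       permission: "0644"
  #     private-key:
  #       path: "./certs/existing/private.key"
  #       permission: "0600"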