feat(pki): add AWS ACM Public CA support (#6069)

* feat(pki): add AWS ACM Public CA support

Adds a new external CA type that issues, renews, and revokes public
certificates via AWS Certificate Manager with Route 53 DNS validation.

- New aws-acm-public-ca service module (client, fns, schemas, validators)
- Route 53 DNS provider for ACM CNAME validation records
- externalMetadata jsonb column on certificates (stores ARN/region)
- Issuance queue tuned for ACM: 30 attempts with fixed backoff,
  retryable validation-pending errors, final-attempt request FAIL hook
- Pre-flight validation rejects CSR, non-DNS SANs, subject fields,
  custom validity, and CA certs (ACM constraints)
- Profile service restricts ACM CAs to API enrollment
- v1/v2 list endpoints, ExternalCaModal UI, frontend types/hooks

* chore(backend): add @aws-sdk/client-acm dependency

* chore(pki): remove ACM development mock client

* fix(pki): surface AWS errors and fix ACM renewal polling

- Wrap ACM/Route 53 preflight calls in createCertificateAuthority and
  updateCertificateAuthority so IAM errors surface as BadRequestError
  with the AWS message, instead of a generic 500.
- Skip the fixed-validity TTL check on renewal — ACM sets validity itself
  and the TTL derived from the original cert can floor below 198 days.
- Require notAfter to advance before exporting a renewed cert. ACM returns
  the original cert from ExportCertificate until the renewal is fully
  re-issued, which was causing duplicate-serial insert failures.

* fix(pki): retry ACM export when renewal relation not yet ready

* chore(pki): clean up ACM extras and add docs

- Drop dead `calculateAcmRenewBeforeDays` clamp; profile schema already
  caps `renewBeforeDays` at 30, so the 198-day clamp never triggered.
- Drop the redundant `basicConstraints` plumbing for the ACM validator;
  `certificate-v3-service.ts` already blocks CA issuance for all external
  CAs upstream.
- Run pre-flight ACM input validation before the approval branch so bad
  inputs (TTL, SANs, subject fields) are rejected at submit time instead
  of after an approver has already approved.
- Use serial-number comparison to detect a renewed cert body in ACM,
  instead of relying on `NotAfter` advancement (which can lag).
- Persist `keyUsages` / `extendedKeyUsages` parsed from the issued cert
  rather than echoing the request, so DB matches what AWS actually issued.
- Add docs page covering setup, IAM, auto-renewal, troubleshooting, and
  an FAQ; wire it into docs.json under the External CAs section.

* fix(pki): make external CA revocation atomic and surface AWS errors

- Call the upstream CA revoke before updating the local cert row, so a
  failed AWS call (e.g., a reason ACM rejects) doesn't leave the cert
  marked revoked locally while still active at the issuer.
- Wrap the ACM RevokeCertificate call so AWS errors come back as a
  BadRequestError with the underlying message, instead of falling
  through to the generic "Something went wrong" 500.

* fix(pki): preserve original region on ACM renewal and hoist AWS calls out of CA update transaction

- On renewal, store the original certificate's region in externalMetadata
  instead of the CA's current region, so subsequent revoke/renew keep
  targeting the correct region-locked ARN even if the CA was edited.
- In updateCertificateAuthority, run ACM ListCertificates and Route 53
  GetHostedZone before opening the DB transaction, mirroring
  createCertificateAuthority so slow AWS calls don't pin a pool connection.

* fix(pki): derive ACM signature algorithm from issued cert

ACM picks the signature algorithm server-side and has no SigningAlgorithm
parameter on RequestCertificate, so the caller-supplied signatureAlgorithm
was being persisted without ever matching what AWS actually signed with.
Parse it from the issued cert and normalize to CertSignatureAlgorithm
before writing to the DB. Drop the now-dead parameter from the ACM
orderCertificateFromProfile signature.

* chore(pki): remove unused AwsAcmKeyAlgorithm enum

* refactor(pki): generate ACM export passphrase with nanoid customAlphabet

Uses nanoid's customAlphabet instead of manual modular sampling, matching
the pattern used elsewhere in the codebase (e.g. dynamic-secret providers).
Eliminates the modular bias where the first 8 alphabet characters appeared
slightly more frequently than the others.

* fix(ui): mark AWS Connection field as required in ACM external CA form

Matches the sibling fields (Route 53 Connection, Hosted Zone ID, Region)
which already had the required indicator.

* docs(pki): clarify ACM auto-renewal and refresh screenshots

Explain that AWS itself attempts managed renewal 45 days before expiry, and what Infisical's own auto-renewal does in that case (skip RenewCertificate if AWS already renewed, otherwise trigger it). Swap "export" wording for plainer "save"/"pull in". Add new setup screenshots.

* docs(pki): add ACM public CA API reference pages

* refactor(pki): share Route 53 helper and tidy ACM internals

- Extract Route 53 into a shared dns-providers/route53.ts reused by both
  ACME and ACM Public CA. Adds an optional comment field so ACME keeps
  its original change-history strings. The ACME delete path also now
  applies sha256=CustomAWSHasher and useFipsEndpoint consistently with
  upsert.
- Move the two ACM validation error classes into a dedicated -errors.ts
  and rename to AcmPendingError / AcmTerminalError, since they also
  cover renewal and export paths beyond the original DNS-validation
  signal.
- Replace single-character regex strips (: and -) with split/join, and
  wrap the AWS error-message match in RE2 to match the rest of the repo.

* feat(ui): pre-fill and lock TTL for ACM Public CA profiles

AWS ACM Public CA issues certificates with a fixed 198-day validity and
the backend rejects any other value. When the selected CA on a certificate
profile is AWS ACM Public CA, the TTL field now pre-fills to 198 and is
disabled, with a tooltip explaining the fixed validity.

* docs(pki): expand ACM Public CA guide and document permissions on AWS connection

- Rewrite the ACM Public CA overview to scope explicitly to public
  certificates and drop the comparison with AWS Private CA.
- Expand the enrollment-method FAQ entry to explain that only API
  enrollment applies, because EST, SCEP, and ACME all submit a CSR and
  ACM generates the private key itself.
- Add an AWS ACM Public CA accordion (ACM + Route 53 permissions) to
  both the IAM Role and IAM User sections of the AWS app connection
  docs so users can set up permissions alongside existing services.

* fix(pki): skip AWS ACM revoke for superseded certificates

When an ACM certificate is renewed, the ARN is reused for the new
certificate body and the superseded cert is no longer present at AWS.
Calling RevokeCertificate on that ARN would revoke the currently-active
renewed cert. When revoking a cert that has renewedByCertificateId set,
skip the AWS call and let the service layer mark the DB row as REVOKED
on its own — matching the pattern already used in PKI syncs for
superseded certificates.

Author: saifsmailbox98

backend/package-lock.json

@@ -140,6 +140,7 @@
   },
   "dependencies": {
     "@ai-sdk/anthropic": "^3.0.68",
+    "@aws-sdk/client-acm": "^3.1030.0",
     "@aws-sdk/client-acm-pca": "^3.992.0",
     "@aws-sdk/client-elasticache": "^3.637.0",
     "@aws-sdk/client-iam": "^3.525.0",

backend/package.json

@@ -0,0 +1,24 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Certificate)) {
+    const hasColumn = await knex.schema.hasColumn(TableName.Certificate, "externalMetadata");
+    if (!hasColumn) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.jsonb("externalMetadata").nullable();
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Certificate)) {
+    if (await knex.schema.hasColumn(TableName.Certificate, "externalMetadata")) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.dropColumn("externalMetadata");
+      });
+    }
+  }
+}

backend/src/db/migrations/20260416231234_add-external-metadata-to-certificates.ts

@@ -44,7 +44,8 @@ export const CertificatesSchema = z.object({
   isCA: z.boolean().nullable().optional(),
   pathLength: z.number().nullable().optional(),
   source: z.string().nullable().optional(),
-  discoveryMetadata: z.unknown().nullable().optional()
+  discoveryMetadata: z.unknown().nullable().optional(),
+  externalMetadata: z.unknown().nullable().optional()
 });
 
 export type TCertificates = z.infer<typeof CertificatesSchema>;

backend/src/db/schemas/certificates.ts

@@ -2555,6 +2555,12 @@ export const CertificateAuthorities = {
       certificateAuthorityArn: `The ARN of the AWS Private Certificate Authority to use for issuing certificates.`,
       region: `The AWS region where the Private Certificate Authority is located.`
     },
+    AWS_ACM_PUBLIC_CA: {
+      appConnectionId: `The ID of the AWS App Connection to use for authenticating with AWS Certificate Manager (ACM). This connection must have permissions to request, describe, export, renew, and delete certificates.`,
+      dnsAppConnectionId: `The ID of the AWS App Connection to use for creating and managing Route 53 CNAME records required for ACM domain validation.`,
+      hostedZoneId: `The Route 53 hosted zone ID to use for ACM DNS validation CNAME records.`,
+      region: `The AWS region to use for the ACM API calls.`
+    },
     INTERNAL: {
       type: "The type of CA to create.",
       friendlyName: "A friendly name for the CA.",

backend/src/lib/api-docs/constants.ts

@@ -0,0 +1,18 @@
+import {
+  AwsAcmPublicCaCertificateAuthoritySchema,
+  CreateAwsAcmPublicCaCertificateAuthoritySchema,
+  UpdateAwsAcmPublicCaCertificateAuthoritySchema
+} from "@app/services/certificate-authority/aws-acm-public-ca/aws-acm-public-ca-certificate-authority-schemas";
+import { CaType } from "@app/services/certificate-authority/certificate-authority-enums";
+
+import { registerCertificateAuthorityEndpoints } from "./certificate-authority-endpoints";
+
+export const registerAwsAcmPublicCaCertificateAuthorityRouter = async (server: FastifyZodProvider) => {
+  registerCertificateAuthorityEndpoints({
+    caType: CaType.AWS_ACM_PUBLIC_CA,
+    server,
+    responseSchema: AwsAcmPublicCaCertificateAuthoritySchema,
+    createSchema: CreateAwsAcmPublicCaCertificateAuthoritySchema,
+    updateSchema: UpdateAwsAcmPublicCaCertificateAuthoritySchema
+  });
+};

backend/src/server/routes/v1/certificate-authority-routers/aws-acm-public-ca-certificate-authority-router.ts

@@ -6,6 +6,7 @@ import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { AcmeCertificateAuthoritySchema } from "@app/services/certificate-authority/acme/acme-certificate-authority-schemas";
+import { AwsAcmPublicCaCertificateAuthoritySchema } from "@app/services/certificate-authority/aws-acm-public-ca/aws-acm-public-ca-certificate-authority-schemas";
 import { AwsPcaCertificateAuthoritySchema } from "@app/services/certificate-authority/aws-pca/aws-pca-certificate-authority-schemas";
 import { AzureAdCsCertificateAuthoritySchema } from "@app/services/certificate-authority/azure-ad-cs/azure-ad-cs-certificate-authority-schemas";
 import { CaType } from "@app/services/certificate-authority/certificate-authority-enums";
@@ -15,7 +16,8 @@ const CertificateAuthoritySchema = z.discriminatedUnion("type", [
   InternalCertificateAuthoritySchema,
   AcmeCertificateAuthoritySchema,
   AzureAdCsCertificateAuthoritySchema,
-  AwsPcaCertificateAuthoritySchema
+  AwsPcaCertificateAuthoritySchema,
+  AwsAcmPublicCaCertificateAuthoritySchema
 ]);
 
 export const registerGeneralCertificateAuthorityRouter = async (server: FastifyZodProvider) => {
@@ -73,6 +75,14 @@ export const registerGeneralCertificateAuthorityRouter = async (server: FastifyZ
         req.permission
       );
 
+      const awsAcmPublicCas = await server.services.certificateAuthority.listCertificateAuthoritiesByProjectId(
+        {
+          projectId: req.query.projectId,
+          type: CaType.AWS_ACM_PUBLIC_CA
+        },
+        req.permission
+      );
+
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
         projectId: req.query.projectId,
@@ -83,7 +93,8 @@ export const registerGeneralCertificateAuthorityRouter = async (server: FastifyZ
               ...(internalCas ?? []).map((ca) => ca.id),
               ...(acmeCas ?? []).map((ca) => ca.id),
               ...(azureAdCsCas ?? []).map((ca) => ca.id),
-              ...(awsPcaCas ?? []).map((ca) => ca.id)
+              ...(awsPcaCas ?? []).map((ca) => ca.id),
+              ...(awsAcmPublicCas ?? []).map((ca) => ca.id)
             ]
           }
         }
@@ -94,7 +105,8 @@ export const registerGeneralCertificateAuthorityRouter = async (server: FastifyZ
           ...(internalCas ?? []),
           ...(acmeCas ?? []),
           ...(azureAdCsCas ?? []),
-          ...(awsPcaCas ?? [])
+          ...(awsPcaCas ?? []),
+          ...(awsAcmPublicCas ?? [])
         ]
       };
     }

backend/src/server/routes/v1/certificate-authority-routers/general-certificate-authority-router.ts

@@ -1,6 +1,7 @@
 import { CaType } from "@app/services/certificate-authority/certificate-authority-enums";
 
 import { registerAcmeCertificateAuthorityRouter } from "./acme-certificate-authority-router";
+import { registerAwsAcmPublicCaCertificateAuthorityRouter } from "./aws-acm-public-ca-certificate-authority-router";
 import { registerAwsPcaCertificateAuthorityRouter } from "./aws-pca-certificate-authority-router";
 import { registerAzureAdCsCertificateAuthorityRouter } from "./azure-ad-cs-certificate-authority-router";
 import { registerInternalCertificateAuthorityRouter } from "./internal-certificate-authority-router";
@@ -12,5 +13,6 @@ export const CERTIFICATE_AUTHORITY_REGISTER_ROUTER_MAP: Record<CaType, (server:
     [CaType.INTERNAL]: registerInternalCertificateAuthorityRouter,
     [CaType.ACME]: registerAcmeCertificateAuthorityRouter,
     [CaType.AZURE_AD_CS]: registerAzureAdCsCertificateAuthorityRouter,
-    [CaType.AWS_PCA]: registerAwsPcaCertificateAuthorityRouter
+    [CaType.AWS_PCA]: registerAwsPcaCertificateAuthorityRouter,
+    [CaType.AWS_ACM_PUBLIC_CA]: registerAwsAcmPublicCaCertificateAuthorityRouter
   };

backend/src/server/routes/v1/certificate-authority-routers/index.ts

@@ -6,6 +6,7 @@ import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { AcmeCertificateAuthoritySchema } from "@app/services/certificate-authority/acme/acme-certificate-authority-schemas";
+import { AwsAcmPublicCaCertificateAuthoritySchema } from "@app/services/certificate-authority/aws-acm-public-ca/aws-acm-public-ca-certificate-authority-schemas";
 import { AwsPcaCertificateAuthoritySchema } from "@app/services/certificate-authority/aws-pca/aws-pca-certificate-authority-schemas";
 import { AzureAdCsCertificateAuthoritySchema } from "@app/services/certificate-authority/azure-ad-cs/azure-ad-cs-certificate-authority-schemas";
 import { CaType } from "@app/services/certificate-authority/certificate-authority-enums";
@@ -15,7 +16,8 @@ const CertificateAuthoritySchema = z.discriminatedUnion("type", [
   InternalCertificateAuthoritySchema,
   AcmeCertificateAuthoritySchema,
   AzureAdCsCertificateAuthoritySchema,
-  AwsPcaCertificateAuthoritySchema
+  AwsPcaCertificateAuthoritySchema,
+  AwsAcmPublicCaCertificateAuthoritySchema
 ]);
 
 export const registerCaRouter = async (server: FastifyZodProvider) => {
@@ -73,6 +75,14 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
         req.permission
       );
 
+      const awsAcmPublicCas = await server.services.certificateAuthority.listCertificateAuthoritiesByProjectId(
+        {
+          projectId: req.query.projectId,
+          type: CaType.AWS_ACM_PUBLIC_CA
+        },
+        req.permission
+      );
+
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
         projectId: req.query.projectId,
@@ -83,7 +93,8 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
               ...(internalCas ?? []).map((ca) => ca.id),
               ...(acmeCas ?? []).map((ca) => ca.id),
               ...(azureAdCsCas ?? []).map((ca) => ca.id),
-              ...(awsPcaCas ?? []).map((ca) => ca.id)
+              ...(awsPcaCas ?? []).map((ca) => ca.id),
+              ...(awsAcmPublicCas ?? []).map((ca) => ca.id)
             ]
           }
         }
@@ -94,7 +105,8 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
           ...(internalCas ?? []),
           ...(acmeCas ?? []),
           ...(azureAdCsCas ?? []),
-          ...(awsPcaCas ?? [])
+          ...(awsPcaCas ?? []),
+          ...(awsAcmPublicCas ?? [])
         ]
       };
     }

backend/src/server/routes/v2/certificate-authority-router.ts

@@ -43,6 +43,7 @@ import { getProjectKmsCertificateKeyId } from "@app/services/project/project-fns
 import { TCertificateAuthorityDALFactory } from "../certificate-authority-dal";
 import { CaStatus, CaType } from "../certificate-authority-enums";
 import { keyAlgorithmToAlgCfg } from "../certificate-authority-fns";
+import { route53DeleteRecord, route53UpsertRecord } from "../dns-providers/route53";
 import { TExternalCertificateAuthorityDALFactory } from "../external-certificate-authority-dal";
 import { AcmeDnsProvider } from "./acme-certificate-authority-enums";
 import { AcmeCertificateAuthorityCredentialsSchema } from "./acme-certificate-authority-schemas";
@@ -54,7 +55,6 @@ import {
 import { azureDnsDeleteTxtRecord, azureDnsInsertTxtRecord } from "./dns-providers/azure-dns";
 import { cloudflareDeleteTxtRecord, cloudflareInsertTxtRecord } from "./dns-providers/cloudflare";
 import { dnsMadeEasyDeleteTxtRecord, dnsMadeEasyInsertTxtRecord } from "./dns-providers/dns-made-easy";
-import { route53DeleteTxtRecord, route53InsertTxtRecord } from "./dns-providers/route54";
 
 const validateDnsResolver = (resolver: string): void => {
   const appCfg = getConfig();
@@ -422,12 +422,13 @@ export const orderCertificate = async (
 
       switch (acmeCa.configuration.dnsProviderConfig.provider) {
         case AcmeDnsProvider.Route53: {
-          await route53InsertTxtRecord(
-            connection as TAwsConnection,
-            acmeCa.configuration.dnsProviderConfig.hostedZoneId,
-            recordName,
-            recordValue
-          );
+          await route53UpsertRecord(connection as TAwsConnection, acmeCa.configuration.dnsProviderConfig.hostedZoneId, {
+            name: recordName,
+            type: "TXT",
+            value: recordValue,
+            ttl: 30,
+            comment: "Set ACME challenge TXT record"
+          });
           break;
         }
         case AcmeDnsProvider.Cloudflare: {
@@ -478,12 +479,13 @@ export const orderCertificate = async (
 
       switch (acmeCa.configuration.dnsProviderConfig.provider) {
         case AcmeDnsProvider.Route53: {
-          await route53DeleteTxtRecord(
-            connection as TAwsConnection,
-            acmeCa.configuration.dnsProviderConfig.hostedZoneId,
-            recordName,
-            recordValue
-          );
+          await route53DeleteRecord(connection as TAwsConnection, acmeCa.configuration.dnsProviderConfig.hostedZoneId, {
+            name: recordName,
+            type: "TXT",
+            value: recordValue,
+            ttl: 30,
+            comment: "Delete ACME challenge TXT record"
+          });
           break;
         }
         case AcmeDnsProvider.Cloudflare: {