Add Get-InfisicalCertificatePolicy cmdlet

Covers GET /api/v1/cert-manager/certificate-policies (List default with optional -Limit, -Offset) and GET /api/v1/cert-manager/certificate-policies/{certificatePolicyId} (ById). New InfisicalCertificatePolicy model surfaces subject, SANs, key usages, extended key usages, algorithms, and validity. Polymorphic string-or-array fields (allowed/required/keyAlgorithm) are normalized to arrays; sans is normalized whether the API returns an object or an array. Manifest, build expected list, and MAML help updated.

CHANGELOG.md

@@ -8,6 +8,7 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) loos
 
 - Infisical API error responses are now parsed to surface the server-side `message`, `error`, and `reqId` fields. The 4xx/5xx exception message includes the human-readable explanation (e.g. "The project is of type secret-manager") instead of an opaque `Infisical API returned 400 (Bad Request)`. The `InfisicalApiException` gains `ApiErrorMessage` and `ApiRequestId` properties; `InfisicalErrorDetails` carries the same fields so PowerShell error records and logger output expose them.
 - `Get-InfisicalCertificateProfile` added with `List` (default) and `ById` parameter sets. List binds to `GET /api/v1/cert-manager/certificate-profiles` (optional `-Limit`, `-Offset`, `-IncludeConfigs`); ById binds to `GET /api/v1/cert-manager/certificate-profiles/{certificateProfileId}`. New `InfisicalCertificateProfile` model surfaces ca/policy ids, slug, enrollment type, per-profile defaults (ttl, key/extended key usages), and the embedded CA/policy/apiConfig summaries.
+- `Get-InfisicalCertificatePolicy` added with `List` (default) and `ById` parameter sets. List binds to `GET /api/v1/cert-manager/certificate-policies` (optional `-Limit`, `-Offset`); ById binds to `GET /api/v1/cert-manager/certificate-policies/{certificatePolicyId}`. New `InfisicalCertificatePolicy` model surfaces subject, SANs, key usages, extended key usages, algorithms, and validity. Polymorphic string-or-array fields (`allowed`, `required`, `keyAlgorithm`) are normalized to arrays; `sans` is normalized whether the API returns an object or an array.
 
 ## 2026.06.04.1920
 

Module/PSInfisicalAPI/en-US/PSInfisicalAPI.dll-Help.xml

@@ -1170,6 +1170,48 @@ $GetInfisicalCertificateProfileResult = Get-InfisicalCertificateProfile @GetInfi
     </command:examples>
   </command:command>
 
+  <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10">
+    <command:details>
+      <command:name>Get-InfisicalCertificatePolicy</command:name>
+      <maml:description><maml:para>Lists or retrieves Infisical certificate policies in a project.</maml:para></maml:description>
+      <command:verb>Get</command:verb>
+      <command:noun>InfisicalCertificatePolicy</command:noun>
+    </command:details>
+    <maml:description>
+      <maml:para>Default (List parameter set) returns every certificate policy configured on the project via /api/v1/cert-manager/certificate-policies, with optional -Limit and -Offset. When -PolicyId is supplied (ById parameter set) the cmdlet returns one policy by its id. -ProjectId defaults to the session-pinned project in both modes.</maml:para>
+    </maml:description>
+    <maml:alertSet>
+      <maml:title>Notes</maml:title>
+      <maml:alert>
+        <maml:para>Policies define the allowed/required subject, SANs, key usages, extended key usages, key algorithms, signature algorithm, and validity windows that certificate profiles enforce. Each profile binds exactly one policy via its CertificatePolicyId.</maml:para>
+      </maml:alert>
+    </maml:alertSet>
+    <command:examples>
+      <command:example>
+        <maml:title>EXAMPLE 1</maml:title>
+        <dev:code>Get-InfisicalCertificatePolicy</dev:code>
+        <dev:remarks><maml:para>Lists every certificate policy defined on the session-pinned project.</maml:para></dev:remarks>
+      </command:example>
+      <command:example>
+        <maml:title>EXAMPLE 2</maml:title>
+        <dev:code>Get-InfisicalCertificatePolicy -PolicyId '3e69306a-e7c1-4fd2-a140-7fb300e53c43'</dev:code>
+        <dev:remarks><maml:para>Retrieves a single certificate policy by id from the session-pinned project.</maml:para></dev:remarks>
+      </command:example>
+      <command:example>
+        <maml:title>EXAMPLE 3</maml:title>
+        <dev:code>$GetInfisicalCertificatePolicyListResult = Get-InfisicalCertificatePolicy | Where-Object { $_.Name -ieq 'codesigning' }
+
+$GetInfisicalCertificatePolicyParameters = New-Object -TypeName 'System.Collections.Specialized.OrderedDictionary' -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)
+$GetInfisicalCertificatePolicyParameters.PolicyId  = $GetInfisicalCertificatePolicyListResult[0].Id
+$GetInfisicalCertificatePolicyParameters.ProjectId = $ConnectInfisicalParameters.ProjectId
+$GetInfisicalCertificatePolicyParameters.Verbose   = $True
+
+$GetInfisicalCertificatePolicyResult = Get-InfisicalCertificatePolicy @GetInfisicalCertificatePolicyParameters</dev:code>
+        <dev:remarks><maml:para>Filters policies whose name equals 'codesigning' and refetches the canonical record for the first match using a splatted parameter set.</maml:para></dev:remarks>
+      </command:example>
+    </command:examples>
+  </command:command>
+
   <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10">
     <command:details>
       <command:name>Search-InfisicalCertificate</command:name>

build.ps1

@@ -132,6 +132,7 @@ function Write-Manifest {
         'Get-InfisicalCertificateAuthority',
         'Get-InfisicalPkiSubscriber',
         'Get-InfisicalCertificateProfile',
+        'Get-InfisicalCertificatePolicy',
         'Get-InfisicalCertificate',
         'Search-InfisicalCertificate',
         'Request-InfisicalCertificate',
@@ -203,7 +204,7 @@ if (`$cmds.Count -eq 0) {
     throw "No cmdlets were exported by the PSInfisicalAPI module."
 }
 
-`$expectedCmds = @('Connect-Infisical','Disconnect-Infisical','Get-InfisicalSecret','New-InfisicalSecret','Update-InfisicalSecret','Remove-InfisicalSecret','Copy-InfisicalSecret','ConvertTo-InfisicalSecretDictionary','Export-InfisicalSecrets','Get-InfisicalProject','New-InfisicalProject','Update-InfisicalProject','Remove-InfisicalProject','Get-InfisicalEnvironment','New-InfisicalEnvironment','Update-InfisicalEnvironment','Remove-InfisicalEnvironment','Get-InfisicalFolder','New-InfisicalFolder','Update-InfisicalFolder','Remove-InfisicalFolder','Get-InfisicalTag','New-InfisicalTag','Update-InfisicalTag','Remove-InfisicalTag','Get-InfisicalCertificateAuthority','Get-InfisicalPkiSubscriber','Get-InfisicalCertificateProfile','Get-InfisicalCertificate','Search-InfisicalCertificate','Request-InfisicalCertificate','ConvertTo-InfisicalCertificate','Install-InfisicalCertificate','Uninstall-InfisicalCertificate','Export-InfisicalCertificate')
+`$expectedCmds = @('Connect-Infisical','Disconnect-Infisical','Get-InfisicalSecret','New-InfisicalSecret','Update-InfisicalSecret','Remove-InfisicalSecret','Copy-InfisicalSecret','ConvertTo-InfisicalSecretDictionary','Export-InfisicalSecrets','Get-InfisicalProject','New-InfisicalProject','Update-InfisicalProject','Remove-InfisicalProject','Get-InfisicalEnvironment','New-InfisicalEnvironment','Update-InfisicalEnvironment','Remove-InfisicalEnvironment','Get-InfisicalFolder','New-InfisicalFolder','Update-InfisicalFolder','Remove-InfisicalFolder','Get-InfisicalTag','New-InfisicalTag','Update-InfisicalTag','Remove-InfisicalTag','Get-InfisicalCertificateAuthority','Get-InfisicalPkiSubscriber','Get-InfisicalCertificateProfile','Get-InfisicalCertificatePolicy','Get-InfisicalCertificate','Search-InfisicalCertificate','Request-InfisicalCertificate','ConvertTo-InfisicalCertificate','Install-InfisicalCertificate','Uninstall-InfisicalCertificate','Export-InfisicalCertificate')
 foreach (`$expected in `$expectedCmds) {
     if (-not (Get-Command -Name `$expected -Module PSInfisicalAPI -ErrorAction SilentlyContinue)) {
         throw "Cmdlet not found: `$expected"

src/PSInfisicalAPI/Cmdlets/GetInfisicalCertificatePolicyCmdlet.cs

@@ -0,0 +1,54 @@
+using System;
+using System.Management.Automation;
+using PSInfisicalAPI.Connections;
+using PSInfisicalAPI.Models;
+using PSInfisicalAPI.Pki;
+
+namespace PSInfisicalAPI.Cmdlets
+{
+    [Cmdlet(VerbsCommon.Get, "InfisicalCertificatePolicy", DefaultParameterSetName = "List")]
+    [OutputType(typeof(InfisicalCertificatePolicy))]
+    public sealed class GetInfisicalCertificatePolicyCmdlet : InfisicalCmdletBase
+    {
+        [Parameter(ParameterSetName = "ById", Mandatory = true, Position = 0, ValueFromPipelineByPropertyName = true)]
+        [Alias("Id", "CertificatePolicyId")]
+        public string PolicyId { get; set; }
+
+        [Parameter] public string ProjectId { get; set; }
+
+        [Parameter(ParameterSetName = "List")] public int? Limit { get; set; }
+
+        [Parameter(ParameterSetName = "List")] public int? Offset { get; set; }
+
+        protected override void ProcessRecord()
+        {
+            try
+            {
+                InfisicalConnection connection = InfisicalSessionManager.RequireCurrent();
+                InfisicalPkiClient client = new InfisicalPkiClient(HttpClient, Logger);
+                string resolvedProjectId = ResolveProjectId(connection, ProjectId);
+
+                if (string.Equals(ParameterSetName, "ById", StringComparison.Ordinal))
+                {
+                    InfisicalCertificatePolicy policy = client.GetCertificatePolicy(connection, PolicyId, resolvedProjectId);
+                    if (policy != null)
+                    {
+                        WriteObject(policy);
+                    }
+
+                    return;
+                }
+
+                InfisicalCertificatePolicy[] all = client.ListCertificatePolicies(connection, resolvedProjectId, Limit, Offset);
+                foreach (InfisicalCertificatePolicy policy in all)
+                {
+                    WriteObject(policy);
+                }
+            }
+            catch (Exception exception)
+            {
+                ThrowTerminatingForException("GetInfisicalCertificatePolicyCmdlet", "GetCertificatePolicy", exception);
+            }
+        }
+    }
+}

src/PSInfisicalAPI/Endpoints/InfisicalEndpointNames.cs

@@ -57,5 +57,8 @@ namespace PSInfisicalAPI.Endpoints
 
         public const string ListCertificateProfiles = "ListCertificateProfiles";
         public const string GetCertificateProfile = "GetCertificateProfile";
+
+        public const string ListCertificatePolicies = "ListCertificatePolicies";
+        public const string GetCertificatePolicy = "GetCertificatePolicy";
     }
 }

src/PSInfisicalAPI/Endpoints/InfisicalEndpointRegistry.cs

@@ -662,6 +662,26 @@ namespace PSInfisicalAPI.Endpoints
                 Template = "/api/v1/cert-manager/certificate-profiles/{certificateProfileId}",
                 RequiresAuthorization = true
             });
+
+            Add(map, new InfisicalEndpointDefinition
+            {
+                Name = InfisicalEndpointNames.ListCertificatePolicies,
+                Resource = "Pki",
+                Version = "v1",
+                Method = "GET",
+                Template = "/api/v1/cert-manager/certificate-policies",
+                RequiresAuthorization = true
+            });
+
+            Add(map, new InfisicalEndpointDefinition
+            {
+                Name = InfisicalEndpointNames.GetCertificatePolicy,
+                Resource = "Pki",
+                Version = "v1",
+                Method = "GET",
+                Template = "/api/v1/cert-manager/certificate-policies/{certificatePolicyId}",
+                RequiresAuthorization = true
+            });
         }
 
         public static InfisicalEndpointDefinition Get(string name)

src/PSInfisicalAPI/Models/InfisicalCertificatePolicy.cs

@@ -0,0 +1,50 @@
+using System;
+
+namespace PSInfisicalAPI.Models
+{
+    public sealed class InfisicalCertificatePolicy
+    {
+        public string Id { get; set; }
+        public string ProjectId { get; set; }
+        public string Name { get; set; }
+        public string Description { get; set; }
+        public InfisicalCertificatePolicySubject Subject { get; set; }
+        public InfisicalCertificatePolicySan[] Sans { get; set; }
+        public InfisicalCertificatePolicyUsages KeyUsages { get; set; }
+        public InfisicalCertificatePolicyUsages ExtendedKeyUsages { get; set; }
+        public InfisicalCertificatePolicyAlgorithms Algorithms { get; set; }
+        public InfisicalCertificatePolicyValidity Validity { get; set; }
+        public DateTimeOffset? CreatedAtUtc { get; set; }
+        public DateTimeOffset? UpdatedAtUtc { get; set; }
+    }
+
+    public sealed class InfisicalCertificatePolicySubject
+    {
+        public string Type { get; set; }
+        public string[] Allowed { get; set; }
+    }
+
+    public sealed class InfisicalCertificatePolicySan
+    {
+        public string Type { get; set; }
+        public string[] Allowed { get; set; }
+        public string[] Required { get; set; }
+    }
+
+    public sealed class InfisicalCertificatePolicyUsages
+    {
+        public string[] Allowed { get; set; }
+        public string[] Required { get; set; }
+    }
+
+    public sealed class InfisicalCertificatePolicyAlgorithms
+    {
+        public string Signature { get; set; }
+        public string[] KeyAlgorithms { get; set; }
+    }
+
+    public sealed class InfisicalCertificatePolicyValidity
+    {
+        public string Max { get; set; }
+    }
+}

src/PSInfisicalAPI/Pki/InfisicalCertificatePolicyDtos.cs

@@ -0,0 +1,58 @@
+using System.Collections.Generic;
+using Newtonsoft.Json;
+using Newtonsoft.Json.Linq;
+
+namespace PSInfisicalAPI.Pki
+{
+    internal sealed class InfisicalCertificatePolicyResponseDto
+    {
+        [JsonProperty("id")] public string Id { get; set; }
+        [JsonProperty("projectId")] public string ProjectId { get; set; }
+        [JsonProperty("name")] public string Name { get; set; }
+        [JsonProperty("description")] public string Description { get; set; }
+        [JsonProperty("subject")] public InfisicalCertificatePolicySubjectDto Subject { get; set; }
+        [JsonProperty("sans")] public JToken SansRaw { get; set; }
+        [JsonProperty("keyUsages")] public InfisicalCertificatePolicyUsagesDto KeyUsages { get; set; }
+        [JsonProperty("extendedKeyUsages")] public InfisicalCertificatePolicyUsagesDto ExtendedKeyUsages { get; set; }
+        [JsonProperty("algorithms")] public InfisicalCertificatePolicyAlgorithmsDto Algorithms { get; set; }
+        [JsonProperty("validity")] public InfisicalCertificatePolicyValidityDto Validity { get; set; }
+        [JsonProperty("createdAt")] public string CreatedAt { get; set; }
+        [JsonProperty("updatedAt")] public string UpdatedAt { get; set; }
+    }
+
+    internal sealed class InfisicalCertificatePolicySubjectDto
+    {
+        [JsonProperty("type")] public string Type { get; set; }
+        [JsonProperty("allowed")] public JToken AllowedRaw { get; set; }
+    }
+
+    internal sealed class InfisicalCertificatePolicySanDto
+    {
+        [JsonProperty("type")] public string Type { get; set; }
+        [JsonProperty("allowed")] public JToken AllowedRaw { get; set; }
+        [JsonProperty("required")] public JToken RequiredRaw { get; set; }
+    }
+
+    internal sealed class InfisicalCertificatePolicyUsagesDto
+    {
+        [JsonProperty("allowed")] public JToken AllowedRaw { get; set; }
+        [JsonProperty("required")] public JToken RequiredRaw { get; set; }
+    }
+
+    internal sealed class InfisicalCertificatePolicyAlgorithmsDto
+    {
+        [JsonProperty("signature")] public string Signature { get; set; }
+        [JsonProperty("keyAlgorithm")] public JToken KeyAlgorithmRaw { get; set; }
+    }
+
+    internal sealed class InfisicalCertificatePolicyValidityDto
+    {
+        [JsonProperty("max")] public string Max { get; set; }
+    }
+
+    internal sealed class InfisicalCertificatePolicyListResponseDto
+    {
+        [JsonProperty("certificatePolicies")] public List<InfisicalCertificatePolicyResponseDto> CertificatePolicies { get; set; }
+        [JsonProperty("totalCount")] public int? TotalCount { get; set; }
+    }
+}

src/PSInfisicalAPI/Pki/InfisicalCertificatePolicyMapper.cs

@@ -0,0 +1,138 @@
+using System;
+using System.Collections.Generic;
+using System.Globalization;
+using Newtonsoft.Json.Linq;
+using PSInfisicalAPI.Models;
+
+namespace PSInfisicalAPI.Pki
+{
+    internal static class InfisicalCertificatePolicyMapper
+    {
+        public static InfisicalCertificatePolicy Map(InfisicalCertificatePolicyResponseDto dto, string fallbackProjectId)
+        {
+            if (dto == null)
+            {
+                return null;
+            }
+
+            return new InfisicalCertificatePolicy
+            {
+                Id = dto.Id,
+                ProjectId = !string.IsNullOrEmpty(dto.ProjectId) ? dto.ProjectId : fallbackProjectId,
+                Name = dto.Name,
+                Description = dto.Description,
+                Subject = MapSubject(dto.Subject),
+                Sans = MapSans(dto.SansRaw),
+                KeyUsages = MapUsages(dto.KeyUsages),
+                ExtendedKeyUsages = MapUsages(dto.ExtendedKeyUsages),
+                Algorithms = MapAlgorithms(dto.Algorithms),
+                Validity = MapValidity(dto.Validity),
+                CreatedAtUtc = ParseTimestamp(dto.CreatedAt),
+                UpdatedAtUtc = ParseTimestamp(dto.UpdatedAt)
+            };
+        }
+
+        public static InfisicalCertificatePolicy[] MapMany(IEnumerable<InfisicalCertificatePolicyResponseDto> items, string fallbackProjectId)
+        {
+            if (items == null)
+            {
+                return Array.Empty<InfisicalCertificatePolicy>();
+            }
+
+            List<InfisicalCertificatePolicy> results = new List<InfisicalCertificatePolicy>();
+            foreach (InfisicalCertificatePolicyResponseDto dto in items)
+            {
+                InfisicalCertificatePolicy mapped = Map(dto, fallbackProjectId);
+                if (mapped != null)
+                {
+                    results.Add(mapped);
+                }
+            }
+
+            return results.ToArray();
+        }
+
+        private static InfisicalCertificatePolicySubject MapSubject(InfisicalCertificatePolicySubjectDto dto)
+        {
+            if (dto == null) { return null; }
+            return new InfisicalCertificatePolicySubject
+            {
+                Type = dto.Type,
+                Allowed = InfisicalCertificateProfileMapper.FlattenStringOrStringArray(dto.AllowedRaw)
+            };
+        }
+
+        private static InfisicalCertificatePolicySan[] MapSans(JToken token)
+        {
+            if (token == null || token.Type == JTokenType.Null) { return null; }
+
+            List<InfisicalCertificatePolicySan> results = new List<InfisicalCertificatePolicySan>();
+            if (token.Type == JTokenType.Array)
+            {
+                foreach (JToken child in (JArray)token)
+                {
+                    InfisicalCertificatePolicySan mapped = MapSanObject(child);
+                    if (mapped != null) { results.Add(mapped); }
+                }
+            }
+            else if (token.Type == JTokenType.Object)
+            {
+                InfisicalCertificatePolicySan mapped = MapSanObject(token);
+                if (mapped != null) { results.Add(mapped); }
+            }
+
+            return results.Count > 0 ? results.ToArray() : null;
+        }
+
+        private static InfisicalCertificatePolicySan MapSanObject(JToken token)
+        {
+            if (token == null || token.Type != JTokenType.Object) { return null; }
+            InfisicalCertificatePolicySanDto dto = token.ToObject<InfisicalCertificatePolicySanDto>();
+            if (dto == null) { return null; }
+            return new InfisicalCertificatePolicySan
+            {
+                Type = dto.Type,
+                Allowed = InfisicalCertificateProfileMapper.FlattenStringOrStringArray(dto.AllowedRaw),
+                Required = InfisicalCertificateProfileMapper.FlattenStringOrStringArray(dto.RequiredRaw)
+            };
+        }
+
+        private static InfisicalCertificatePolicyUsages MapUsages(InfisicalCertificatePolicyUsagesDto dto)
+        {
+            if (dto == null) { return null; }
+            return new InfisicalCertificatePolicyUsages
+            {
+                Allowed = InfisicalCertificateProfileMapper.FlattenStringOrStringArray(dto.AllowedRaw),
+                Required = InfisicalCertificateProfileMapper.FlattenStringOrStringArray(dto.RequiredRaw)
+            };
+        }
+
+        private static InfisicalCertificatePolicyAlgorithms MapAlgorithms(InfisicalCertificatePolicyAlgorithmsDto dto)
+        {
+            if (dto == null) { return null; }
+            return new InfisicalCertificatePolicyAlgorithms
+            {
+                Signature = dto.Signature,
+                KeyAlgorithms = InfisicalCertificateProfileMapper.FlattenStringOrStringArray(dto.KeyAlgorithmRaw)
+            };
+        }
+
+        private static InfisicalCertificatePolicyValidity MapValidity(InfisicalCertificatePolicyValidityDto dto)
+        {
+            if (dto == null) { return null; }
+            return new InfisicalCertificatePolicyValidity { Max = dto.Max };
+        }
+
+        private static DateTimeOffset? ParseTimestamp(string value)
+        {
+            if (string.IsNullOrEmpty(value)) { return null; }
+            DateTimeOffset parsed;
+            if (DateTimeOffset.TryParse(value, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out parsed))
+            {
+                return parsed;
+            }
+
+            return null;
+        }
+    }
+}

src/PSInfisicalAPI/Pki/InfisicalPkiClient.cs

@@ -427,6 +427,94 @@ namespace PSInfisicalAPI.Pki
             return obj.ToObject<InfisicalCertificateProfileResponseDto>();
         }
 
+        public InfisicalCertificatePolicy[] ListCertificatePolicies(InfisicalConnection connection, string projectId, int? limit, int? offset)
+        {
+            if (connection == null) { throw new ArgumentNullException(nameof(connection)); }
+            string resolvedProjectId = FirstNonEmpty(projectId, connection.ProjectId);
+            if (string.IsNullOrEmpty(resolvedProjectId)) { throw new InfisicalConfigurationException("ProjectId is required."); }
+
+            List<KeyValuePair<string, string>> query = new List<KeyValuePair<string, string>>
+            {
+                new KeyValuePair<string, string>("projectId", resolvedProjectId)
+            };
+            if (limit.HasValue) { query.Add(new KeyValuePair<string, string>("limit", limit.Value.ToString(CultureInfo.InvariantCulture))); }
+            if (offset.HasValue) { query.Add(new KeyValuePair<string, string>("offset", offset.Value.ToString(CultureInfo.InvariantCulture))); }
+
+            try
+            {
+                _logger.Information(Component, "Attempting to list Infisical certificate policies. Please Wait...");
+                InfisicalHttpResponse response = _invoker.InvokeWithCandidateFallback(connection, InfisicalEndpointNames.ListCertificatePolicies, "ListCertificatePolicies", null, query, null);
+                string body = response.Body;
+                response.Clear();
+
+                List<InfisicalCertificatePolicyResponseDto> source = ParseCertificatePolicyListBody(body);
+                InfisicalCertificatePolicy[] mapped = InfisicalCertificatePolicyMapper.MapMany(source, resolvedProjectId);
+                _logger.Information(Component, "Infisical certificate policy list retrieval was successful.");
+                return mapped;
+            }
+            catch (Exception)
+            {
+                _logger.Error(Component, "Infisical certificate policy list retrieval failed.");
+                throw;
+            }
+        }
+
+        public InfisicalCertificatePolicy GetCertificatePolicy(InfisicalConnection connection, string certificatePolicyId, string projectId)
+        {
+            if (connection == null) { throw new ArgumentNullException(nameof(connection)); }
+            if (string.IsNullOrEmpty(certificatePolicyId)) { throw new InfisicalConfigurationException("CertificatePolicyId is required."); }
+
+            Dictionary<string, string> pathParameters = new Dictionary<string, string> { { "certificatePolicyId", certificatePolicyId } };
+            List<KeyValuePair<string, string>> query = null;
+            if (!string.IsNullOrEmpty(projectId))
+            {
+                query = new List<KeyValuePair<string, string>> { new KeyValuePair<string, string>("projectId", projectId) };
+            }
+
+            try
+            {
+                _logger.Information(Component, string.Concat("Attempting to retrieve Infisical certificate policy '", certificatePolicyId, "'. Please Wait..."));
+                InfisicalHttpResponse response = _invoker.InvokeWithCandidateFallback(connection, InfisicalEndpointNames.GetCertificatePolicy, "GetCertificatePolicy", pathParameters, query, null);
+                string body = response.Body;
+                response.Clear();
+
+                InfisicalCertificatePolicyResponseDto inner = ParseCertificatePolicySingleBody(body);
+                string fallbackProjectId = !string.IsNullOrEmpty(projectId) ? projectId : connection.ProjectId;
+                InfisicalCertificatePolicy mapped = InfisicalCertificatePolicyMapper.Map(inner, fallbackProjectId);
+                _logger.Information(Component, "Infisical certificate policy retrieval was successful.");
+                return mapped;
+            }
+            catch (Exception)
+            {
+                _logger.Error(Component, "Infisical certificate policy retrieval failed.");
+                throw;
+            }
+        }
+
+        private List<InfisicalCertificatePolicyResponseDto> ParseCertificatePolicyListBody(string body)
+        {
+            if (string.IsNullOrEmpty(body)) { return null; }
+            JToken token = JToken.Parse(body);
+            if (token.Type == JTokenType.Array)
+            {
+                return token.ToObject<List<InfisicalCertificatePolicyResponseDto>>();
+            }
+
+            InfisicalCertificatePolicyListResponseDto wrapper = token.ToObject<InfisicalCertificatePolicyListResponseDto>();
+            return wrapper != null ? wrapper.CertificatePolicies : null;
+        }
+
+        private InfisicalCertificatePolicyResponseDto ParseCertificatePolicySingleBody(string body)
+        {
+            if (string.IsNullOrEmpty(body)) { return null; }
+            JToken token = JToken.Parse(body);
+            if (token.Type != JTokenType.Object) { return null; }
+            JObject obj = (JObject)token;
+
+            if (obj["certificatePolicy"] is JObject inner) { return inner.ToObject<InfisicalCertificatePolicyResponseDto>(); }
+            return obj.ToObject<InfisicalCertificatePolicyResponseDto>();
+        }
+
         public InfisicalCertificateBundle GetCertificateBundle(InfisicalConnection connection, string serialNumber)
         {
             if (connection == null) { throw new ArgumentNullException(nameof(connection)); }