Announcements
Cloud
Security
April 26, 2022 By Crystal Barragan
Janet Van
Pratheek Karnati
4 min read

Set up a private certificate authority that can issue TLS certificates to your applications.

In a previous article, we shared how IBM Cloud Secrets Manager can help you to order public SSL/TLS certificates from Let’s Encrypt™ and manage them centrally in a single location, along with the rest of your application secrets. Today, we’re excited to announce that you can now configure and manage your own private certificate authorities with Secrets Manager, all while taking advantage of a powerful, single-tenant environment that provides data isolation and can scale to your needs. 

What is a certificate authority?

A certificate authority (commonly known as a CA) is an entity or third-party company that issues digital certificates. With these digital certificates, you’re able to create trusted and secure TLS connections between services and applications. 

To obtain a TLS certificate, you use either a public or private CA. A public CA is a trusted third-party entity, such as Let’s Encrypt or DigiCert®, that can provide domain-validated certificates. Before a certificate from a public CA can be issued to you, the CA uses a supported validation method, such as domain validation, to verify that you own the domains that are listed as part of your certificate request. In contrast to public CAs, private CAs are privately owned entities that are controlled by your team or business. A private CA is used for internal use cases only, so the scope of its issued certificates is limited to specific applications, services and people within an organization. 

Benefits of private CAs

Private CAs offer better control and flexibility over the issuance of certificates to services, servers and individuals or users on your team. Certificates are issued from a custom CA that you own and manage, so the issued certificates are inherently trusted by participating entities. And, you eliminate the need to mark your trusted certificates manually. You’re able to focus on automating many of the tasks around certificates management, including the ability to rotate certificates before they expire, revoke them if they’re no longer needed and more.

By setting up a private CA, you’re also able to easily extend your certificate issuance scenarios to cover many other use cases around creating trusted environments within your organization. In addition to using a private CA to issue certificates for internal services, you can extend your public-key infrastructure (PKI) certifications to include more scenarios for your business, such as the following:

  • Securing VPN connections
  • Issuing certificates to mobile devices — whether they’re company-owned or part of BYOD program
  • Email encryption and document signing
  • Code signing in DevOps workflows

Private CAs with IBM Cloud Secrets Manager

With Secrets Manager, you can manage a private CA that can scale to your needs, all while maintaining security and compliance with less effort and cost. Your issued certificates and their private keys are stored securely in a dedicated Secrets Manager service instance, where you can centrally manage their lifecycle.

You can create up to 10 root CAs and 10 intermediate CAs in a Secrets Manager service instance with multiple branches and hierarchies. For example, a simple CA hierarchy within a Secrets Manager instance might resemble the following diagram, where the leaf certificates are the private certificates that you can deploy to an application:

Features

  • Create certificate authorities for your instance: Configure root and intermediate CAs to establish a chain of trust for private certificates to your end-entity applications. 
  • Create and automatically renew certificates: Create private certificates for your apps on-demand and enable automatic rotation so that your certificates never expire.
  • Enable lifecycle notifications for your certificates: Connect your instance to IBM Cloud Event Notifications so that you’re alerted any time that your certificates are rotated, about to expire and more.
  • Define access with secret groups: Assign granular access to a group of certificates so that you can control who on your team, or which service ID, has access to them. 
  • Protect your certificates at rest: Manage encryption with a root key in IBM Key Protect or IBM Cloud Hyper Protect Crypto Services to enhance the security of your stored certificates and their private keys.
  • Monitor and audit activity: Track how users and applications interact with secrets in your instance by using IBM Cloud Activity Tracker.

Ready to get started?

Start by provisioning a Secrets Manager service instance in the IBM Cloud console. Because a dedicated instance of the service is provisioned, it can take a few minutes. While you wait, you can continue to work elsewhere on IBM Cloud, or you might consider learning more about designing a certificate authority hierarchy.

If you’re working from an existing instance, you can go to Secrets engines > Private certificates to prepare your instance for creating private certificates. 

  1. Create a root certificate authority to serve as a trust anchor for your chain of certificates:
  2. Create an intermediate certificate authority that can be used to issue certificates:
  3. Add a certificate template to control the parameters to apply to your certificates.
  4. Create a private certificate that you can deploy to your client or server application.

Questions? Contact us

We’d love to hear from you. To send feedback, you can open a GitHub issue from a link at the bottom of any page in the documentation, open a support ticket or reach out directly through email. 

If you’ve made it this far and have more questions about Secrets Manager, we’ve got you! Check out our introductory blog on Secrets Manager or take a look at the FAQs

Crystal Barragan
Technical Writer, Cloud Security Services
Janet Van
Product Manager, Cloud Security and Compliance
Pratheek Karnati
Architect, Cloud Security Services

More from Announcements
May 6, 2024

IBM and MuleSoft expand global relationship to accelerate modernization on IBM Power 

2 min read - As companies undergo digital transformation, they rely on APIs as the backbone for providing new services and customer experiences. While APIs can simplify application development and deliver integrated solutions, IT shops must have a robust solution to effectively manage and govern them to ensure that response times and costs are kept low for all applications. Many customers use Salesforce’s MuleSoft, named a leader by Gartner® in full lifecycle API management for seven consecutive times, to manage and secure APIs across…

April 19, 2024

IBM Consulting augments expertise with AWS Competencies: A win-win for clients 

3 min read - In today's dynamic economic landscape, businesses demand continuous innovation and speed of execution. At IBM Consulting®, our unwavering focus on partnerships and shared commitment to delivering enterprise-level solutions to mutual clients have been core to our success.   We are thrilled to announce that IBM® has recently gained five competencies from Amazon Web Services (AWS) in vital domains including Cloud Operations, Internet of Things (IoT), Life Sciences, Mainframe Modernization, and Telecommunications. With these credentials, IBM further establishes its position as a…

April 18, 2024

Probable Root Cause: Accelerating incident remediation with causal AI 

5 min read - It has been proven time and time again that a business application’s outages are very costly. The estimated cost of an average downtime can run USD 50,000 to 500,000 per hour, and more as businesses are actively moving to digitization. The complexity of applications is growing as well, so Site Reliability Engineers (SREs) require hours—and sometimes days—to identify and resolve problems.   To alleviate this problem, we have introduced the new feature Probable Root Cause as part of Intelligent Incident…

IBM Newsletters

 Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters