Set up a private certificate authority that can issue TLS certificates to your applications.

In a previous article, we shared how IBM Cloud Secrets Manager can help you to order public SSL/TLS certificates from Let’s Encrypt™ and manage them centrally in a single location, along with the rest of your application secrets. Today, we’re excited to announce that you can now configure and manage your own private certificate authorities with Secrets Manager, all while taking advantage of a powerful, single-tenant environment that provides data isolation and can scale to your needs. 

What is a certificate authority?

A certificate authority (commonly known as a CA) is an entity or third-party company that issues digital certificates. With these digital certificates, you’re able to create trusted and secure TLS connections between services and applications. 

To obtain a TLS certificate, you use either a public or private CA. A public CA is a trusted third-party entity, such as Let’s Encrypt or DigiCert®, that can provide domain-validated certificates. Before a certificate from a public CA can be issued to you, the CA uses a supported validation method, such as domain validation, to verify that you own the domains that are listed as part of your certificate request. In contrast to public CAs, private CAs are privately owned entities that are controlled by your team or business. A private CA is used for internal use cases only, so the scope of its issued certificates is limited to specific applications, services and people within an organization. 

Benefits of private CAs

Private CAs offer better control and flexibility over the issuance of certificates to services, servers and individuals or users on your team. Certificates are issued from a custom CA that you own and manage, so the issued certificates are inherently trusted by participating entities. And, you eliminate the need to mark your trusted certificates manually. You’re able to focus on automating many of the tasks around certificates management, including the ability to rotate certificates before they expire, revoke them if they’re no longer needed and more.

By setting up a private CA, you’re also able to easily extend your certificate issuance scenarios to cover many other use cases around creating trusted environments within your organization. In addition to using a private CA to issue certificates for internal services, you can extend your public-key infrastructure (PKI) certifications to include more scenarios for your business, such as the following:

• Securing VPN connections
• Issuing certificates to mobile devices — whether they’re company-owned or part of BYOD program
• Email encryption and document signing
• Code signing in DevOps workflows

Private CAs with IBM Cloud Secrets Manager

With Secrets Manager, you can manage a private CA that can scale to your needs, all while maintaining security and compliance with less effort and cost. Your issued certificates and their private keys are stored securely in a dedicated Secrets Manager service instance, where you can centrally manage their lifecycle.

You can create up to 10 root CAs and 10 intermediate CAs in a Secrets Manager service instance with multiple branches and hierarchies. For example, a simple CA hierarchy within a Secrets Manager instance might resemble the following diagram, where the leaf certificates are the private certificates that you can deploy to an application:

Features

• Create certificate authorities for your instance: Configure root and intermediate CAs to establish a chain of trust for private certificates to your end-entity applications. 
• Create and automatically renew certificates: Create private certificates for your apps on-demand and enable automatic rotation so that your certificates never expire.
• Enable lifecycle notifications for your certificates: Connect your instance to IBM Cloud Event Notifications so that you’re alerted any time that your certificates are rotated, about to expire and more.
• Define access with secret groups: Assign granular access to a group of certificates so that you can control who on your team, or which service ID, has access to them. 
• Protect your certificates at rest: Manage encryption with a root key in IBM Key Protect or IBM Cloud Hyper Protect Crypto Services to enhance the security of your stored certificates and their private keys.
• Monitor and audit activity: Track how users and applications interact with secrets in your instance by using IBM Cloud Activity Tracker.

Ready to get started?

Start by provisioning a Secrets Manager service instance in the IBM Cloud console. Because a dedicated instance of the service is provisioned, it can take a few minutes. While you wait, you can continue to work elsewhere on IBM Cloud, or you might consider learning more about designing a certificate authority hierarchy.

If you’re working from an existing instance, you can go to Secrets engines > Private certificates to prepare your instance for creating private certificates. 

1. Create a root certificate authority to serve as a trust anchor for your chain of certificates:

2. Create an intermediate certificate authority that can be used to issue certificates:

3. Add a certificate template to control the parameters to apply to your certificates.
4. Create a private certificate that you can deploy to your client or server application.

Questions? Contact us

We’d love to hear from you. To send feedback, you can open a GitHub issue from a link at the bottom of any page in the documentation, open a support ticket or reach out directly through email. 

If you’ve made it this far and have more questions about Secrets Manager, we’ve got you! Check out our introductory blog on Secrets Manager or take a look at the FAQs.