Set up a private certificate authority that can issue TLS certificates to your applications.

In a previous article, we shared how IBM Cloud Secrets Manager can help you to order public SSL/TLS certificates from Let’s Encrypt™ and manage them centrally in a single location, along with the rest of your application secrets. Today, we’re excited to announce that you can now configure and manage your own private certificate authorities with Secrets Manager, all while taking advantage of a powerful, single-tenant environment that provides data isolation and can scale to your needs. 

What is a certificate authority?

A certificate authority (commonly known as a CA) is an entity or third-party company that issues digital certificates. With these digital certificates, you’re able to create trusted and secure TLS connections between services and applications. 

To obtain a TLS certificate, you use either a public or private CA. A public CA is a trusted third-party entity, such as Let’s Encrypt or DigiCert®, that can provide domain-validated certificates. Before a certificate from a public CA can be issued to you, the CA uses a supported validation method, such as domain validation, to verify that you own the domains that are listed as part of your certificate request. In contrast to public CAs, private CAs are privately owned entities that are controlled by your team or business. A private CA is used for internal use cases only, so the scope of its issued certificates is limited to specific applications, services and people within an organization. 

Benefits of private CAs

Private CAs offer better control and flexibility over the issuance of certificates to services, servers and individuals or users on your team. Certificates are issued from a custom CA that you own and manage, so the issued certificates are inherently trusted by participating entities, and you eliminate the need to mark your trusted certificates manually. You’re able to focus on automating many of the tasks around certificate management, including the ability to rotate certificates before they expire, revoke them if they’re no longer needed and more.

By setting up a private CA, you’re also able to easily extend your certificate issuance scenarios to cover many other use cases around creating trusted environments within your organization. In addition to using a private CA to issue certificates for internal services, you can extend your public-key infrastructure (PKI) certifications to include more scenarios for your business, such as the following:

  • Securing VPN connections
  • Issuing certificates to mobile devices — whether they’re company-owned or part of a BYOD program
  • Email encryption and document signing
  • Code signing in DevOps workflows

Private CAs with IBM Cloud Secrets Manager

With Secrets Manager, you can manage a private CA that can scale to your needs, all while maintaining security and compliance with less effort and cost. Your issued certificates and their private keys are stored securely in a dedicated Secrets Manager service instance, where you can centrally manage their lifecycle.

You can create up to 10 root CAs and 10 intermediate CAs in a Secrets Manager service instance with multiple branches and hierarchies. For example, a simple CA hierarchy within a Secrets Manager instance might resemble the following diagram, where the leaf certificates are the private certificates that you can deploy to an application:


  • Create certificate authorities for your instance: Configure root and intermediate CAs to establish a chain of trust for private certificates to your end-entity applications. 
  • Create and automatically renew certificates: Create private certificates for your apps on demand and enable automatic rotation so that your certificates never expire.
  • Enable lifecycle notifications for your certificates: Connect your instance to IBM Cloud Event Notifications so that you’re alerted any time that your certificates are rotated, about to expire and more.
  • Define access with secret groups: Assign granular access to a group of certificates so that you can control who on your team, or which service ID, has access to them. 
  • Protect your certificates at rest: Manage encryption with a root key in IBM Key Protect or IBM Cloud Hyper Protect Crypto Services to enhance the security of your stored certificates and their private keys.
  • Monitor and audit activity: Track how users and applications interact with secrets in your instance by using IBM Cloud Activity Tracker.

Ready to get started?

Start by provisioning a Secrets Manager service instance in the IBM Cloud console. Because a dedicated instance of the service is provisioned, it can take a few minutes. While you wait, you can continue to work elsewhere on IBM Cloud, or you might consider learning more about designing a certificate authority hierarchy.

If you’re working from an existing instance, you can go to Secrets engines > Private certificates to prepare your instance for creating private certificates. 

  1. Create a root certificate authority to serve as a trust anchor for your chain of certificates.
  2. Create an intermediate certificate authority that can be used to issue certificates.
  3. Add a certificate template to control the parameters to apply to your certificates.
  4. Create a private certificate that you can deploy to your client or server application.
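As an added illustration of the chain these four steps build (example code written for this article, not Secrets Manager's own API; the CA names and the hostname app.internal.example are made up), the following Go program uses only the standard library to mint a root CA, an intermediate CA constrained to sign leaves only, and a leaf certificate, then verifies the leaf against the root trust anchor and shows that the same leaf is rejected when the intermediate is missing from the chain:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// certTemplate builds a CA or end-entity template; for a CA, pathLen bounds how
// many CAs may sit below it (0 = an issuing intermediate that signs only leaves).
func certTemplate(cn string, serial int64, isCA bool, pathLen int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if !isCA { // leaf: a TLS server identity with no signing powers
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with the parent's key; a nil parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildHierarchy returns root, intermediate and leaf; only the intermediate signs leaves.
// The hostname and CA names are made-up example values.
func BuildHierarchy(dnsName string) (root, inter, leaf *x509.Certificate) {
	root, rootKey := issue(certTemplate("Example Private Root CA", 1, true, 1), nil, nil)
	inter, interKey := issue(certTemplate("Example Private Intermediate CA", 2, true, 0), root, rootKey)
	leaf, _ = issue(certTemplate(dnsName, 3, false, 0), inter, interKey)
	return root, inter, leaf
}

// VerifyLeaf validates leaf against the root anchor; pass a nil inter to see an incomplete chain fail.
func VerifyLeaf(root, inter, leaf *x509.Certificate, dnsName string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	if inter != nil { inters.AddCert(inter) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName})
	return err
}
```

A server deploying the leaf must serve the intermediate alongside it, because clients only hold the root as a trust anchor; the nil-intermediate call reproduces the "unknown authority" failure seen when that is forgotten.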

Questions? Contact us

We’d love to hear from you. To send feedback, you can open a GitHub issue from a link at the bottom of any page in the documentation, open a support ticket or reach out directly through email. 

If you’ve made it this far and have more questions about Secrets Manager, we’ve got you! Check out our introductory blog on Secrets Manager or take a look at the FAQs.
