Set up a private certificate authority that can issue TLS certificates to your applications.

In a previous article, we shared how IBM Cloud Secrets Manager can help you to order public SSL/TLS certificates from Let’s Encrypt™ and manage them centrally in a single location, along with the rest of your application secrets. Today, we’re excited to announce that you can now configure and manage your own private certificate authorities with Secrets Manager, all while taking advantage of a powerful, single-tenant environment that provides data isolation and can scale to your needs. 

What is a certificate authority?

A certificate authority (commonly known as a CA) is an entity that issues digital certificates: signed statements that bind a public key to the name of a service, device or person. With these digital certificates, you're able to create trusted and secure TLS connections between services and applications.

To obtain a TLS certificate, you use either a public or a private CA. A public CA is a trusted third-party entity, such as Let's Encrypt or DigiCert®, whose root certificates already ship in browsers and operating systems. Before a public CA issues a certificate to you, it uses a supported validation method, such as domain validation, to verify that you control the domains that are listed in your certificate request. In contrast, a private CA is owned and controlled by your own team or business. Its certificates are trusted only by clients that have been configured to trust its root, so a private CA is used for internal use cases, and the scope of its issued certificates is limited to specific applications, services and people within your organization.

Benefits of private CAs

Private CAs offer more control and flexibility over the issuance of certificates to services, servers and individual users on your team. Certificates are issued from a custom CA that you own and manage, so once a participating system trusts your root CA certificate, it trusts every certificate that is issued beneath it; you no longer need to mark individual certificates as trusted by hand. That leaves you free to automate the rest of certificate management, including rotating certificates before they expire and revoking them when they're no longer needed.

By setting up a private CA, you can also extend certificate issuance to many other use cases that involve creating trusted environments within your organization. In addition to issuing certificates for internal services, you can extend your public-key infrastructure (PKI) to cover more scenarios for your business, such as the following:

  • Securing VPN connections
  • Issuing certificates to mobile devices — whether they’re company-owned or part of BYOD program
  • Email encryption and document signing
  • Code signing in DevOps workflows

Private CAs with IBM Cloud Secrets Manager

With Secrets Manager, you can manage a private CA that can scale to your needs, all while maintaining security and compliance with less effort and cost. Your issued certificates and their private keys are stored securely in a dedicated Secrets Manager service instance, where you can centrally manage their lifecycle.

You can create up to 10 root CAs and 10 intermediate CAs in a Secrets Manager service instance, arranged in multiple branches and hierarchies. For example, a simple CA hierarchy within a Secrets Manager instance is a root CA that signs one intermediate CA, which in turn issues the leaf certificates: the private certificates that you deploy to an application. With private certificates in Secrets Manager, you can:

  • Create certificate authorities for your instance: Configure root and intermediate CAs to establish a chain of trust for private certificates to your end-entity applications. 
  • Create and automatically renew certificates: Create private certificates for your apps on demand and enable automatic rotation so that each certificate is replaced before it expires.
  • Enable lifecycle notifications for your certificates: Connect your instance to IBM Cloud Event Notifications so that you’re alerted any time that your certificates are rotated, about to expire and more.
  • Define access with secret groups: Assign granular access to a group of certificates so that you can control who on your team, or which service ID, has access to them. 
  • Protect your certificates at rest: Manage encryption with a root key in IBM Key Protect or IBM Cloud Hyper Protect Crypto Services to enhance the security of your stored certificates and their private keys.
  • Monitor and audit activity: Track how users and applications interact with secrets in your instance by using IBM Cloud Activity Tracker.

Ready to get started?

Start by provisioning a Secrets Manager service instance in the IBM Cloud console. Because a dedicated instance of the service is provisioned, it can take a few minutes. While you wait, you can continue to work elsewhere on IBM Cloud, or you might consider learning more about designing a certificate authority hierarchy.

If you’re working from an existing instance, you can go to Secrets engines > Private certificates to prepare your instance for creating private certificates. 

  1. Create a root certificate authority to serve as the trust anchor for your chain of certificates.
  2. Create an intermediate certificate authority, signed by the root, that is used to issue certificates.
  3. Add a certificate template to control the parameters that apply to the certificates it issues.
  4. Create a private certificate that you can deploy to your client or server application.
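The same four-step hierarchy, built as an added example with Go's standard crypto/x509 package (this is not IBM's code and does not call the Secrets Manager API): a self-signed root CA, an intermediate signed by the root, and a leaf signed by the intermediate, followed by the two checks a practitioner cares about. The leaf verifies only on a client that has been given the private root, and a rotation check fires before the short-lived leaf expires. The organization and host names, the lifetimes and the 30-day rotation window are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Hierarchy is the chain described above: a root CA as the trust anchor, an
// intermediate CA that does the day-to-day signing, and a leaf (end-entity)
// certificate that is deployed to an application.
type Hierarchy struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// issue generates a fresh P-256 key for tmpl, fills in serial, subject and
// validity, signs it under parent with parentKey (a nil parent means
// self-signed) and parses the DER so the result can act as a parent in turn.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey,
	cn string, ttl time.Duration, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Random 128-bit serial: two certificates from one CA must never share one.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber, tmpl.Subject, tmpl.BasicConstraintsValid = serial, pkix.Name{CommonName: cn}, true
	tmpl.NotBefore, tmpl.NotAfter = now, now.Add(ttl)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildHierarchy walks the four steps of the procedure: root CA, intermediate
// CA, the issuance parameters a certificate template pins down, and the leaf.
// Lifetimes shrink down the chain: the root is long-lived and rarely used, the
// leaf is short-lived and expected to be rotated. All names are made up.
func BuildHierarchy(now time.Time) (*Hierarchy, error) {
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	// Step 1: self-signed root; pathlen 1 permits exactly one tier of intermediates.
	root, rootKey, err := issue(&x509.Certificate{IsCA: true, KeyUsage: caUsage, MaxPathLen: 1},
		nil, nil, "Example Corp Root CA", 10*365*24*time.Hour, now)
	if err != nil {
		return nil, err
	}
	// Step 2: intermediate signed by the root; pathlen 0 means it may issue leaves only.
	inter, interKey, err := issue(&x509.Certificate{IsCA: true, KeyUsage: caUsage, MaxPathLen: 0, MaxPathLenZero: true},
		root, rootKey, "Example Corp Issuing CA", 5*365*24*time.Hour, now)
	if err != nil {
		return nil, err
	}
	// Steps 3 and 4: template parameters (SAN, key usage, 90-day TTL) and the
	// leaf itself, signed by the intermediate. The leaf's private key is what a
	// secrets store keeps next to the certificate; it is discarded here.
	leaf, _, err := issue(&x509.Certificate{
		DNSNames:    []string{"api.internal.example"},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey, "api.internal.example", 90*24*time.Hour, now)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyLeaf checks the leaf the way a TLS client does: only certificates in
// trusted count as anchors, and the intermediate is supplied separately, as a
// server sends it in the handshake. Passing no trusted certificates reproduces
// a client that never received the private root.
func VerifyLeaf(h *Hierarchy, trusted []*x509.Certificate, dnsName string, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	inters.AddCert(h.Intermediate)
	_, err := h.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName, CurrentTime: now})
	return err
}

// NeedsRotation reports whether cert expires within window, the condition an
// automatic-rotation policy acts on before the certificate becomes unusable.
func NeedsRotation(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return !now.Add(window).Before(cert.NotAfter)
}
```

Calling VerifyLeaf with the root as the only trusted certificate returns nil; calling it with no trusted certificates returns an x509.UnknownAuthorityError, which is exactly what a client that never received the private root reports. Installing the root (not each leaf) on participating systems is the one distribution step that makes certificates from a private CA trusted, and it is why the root's private key should be used only to sign intermediates. NeedsRotation is false for a freshly issued 90-day leaf with a 30-day window and becomes true once fewer than 30 days remain.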

Questions? Contact us

We’d love to hear from you. To send feedback, you can open a GitHub issue from a link at the bottom of any page in the documentation, open a support ticket or reach out directly through email. 

If you've made it this far and have more questions about Secrets Manager, we've got you! Check out our introductory blog on Secrets Manager or take a look at the FAQs.
