January 30, 2018 By Carmel Schindelhaim
Vinit Jain
3 min read

Deploy custom domain TLS Certificates

We are excited to announce that IBM Cloud Container Service is now integrated with IBM Cloud Certificate Manager! This means that you can easily and securely deploy custom domain TLS certificates from Certificate Manager to your Kubernetes Cluster.

Developers deploy their apps on IBM Cloud Container Service and make them securely accessible through the Ingress Controller. The Ingress Controller uses a pre-installed certificate that protects the default IBM provided domain assigned to your app. However, if you would like to use a custom domain for your app, such as mybank.com, you will need to obtain your own custom domain TLS certificate for that domain, install it in your cluster, and configure your Ingress Controller to use it.

When you have your own TLS certificate, you need to manage it so that your apps will continuously be secured with HTTPS. Certificates are only valid for a period of time, so you need to remember to renew them on time to avoid service disruptions. Private keys associated with certificates need to be protected because stolen keys can mean compromised customer and business data. So you’ll need a secure place to store your certificates, with proper access controls and an audit trail, and a way to monitor their expiration. IBM Cloud Certificate Manager provides these capabilities.

The IBM Cloud Container Services is now integrated with IBM Cloud Certificate Manager so that you can securely deploy a TLS certificate that you manage in Certificate Manager to your cluster. Cluster admins can use the Container Service CLI to import and update TLS certificates as Kubernetes Secrets, specifying the id of the certificate they want to use (CRN). Container Service also reports back to Certificate Manager the id of the Kubernetes cluster where the certificate was installed. Developers can then configure the ingress controller to use these secrets to secure apps with TLS. The update command also allows them to update an existing Kubernetes secret with a renewed certificate without causing downtime.

bx cs alb-cert-deploy [--update] --cluster CLUSTER --secret-name SECRET_NAME --cert-crn CERTIFICATE_CRN

We also designed the integrated experience to help you minimize the exposure of your private keys to users. When developers deploy applications, they can create ingress resources that use the secrets containing the certificates and their associated private keys without being able to read the content of the secrets (the private keys) themselves. This works by letting developers use reference secrets that do not contain the private keys. At runtime, the ingress controller can securely access the secrets and keys to do SSL termination.

To learn more, check out the documentation of Container Service here. Read more about IBM Cloud Certificate Manager here.

More from Security

Authentication vs. authorization: What’s the difference?

6 min read - Authentication and authorization are related but distinct processes in an organization’s identity and access management (IAM) system. Authentication verifies a user’s identity. Authorization gives the user the right level of access to system resources.  The authentication process relies on credentials, such as passwords or fingerprint scans, that users present to prove they are who they claim to be.  The authorization process relies on user permissions that outline what each user can do within a particular resource or network. For example,…

Top 7 risks to your identity security posture

5 min read - Detecting and remediating identity misconfigurations and blind spots is critical to an organization’s identity security posture especially as identity has become the new perimeter and a key pillar of an identity fabric. Let’s explore what identity blind spots and misconfigurations are, detail why finding them is essential, and lay out the top seven to avoid. What are the most critical risks to identity security? Identity misconfigurations and identity blind spots stand out as critical concerns that undermine an organization’s identity…

Intesa Sanpaolo and IBM secure digital transactions with fully homomorphic encryption

6 min read - This blog was made possible thanks to contributions from Nicola Bertoli, Sandra Grazia Tedesco, Alessio Di Michelangeli, Omri Soceanu, Akram Bitar, Allon Adir, Salvatore Sollami and Liam Chambers. Intesa Sanpaolo is one of the most trusted and profitable European banks. It offers commercial banking, corporate investment banking, asset management and insurance services. It is the leading bank in Italy with approximately 12 million customers served through its digital and traditional channels. The Cybersecurity Lab of Intesa Sanpaolo (ISP) needed to…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters