IBM Cloud Certificate Manager lets you order free, domain-validated certificates signed by Let’s Encrypt—an automated, ACME-protocol-based Certificate Authority (CA) that issues free certificates that are valid for 90 days. Certificate Manager also helps you manage the lifecycle of your certificates and keep them secure.
How it works
When you order a certificate, you need to validate that you control the domains, which usually requires a lot of manual back and forth with your Certificate Authority. Let’s Encrypt automates certificate ordering through domain validation challenges.
When you request a certificate from Let’s Encrypt, it sends you a challenge value to publish as a DNS TXT record under the domain you requested, which you can do by calling your DNS provider’s APIs. Let’s Encrypt then queries DNS for that record. If the record matches, Let’s Encrypt issues the certificate to you.
We integrated Certificate Manager and IBM Cloud Internet Services (CIS) to do this work for you. Certificate Manager will interact with CIS to update TXT records. All you do is set up an access policy through IBM Cloud IAM to allow your Certificate Manager instance to access your CIS instance.
Other benefits of using Certificate Manager
Ordering a certificate through Certificate Manager has several more advantages:
Security: When you request a certificate, the key pair for your certificate is generated within Certificate Manager, where the keys are stored encrypted. Actions performed on the certificate (including the order itself) and requests to download the certificate and private key are logged automatically to IBM Cloud Activity Tracker with LogDNA for audit purposes. If you want to limit access to individual certificates and keys, you can give access to users or services at the certificate level.
Lifecycle management: Certificate Manager also helps you manage the lifecycle of your TLS certificates. Get notified before your certificates expire and then renew them with the click of a button. Certificate Manager also sends you lifecycle notifications for events such as a certificate being issued or renewed, which you can use to trigger automated deployment processes (e.g., configuring your Kubernetes ingress controller or CIS to use this certificate).
How to order a certificate
When your domains are registered as zones in CIS, go to Cloud IAM to set an access policy for Certificate Manager and CIS. Give Certificate Manager a Reader service access role for your CIS instance, and give Certificate Manager a Manager service access role for the relevant domains in CIS. Then, go to Certificate Manager and click Order. Fill out the certificate order form for CIS users. You should get a certificate issued to you within minutes.
For technical questions, go to Stack Overflow and use the ‘ibm-certificate-manager’ tag.
For non-technical questions, go to IBM developerWorks and use the ‘ibm-certificate-manager’ tag.
For questions or support needs on CIS or Certificate Manager, use the support section in the IBM Cloud menu.
Other uses for Cloud Internet Services
IBM Cloud Internet Services (CIS) provides you with a wide array of capabilities that can be leveraged at the network edge and easily deployed globally through Cloudflare’s 180+ Global Points of Presence (PoPs), providing you with the most comprehensive solution on the IBM Cloud to protect and optimize your Internet-facing applications, websites, and services. Improve your application and/or website reliability by registering your domains in our Domain Name Server (DNS) for fast resolution of hostnames to their corresponding IP addresses or aliases.