Security

Certificate Manager now Sends you Notifications before your Certificates Expire

Share this post:

Even the most successful or genius apps can fail if there are issues with availability. While development teams often engineer for availability, with lots of redundancy, health checks, and load balancing, sometimes outages occur because of simple human errors. One common error is that teams fail to renew SSL/TLS certificates on time.

SSL/TLS certificates are used to secure communication between two services, or between clients and your servers. SSL/TLS help ensure that information is sent between trusted entities by authenticating the server (and sometimes the client through mutual authentication). Then, traffic is encrypted before it is sent over the network, and only the trusted server can decrypt the traffic. This way sensitive data is protected from malicious entities who may intercept the traffic.

For security reasons, SSL/TLS certificates, are issued for only a set period of time (typically between 90 days and 1 year), and then have to be renewed. Once certificates are obtained, they are typically deployed in various locations that receive traffic for your apps, such as load balancers, and CDN services. Or for internal communication, developers generate self signed certificates, or certificates signed by internal PKI, and deploy these to various internal endpoints. What happens is that teams very often fail to keep track of where certificates are deployed and when they will expire, and then they experience outages, at a high cost.

To help address this issue, we have added notifications on expiring certificates as a new capability to IBM Cloud Certificate Manager. When you upload your third party certificates to Certificate Manager, and add a Slack web-hook for your Slack channel, Certificate Manager will send you Slack notifications at 90, 60, 30, 10, 1 days before your certificates expire. Certificate Manager will also send you notifications once your certificates expire, in case you didn’t remember to renew.

More broadly, Certificate Manager provides you with a secure repository for your SSL/TLS certificates and their associated private keys. Certificate Manager encrypts the certificates and keys, and uses key management best practices. You can configure access policies on specific certificates using IBM Cloud IAM capabilities, and actions performed on certificates and keys uploaded to Certificate Manager can be audited in IBM Cloud Activity Tracker. You can record additional metadata about certificates, such as where they should be deployed. Also, you can use the IBM Cloud Kubernetes CLI to securely deploy certificates to Kubernetes, or use Certificate Manager APIs to automate deployment to other endpoints.

Certificate Manager is available in US-South and is in Beta. Read docs here.

You can get help for technical questions at Stack Overflow, with the ‘ibm-certificate-manager’ tag, or for non technical questions at IBM developerworks with the ‘ibm-certificate-manager’ tag. For defect or support needs, use the support section in the IBM Cloud menu. We would love to hear your feedback!

To get started with Certificate Manager, check it out In the IBM Cloud catalog!

More Security stories

IBM Cloud Platform now adds support for Multi-Factor Authentication

In April 2018, IBM Cloud Platform added support for Multi-Factor Authentication (MFA). This adds an extra layer of security to users’ accounts by requiring all users to provide a time-based one-time passcode in addition to their standard IBMid and password when logging in. Having this option enables IT admins to rest a little easier knowing that they’re protecting their company’s network and workloads while keeping access flexible and easy.

Continue reading

Cloning an App ID instance configuration

With App ID, you can now manage your service instance with an API!

Continue reading

Securing Angular+Node.js Applications using App ID

One of the most common architectures of modern applications is Single Page Applications (SPAs), where a single HTML page interacts with a backend application via JavaScript to dynamically generate its content. In this blog, we look at how a single page application can integrate authentication and authorization via IBM Cloud App ID.

Continue reading