Share this post:
Even the most successful or genius apps can fail if there are issues with availability. While development teams often engineer for availability, with lots of redundancy, health checks, and load balancing, sometimes outages occur because of simple human errors. One common error is that teams fail to renew SSL/TLS certificates on time.
SSL/TLS certificates are used to secure communication between two services, or between clients and your servers. SSL/TLS help ensure that information is sent between trusted entities by authenticating the server (and sometimes the client through mutual authentication). Then, traffic is encrypted before it is sent over the network, and only the trusted server can decrypt the traffic. This way sensitive data is protected from malicious entities who may intercept the traffic.
For security reasons, SSL/TLS certificates, are issued for only a set period of time (typically between 90 days and 1 year), and then have to be renewed. Once certificates are obtained, they are typically deployed in various locations that receive traffic for your apps, such as load balancers, and CDN services. Or for internal communication, developers generate self signed certificates, or certificates signed by internal PKI, and deploy these to various internal endpoints. What happens is that teams very often fail to keep track of where certificates are deployed and when they will expire, and then they experience outages, at a high cost.
To help address this issue, we have added notifications on expiring certificates as a new capability to IBM Cloud Certificate Manager. When you upload your third party certificates to Certificate Manager, and add a Slack web-hook for your Slack channel, Certificate Manager will send you Slack notifications at 90, 60, 30, 10, 1 days before your certificates expire. Certificate Manager will also send you notifications once your certificates expire, in case you didn’t remember to renew.
More broadly, Certificate Manager provides you with a secure repository for your SSL/TLS certificates and their associated private keys. Certificate Manager encrypts the certificates and keys, and uses key management best practices. You can configure access policies on specific certificates using IBM Cloud IAM capabilities, and actions performed on certificates and keys uploaded to Certificate Manager can be audited in IBM Cloud Activity Tracker. You can record additional metadata about certificates, such as where they should be deployed. Also, you can use the IBM Cloud Kubernetes CLI to securely deploy certificates to Kubernetes, or use Certificate Manager APIs to automate deployment to other endpoints.
Certificate Manager is available in US-South and is in Beta. Read docs here.
You can get help for technical questions at Stack Overflow, with the ‘ibm-certificate-manager’ tag, or for non technical questions at IBM developerworks with the ‘ibm-certificate-manager’ tag. For defect or support needs, use the support section in the IBM Cloud menu. We would love to hear your feedback!
To get started with Certificate Manager, check it out In the IBM Cloud catalog!