Security

Certificate Manager now Sends you Notifications before your Certificates Expire

Share this post:

Even the most successful or genius apps can fail if there are issues with availability. While development teams often engineer for availability, with lots of redundancy, health checks, and load balancing, sometimes outages occur because of simple human errors. One common error is that teams fail to renew SSL/TLS certificates on time.

SSL/TLS certificates are used to secure communication between two services, or between clients and your servers. SSL/TLS help ensure that information is sent between trusted entities by authenticating the server (and sometimes the client through mutual authentication). Then, traffic is encrypted before it is sent over the network, and only the trusted server can decrypt the traffic. This way sensitive data is protected from malicious entities who may intercept the traffic.

For security reasons, SSL/TLS certificates, are issued for only a set period of time (typically between 90 days and 1 year), and then have to be renewed. Once certificates are obtained, they are typically deployed in various locations that receive traffic for your apps, such as load balancers, and CDN services. Or for internal communication, developers generate self signed certificates, or certificates signed by internal PKI, and deploy these to various internal endpoints. What happens is that teams very often fail to keep track of where certificates are deployed and when they will expire, and then they experience outages, at a high cost.

To help address this issue, we have added notifications on expiring certificates as a new capability to IBM Cloud Certificate Manager. When you upload your third party certificates to Certificate Manager, and add a Slack web-hook for your Slack channel, Certificate Manager will send you Slack notifications at 90, 60, 30, 10, 1 days before your certificates expire. Certificate Manager will also send you notifications once your certificates expire, in case you didn’t remember to renew.

More broadly, Certificate Manager provides you with a secure repository for your SSL/TLS certificates and their associated private keys. Certificate Manager encrypts the certificates and keys, and uses key management best practices. You can configure access policies on specific certificates using IBM Cloud IAM capabilities, and actions performed on certificates and keys uploaded to Certificate Manager can be audited in IBM Cloud Activity Tracker. You can record additional metadata about certificates, such as where they should be deployed. Also, you can use the IBM Cloud Kubernetes CLI to securely deploy certificates to Kubernetes, or use Certificate Manager APIs to automate deployment to other endpoints.

Certificate Manager is available in US-South and is in Beta. Read docs here.

You can get help for technical questions at Stack Overflow, with the ‘ibm-certificate-manager’ tag, or for non technical questions at IBM developerworks with the ‘ibm-certificate-manager’ tag. For defect or support needs, use the support section in the IBM Cloud menu. We would love to hear your feedback!

To get started with Certificate Manager, check it out In the IBM Cloud catalog!

Offering Manager - Cloud Developer Services - Security

More Security stories
August 16, 2018

IBM Cloud Takes Action to Address Latest Security Vulnerabilities

IBM Cloud is taking precautionary measures on behalf of our clients to address potential security vulnerabilities made public on August 14, 2018. We recommend that all clients should back up all data from their virtual server instances.

Continue reading

August 14, 2018

How to Use Certificate Manager to Avoid Outages Using Callback URLs

Midnight Page Duty incidents are no fun. Now, IBM Cloud Certificate Manager can notify you in advance when your certificates are about to expire, helping you avoid downtime in your app.

Continue reading

August 1, 2018

New in App ID: More Ways to Authenticate Users in Your Apps

New capabilities have recently been launched in IBM Cloud App ID so you can give users more ways to sign up and sign in and enrich user profiles further.

Continue reading