Now Available: Order Domain-Validated TLS Certificates with Single-Tenant IBM Cloud Secrets Manager


We're excited to announce that you can now use IBM Cloud Secrets Manager to order and centrally manage domain-validated TLS certificates from Let's Encrypt.

In a previous article, we shared how IBM Cloud Secrets Manager made it easier to manage all of your application secrets — including TLS certificates — in a single place. Today, we're excited to announce that you can now request TLS certificates from your trusted certificate authorities, while taking advantage of a powerful, single-tenant environment that provides data isolation and can scale to your needs. 

Automate your TLS certificate management

Protecting your domains depends on being able to reliably generate and retrieve your encrypted certificates from a trusted certificate authority. In addition to importing and managing certificates, you can now order certificates directly from your own Let's Encrypt account without leaving Secrets Manager. Simply connect your account and tell us what you need; we'll take it from there.


  • Connect to supported CAs and DNS providers: Enable connections between a Secrets Manager instance and your existing CA and DNS providers. In this release, you can connect your Secrets Manager instance to Let's Encrypt and order certificates for domains that you manage in IBM Cloud Internet Services or IBM Cloud classic infrastructure.
  • Order and automatically renew certificates: Request domain-validated Let's Encrypt certificates and enable automatic rotation so that your certificates never expire.
  • Define access with secret groups: Assign granular access to a group of certificates so that you can control who on your team, or which service ID, has access to them. 
  • Protect your certificates at rest: Manage encryption with a root key in IBM Key Protect or IBM Cloud Hyper Protect Crypto Services to enhance the security of your stored certificates and their private keys.
  • Monitor and audit activity: Track how users and applications interact with secrets in your instance by using IBM Cloud Activity Tracker.

When support for notifications becomes available in Q4 of 2021, we'll let you know so that you can start planning the next phase of your team's Secrets Manager-powered story. Stay tuned!

Ready to get started?

Start by provisioning an IBM Cloud Secrets Manager service instance in the IBM Cloud console. Because a dedicated instance of the service is provisioned, it can take a few minutes. While you wait, you can continue to work elsewhere in IBM Cloud, or you might consider learning more about the best practices for organizing secrets and assigning access.

If you're working from an existing instance, you can go to Secrets engines > Public certificates to prepare your instance for certificate ordering. 

  1. Define the certificate authority and DNS provider that you want to use:
  2. Use your defined configurations to order a certificate:

Need help? Check out the IBM Cloud documentation for detailed information about using Secrets Manager to order certificates.

Questions? Contact us

We’d love to hear from you. To send feedback, you can open a GitHub issue from a link at the top of any page in the documentation, open a support ticket or reach out directly through email. 

If you've made it this far and have more questions about Secrets Manager, we've got you! Check out our introductory blog on Secrets Manager or take a look at the FAQs.
