Introducing IBM zSecure Secret Manager: Streamlining certificate lifecycle management to IBM z/OS

Available 19 June 2026, IBM zSecure Secret Manager enables organizations to move from manual, fragmented certificate processes to policy-driven automation of certificate renewal to reduce operational overhead

Certificates are critical to securing systems and ensuring trust, and without a reliable renewal process, organizations face heightened risk of service outages and the growing operational burden of manual certificate management.

Across the enterprise, organizations are standardizing on centralized secrets management platforms to manage credentials, keys and certificates. Enterprise Secrets platforms like IBM Vault Self-Managed for Z and LinuxONE provide a system of record for secrets, enabling secure issuance, storage and lifecycle control across applications and environments.

However, in many IBM z/OS environments, certificate lifecycle management still relies on manual, application-specific processes:

• Certificates are tracked independently across systems and teams
• Renewal workflows require coordination between application owners and certificate authorities
• Credentials and secrets are often duplicated across environments, increasing risk and complexity

At the same time, certificate lifespans are rapidly shrinking, increasing the frequency of renewal events.

This creates a gap: while organizations are modernizing secrets management centrally, certificate lifecycle execution has not kept pace.

IBM zSecure Secret Manager looks to address this gap by extending certificate management strategies directly into IBM z/OS environments.

Working with IBM Vault Self-Managed for Z and LinuxONE, the solution enables:

• Secured authentication and integration with IBM Vault Self-Managed for Z and LinuxONE for certificate renewal
• Policy-driven, automated certificate renewal through IBM Vault Self-Managed for Z and LinuxONE’s PKI secrets engine
• Centralized alignment with enterprise PKI strategies

IBM Vault Self Managed for Z and LinuxONE serves as the central authority for certificate and secrets management, while IBM zSecure Secret Manager ensures that certificates are automatically renewed and applied within IBM z/OS—eliminating the need for manual intervention.

By combining IBM Vault Self-Managed for Z and LinuxONE based certificate management with automated lifecycle execution on IBM Z, organizations can:

• Eliminate manual certificate renewal processes: Replace fragmented workflows with automated, policy-driven lifecycle management
• Scale with shrinking certificate lifespans: Support the transition to short-lived certificates without increasing operational burden
• Extend enterprise certificate management strategies to IBM Z: Integrate with IBM Vault Self-Managed for Z and LinuxONE as the Certificate Authority (CA)
• Address certificate-driven outages: Automatically renew certificates before expiration, addressing a common source of downtime

Future plans include designing and delivering several additional functionalities to IBM zSecure Secret Manager, such as:

• ACME protocol support for external Certificate Authorities (CAs)
• Certificate discovery on z/OS across multiple keystores
• Automated certificate deployment functionality
• Centralized secret management with Vault Self-Managed on Z and LinuxONE

These functionalities are intended to further simplify overall secret management on z/OS, including the upcoming industry shift for Transport Layer Security (TLS) certificate renewal every 47 days.¹

IBM zSecure Secret Manager brings IBM z/OS into the modern secrets management architecture—connecting it with IBM Vault Self-Managed for Z and LinuxONE and enabling automated certificate renewal.

IBM zSecure Secret Manager will be generally available from 19 June 2026.

As organizations move toward centralized secrets strategies and shorter certificate lifecycles, this integration empowers z/OS environments’ participation for greater efficiencies.  

Read the announcement letter