Preparing to order public certificates

You can enable your IBM Cloud® Secrets Manager service instance to order certificates by configuring the public certificates engine.

In Secrets Manager, the public certificates engine serves as the back end for the public_cert secret type. Public certificates are domain-validated TLS certificates that you can order and manage in the service. Before you can order a certificate, you must enable your service instance by connecting supported certificate authorities (CAs) and DNS providers.

Ordering a certificate through Secrets Manager is an asynchronous process that can take a few minutes to complete.

Supported certificate authorities

A certificate authority (CA) is an entity that issues digital certificates. You can connect the following certificate authorities with your Secrets Manager service instance.

Table 1. Certificate authority options

Authority: Let's Encrypt
Description: Let's Encrypt is a free, automated, ACME-based certificate authority that provides domain-validated certificates that are valid for 90 days. It is a service that is provided by the Internet Security Research Group (ISRG).

Creating a Let's Encrypt ACME account

To connect with Let's Encrypt, Secrets Manager uses the Automatic Certificate Management Environment (ACME) protocol. The ACME protocol makes it possible to automatically obtain browser-trusted certificates from a certificate authority without human intervention.

You can grant service access to Let's Encrypt by registering an ACME account and providing your account credentials. If you have a working ACME client or account for Let's Encrypt, you can use your existing private key. If you don't have an account yet, you can create one by using the ACME account creation tool.

Certificate authorities can apply a charge when you are ordering or renewing a certificate. Additionally, various rate limits apply. Secrets Manager does not control costs or rate limits that are associated with ordering certificates. For more information about rate limits to keep in mind as you order Let's Encrypt certificates, check out the Let's Encrypt documentation.
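To show concretely what the ACME exchange described above asks of your DNS provider, the following added example (not code from IBM Cloud or Secrets Manager) derives the DNS-01 validation record as an ACME client does: the JWK thumbprint of the account key (RFC 7638), the key authorization token.thumbprint, and the base64url SHA-256 value that must be published as a TXT record at _acme-challenge.<domain> (RFC 8555 section 8.4). This is why the DNS provider configurations later on this page need permission to manage TXT records. The account key and challenge token below are constructed sample values, not real credentials; the example also handles the wildcard case, where the record is published at the base domain.

```python
"""
Added example (not IBM Cloud or Secrets Manager code): how an ACME client
derives the DNS-01 validation record that a DNS provider must publish.
Follows RFC 8555 section 8.4 (DNS-01 challenge) and RFC 7638 (JWK thumbprint).
"""
import base64
import hashlib
import json

# Constructed sample values only: not a real account key and not a real token.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires (RFC 8555 section 4.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    serialized in lexicographic key order with no whitespace. Private
    members such as "d" are never part of the thumbprint."""
    required = {
        "EC": ("crv", "kty", "x", "y"),
        "RSA": ("e", "kty", "n"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """Return (record_name, txt_value) for a DNS-01 challenge.

    The CA issues `token`; the client binds it to its account key by hashing
    "<token>.<thumbprint>" and publishes the digest under _acme-challenge.
    For a wildcard identifier (*.example.com) the record goes at the base
    domain (RFC 8555 section 7.1.3), so the leading "*." is stripped."""
    base_domain = domain[2:] if domain.startswith("*.") else domain
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    txt_value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{base_domain}", txt_value


def ca_would_accept(published_txt: list[str], expected_txt: str) -> bool:
    """Simulate the CA's validation step: at least one TXT record at the
    challenge name must match the expected value exactly. Unrelated TXT
    records at the same name (for example SPF) do not cause a failure."""
    return any(record == expected_txt for record in published_txt)


if __name__ == "__main__":
    name, value = dns01_record("example.com", SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(f"Publish TXT record {name} = {value}")
    print("CA check passes:", ca_would_accept([value], value))
```

Because the thumbprint is bound to the account key, the TXT value is only meaningful for the account that holds the corresponding private key; rotating the ACME account key changes every challenge value, which is worth remembering if you replace the private key you registered with Secrets Manager.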

Supported DNS providers

A DNS provider is the service that is used to manage the domains that you own. You can connect the following DNS providers with your Secrets Manager service instance.

Table 2. DNS provider options

DNS provider: IBM Cloud Internet Services
Description: IBM Cloud® Internet Services (CIS), powered by Cloudflare, provides a fast, highly performant, reliable, and secure internet service for customers who are running their business on IBM Cloud.

DNS provider: IBM Cloud classic infrastructure
Description: IBM Cloud® Domain Name Registration, available as part of IBM Cloud classic infrastructure (SoftLayer), offers a central location from which to view and manage domains.

DNS provider: Manual DNS providers
Description: If your DNS provider is not IBM Cloud Internet Services or IBM Cloud Domain Name Registration, you can connect your Secrets Manager to your DNS provider manually.

Granting service access to CIS

If you manage your domains in Cloud Internet Services (CIS), you must assign access to Secrets Manager so that it can validate the ownership of your domains. To authorize Secrets Manager to manage a CIS instance and its domains, you can create an authorization between the services.

If you're working with a CIS instance that is located in another account, you can also use an API key to manage access. For more information, see Granting service access by using an API key.

Granting service access by using a service authorization

You can grant Secrets Manager the ability to access your CIS instance and all of its domains by creating a service authorization between the services.

To create a service authorization, you can use the Access (IAM) section of the console.

The figure shows a simplified IAM dashboard with numbered steps for creating an authorization between Secrets Manager and Cloud Internet Services. The steps are described in the following text.
Figure 1. Creating a service authorization between Secrets Manager and CIS

  1. In the console, click Manage > Access (IAM), and select Authorizations.

  2. Click Create.

  3. Select a source account for the authorization.

  4. Select a source and target service for the authorization.

    1. From the Source service list, select Secrets Manager.
    2. From the Target service list, select Internet Services.

  5. Specify a service instance for both the source and the target.

  6. Select the Manager role. With these permissions, your Secrets Manager instance can manage the CIS instance and its domains.

  7. Optional: To grant access to a specific domain, select Resources based on selected attributes and provide the Domain ID for the CIS instance.

    For production environments, it is recommended that you assign access only to the specific domains.

  8. Click Authorize.

  9. Complete the steps to add a certificate authority configuration to your Secrets Manager instance.

Granting service access for another account

If the CIS instance that you'd like to access is located in another account, you can create an authorization between the services by providing an API key. You need the Cloud Resource Name (CRN) of the CIS instance that contains your domains, and an API key with the correct level of access to your instance. The API key must grant Secrets Manager the ability to view the CIS instance, access its domains, and manage TXT records.

If the CIS instance is located in an account that allows access to only specific IP addresses, you must also update the IP address restrictions in the account to allow incoming requests from Secrets Manager. For more information, see Managing access with context-based restrictions.

To assign access, you can use the Access (IAM) section of the console.

  1. Log in to the account in which your CIS instance is located.

  2. Click Manage > Access (IAM), and select Service IDs.

  3. Create a service ID API key or select an existing one.

  4. Assign the required access to view the CIS instance, access its domains, and manage TXT records.

    1. In the row of the service ID, click the Actions icon > Assign access.
    2. Click the Access policy tile.
    3. From the list of services, select Internet Services and click Next.
    4. Select Resources based on selected attributes.
    5. In the Service instance field, select your CIS instance.
    6. In the Roles and actions section, select the Manager role. If you want to grant the service ID the ability to access the CIS instance from the Resource list in the IBM Cloud console, you can also assign the Viewer platform role.
    7. Click Review > Add > Assign to complete the access assignment.
  5. Complete the steps to add a DNS configuration to your Secrets Manager instance.

Granting service access to classic infrastructure

If you manage domains by using classic infrastructure, you must grant service access to its DNS service so that Secrets Manager can validate the ownership of your domains. You need your classic infrastructure account credentials before you can grant access.

To obtain your classic infrastructure username and API key, you can use the Access (IAM) section of the console.

You can view and access your classic infrastructure credentials from the Access (IAM) section of the console only if you are a classic infrastructure user. If you do not have classic infrastructure access, the VPN username and classic infrastructure API key fields do not display on the page. For more information, see Managing classic infrastructure access.

The figure shows a simplified IAM dashboard with numbered steps for viewing your classic infrastructure username and API key. The steps are described in the following text.
Figure 2. Viewing your classic infrastructure username and API key

  1. In the console, go to Manage > Access (IAM) > Users, then select the user's name.

  2. In the VPN password section, copy the Username value.

    In most cases, your classic infrastructure username is your <account_id>_<email_address>. This username is also your VPN username for the account.

  3. In the API keys section, create a classic infrastructure API key or find your existing key.

  4. Click the Actions icon > Details to copy the API key value.

  5. Assign your user permissions to manage DNS in the account.

    For more information about managing classic infrastructure access, see Classic infrastructure permissions.

    1. Click the Classic infrastructure tab to manage your classic infrastructure permissions.
    2. In the Services section, ensure that the Manage DNS permission is selected.
  6. Complete the steps to add a DNS configuration to your Secrets Manager instance.

Next steps

Now you're ready to add engine configurations to your instance.

First, add a certificate authority configuration, then add a DNS provider configuration.