Provided TLS certificates for Code Engine projects
Code Engine applications and functions can be public to the internet, or private inside IBM Cloud. In both cases, your application or function is served as an HTTPS endpoint under codeengine.appdomain.cloud. Code Engine provides the TLS certificate for the encryption and regularly rotates it.
About certificates
A certificate authority (CA) typically signs the TLS certificates that are used on the internet. That way, client applications throughout the world (such as browsers) need to trust only the small set of CA root certificates, and they do not require any knowledge of the certificates of the millions of individual sites that exist on the internet.
Certificate authorities usually have only a few so-called root certificates, sometimes just one per algorithm (RSA or elliptic curves). They are often valid for more than 10 or even 20 years. Certificate authorities use the private key of those root certificates to sign their own intermediate certificates. Those intermediate certificates have a much shorter validity period, and their private keys are used to sign the leaf certificates that are issued to users.
User devices come with truststores, which contain the root certificates of all the audited and certified certificate authorities. Operating systems usually provide a truststore that all installed programs can use. Some browsers, such as Google Chrome or Mozilla Firefox, ship their own truststores.
Code Engine certificates and their certificate authority
Code Engine configures one certificate per project. The certificate uses a wildcard hostname and therefore applies to all applications and functions that are deployed in that project. The certificates are valid for 90 days; Code Engine automatically renews them at least ten days before their expiration.
Let's Encrypt as the certificate authority
Code Engine uses Let's Encrypt as the certificate authority to sign Code Engine certificates; these certificates use the RSA algorithm. Therefore, the root certificate of the certificate chain is ISRG Root X1. Any truststore that contains this certificate can be used to access Code Engine. For a list of operating systems and browser versions that trust ISRG Root X1, see https://letsencrypt.org/docs/certificate-compatibility/#platforms-that-trust-isrg-root-x1.
If you use older versions of browsers or operating systems, then download ISRG Root X1 from https://letsencrypt.org/certificates/. Install it in the relevant truststore by following the instructions of your browser or operating system vendor.
If you want to build your own truststore, trust ISRG Root X1, which you can download from https://letsencrypt.org/certificates/.
Need more control?
Let's Encrypt is a public certificate authority from which anybody can obtain certificates for domains they control. Therefore, trusting ISRG Root X1 means trusting the certificates issued for all of those domains, not just your own.
If you need to trust only your own application, then use custom domain mappings, which give you full control over when you issue and renew the certificate of your own domain. You can set up your client application to trust only the leaf certificate for your domain. You need a process for certificate renewals so that you can switch to a new certificate in the domain mapping’s TLS secret and in your client without communication issues. Typically, you first issue the new certificate. Next, you add it to the client’s truststore. After you update the TLS secret in your Code Engine project to the new certificate and key, you can remove the old certificate from the client’s truststore.
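The renewal order described above (pin the new leaf certificate in the client first, then update the TLS secret, then remove the old certificate) is what keeps the client from failing handshakes during a rotation. The following Python example, added here and not part of the Code Engine documentation or product, models that procedure with SHA-256 fingerprint pinning. The "certificates" are constructed byte strings standing in for DER-encoded certificates, and `DomainMapping` is a hypothetical stand-in for the domain mapping's TLS secret; in a real client the DER bytes would come from `sock.getpeercert(binary_form=True)` after the TLS handshake.

```python
"""Leaf-certificate pinning with an overlapping rotation window.

Added example; not Code Engine code. Certificates are constructed
stand-in byte strings. In a real client the DER bytes come from
ssl.SSLSocket.getpeercert(binary_form=True) after the handshake.
"""
import hashlib


def fingerprint(cert_der):
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


class PinnedClient:
    """A client that trusts only the leaf certificates it has pinned."""

    def __init__(self, *certs_der):
        self.pins = {fingerprint(c) for c in certs_der}

    def add_pin(self, cert_der):
        self.pins.add(fingerprint(cert_der))

    def remove_pin(self, cert_der):
        self.pins.discard(fingerprint(cert_der))

    def accepts(self, presented_der):
        """True if the presented leaf certificate matches a pinned fingerprint."""
        return fingerprint(presented_der) in self.pins


class DomainMapping:
    """Hypothetical stand-in for the domain mapping's TLS secret:
    the certificate the server presents for the custom domain."""

    def __init__(self, cert_der):
        self.cert = cert_der

    def update_tls_secret(self, cert_der):
        self.cert = cert_der


def rotate_with_overlap(client, mapping, new_cert):
    """Recommended order: pin new cert, switch the server, unpin old cert.
    Returns the handshake outcome after each step (all True = no outage)."""
    old_cert = mapping.cert
    outcomes = []
    client.add_pin(new_cert)              # 1. client trusts old and new
    outcomes.append(client.accepts(mapping.cert))
    mapping.update_tls_secret(new_cert)   # 2. server switches to new
    outcomes.append(client.accepts(mapping.cert))
    client.remove_pin(old_cert)           # 3. client drops the old pin
    outcomes.append(client.accepts(mapping.cert))
    return outcomes


def rotate_server_first(client, mapping, new_cert):
    """Wrong order: the server switches before the client knows the new
    certificate, so the first handshake after the switch fails."""
    old_cert = mapping.cert
    outcomes = []
    mapping.update_tls_secret(new_cert)   # server already presents new cert
    outcomes.append(client.accepts(mapping.cert))   # False: outage window
    client.add_pin(new_cert)
    outcomes.append(client.accepts(mapping.cert))
    client.remove_pin(old_cert)
    outcomes.append(client.accepts(mapping.cert))
    return outcomes


# Constructed stand-ins for DER certificate bytes (not real certificates).
OLD_CERT = b"constructed-der-bytes-of-old-leaf-certificate"
NEW_CERT = b"constructed-der-bytes-of-new-leaf-certificate"

if __name__ == "__main__":
    good = rotate_with_overlap(PinnedClient(OLD_CERT), DomainMapping(OLD_CERT), NEW_CERT)
    bad = rotate_server_first(PinnedClient(OLD_CERT), DomainMapping(OLD_CERT), NEW_CERT)
    print("client-first rotation:", good)   # [True, True, True]
    print("server-first rotation:", bad)    # [False, True, True]
```

Pinning by fingerprint of the DER bytes means the client accepts exactly the certificates you issued and nothing else, which is the "trust only the leaf certificate" setup described above; the price is that every renewal must follow the client-first order shown, or connections fail until the client is updated.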