You can enable your IBM Cloud® Secrets Manager service instance to order certificates by configuring the public certificates engine.
In Secrets Manager, the public certificates engine serves as the back end for the public_cert secret type. Public certificates are domain-validated TLS certificates that you can order and manage in the service. Before you can order a certificate, you must enable your service instance by connecting a supported certificate authority (CA) and a supported DNS provider: the CA issues the certificate, and the DNS provider is where Secrets Manager proves that you control the domain.
Ordering a certificate through Secrets Manager is an asynchronous process that can take a few minutes to complete.
Supported certificate authorities
A certificate authority (CA) is an entity that issues digital certificates. You can connect the following certificate authorities with your Secrets Manager service instance.
Let's Encrypt is a free, automated, ACME-based certificate authority that issues domain-validated certificates that are valid for 90 days. It is operated by the Internet Security Research Group (ISRG).
Creating a Let's Encrypt ACME account
To connect with Let's Encrypt, Secrets Manager uses the Automatic Certificate Management Environment (ACME) protocol. ACME makes it possible to obtain browser-trusted certificates from a certificate authority automatically, without human intervention.
You grant service access to Let's Encrypt by registering an ACME account and providing the account's private key to Secrets Manager. If you already have a working ACME client or account for Let's Encrypt, you can use its existing private key. If you don't have an account yet, you can create one by using the ACME account creation tool. Treat the account private key as a credential: every ACME request is signed with it, so anyone who holds it can act as your account toward the CA.
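The following Go program is an added example, not part of this page or of the Secrets Manager service, that shows what the ACME account key you hand to Secrets Manager is used for: it generates a P-256 account key, signs a newAccount request in the flattened JWS form that RFC 8555 requires, verifies that signature the way a CA would, and computes the dns-01 TXT record value that the account key and the challenge token bind together. That last value is why the DNS provider authorizations described later on this page need permission to manage TXT records. The nonce, the newAccount URL (https://acme.example/acme/new-acct), the contact address and the token "tok123" are constructed stand-ins; a real client obtains them from the CA's newNonce endpoint, directory and order.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// b64 is the unpadded base64url encoding that JWS and ACME (RFC 8555) use.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newAccountKey generates a P-256 ACME account key: keep the private half
// (this is what Secrets Manager is configured with); the public half goes into newAccount.
func newAccountKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// jwk renders the public key as the JSON Web Key carried in the "jwk" protected
// header of newAccount; coordinates are fixed 32-byte big-endian.
func jwk(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{"crv": "P-256", "kty": "EC",
		"x": b64(pub.X.FillBytes(make([]byte, 32))), "y": b64(pub.Y.FillBytes(make([]byte, 32)))}
}

// thumbprint is the RFC 7638 JWK thumbprint: SHA-256 over the required members in
// lexicographic order with no whitespace. json.Marshal sorts map keys, giving exactly that form.
func thumbprint(pub *ecdsa.PublicKey) string {
	raw, _ := json.Marshal(jwk(pub))
	sum := sha256.Sum256(raw)
	return b64(sum[:])
}

// signJWS wraps an ACME request body in the flattened JWS the protocol requires.
// newAccount authenticates with the key itself ("jwk"); later requests name the
// account URL ("kid") instead. The server-issued nonce defeats replay.
func signJWS(key *ecdsa.PrivateKey, nonce, url string, payload any) (map[string]string, error) {
	protected, err := json.Marshal(map[string]any{
		"alg": "ES256", "jwk": jwk(&key.PublicKey), "nonce": nonce, "url": url})
	if err != nil {
		return nil, err
	}
	body, err := json.Marshal(payload)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(b64(protected) + "." + b64(body)))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	// ES256 signatures are the raw R||S pair (32 bytes each), not ASN.1 DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return map[string]string{"protected": b64(protected), "payload": b64(body), "signature": b64(sig)}, nil
}

// verifyJWS does what the CA does on receipt: take the key from the protected
// header and check the signature over protected "." payload.
func verifyJWS(jws map[string]string) (bool, error) {
	protected, err := base64.RawURLEncoding.DecodeString(jws["protected"])
	if err != nil {
		return false, err
	}
	var hdr struct {
		Alg string            `json:"alg"`
		Jwk map[string]string `json:"jwk"`
	}
	if err := json.Unmarshal(protected, &hdr); err != nil {
		return false, err
	}
	xb, errX := base64.RawURLEncoding.DecodeString(hdr.Jwk["x"])
	yb, errY := base64.RawURLEncoding.DecodeString(hdr.Jwk["y"])
	sig, errS := base64.RawURLEncoding.DecodeString(jws["signature"])
	if hdr.Alg != "ES256" || hdr.Jwk["crv"] != "P-256" || errX != nil || errY != nil || errS != nil || len(sig) != 64 {
		return false, fmt.Errorf("unsupported algorithm or malformed key/signature")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(jws["protected"] + "." + jws["payload"]))
	return ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])), nil
}

// dns01TXT is the value the DNS provider must publish at _acme-challenge.<domain>
// for a dns-01 challenge: base64url(SHA-256(token "." thumbprint)). It is bound
// to the account key, so only the account that placed the order can satisfy it.
func dns01TXT(token string, pub *ecdsa.PublicKey) string {
	sum := sha256.Sum256([]byte(token + "." + thumbprint(pub)))
	return b64(sum[:])
}

func main() {
	key, _ := newAccountKey()
	// Nonce and URL are constructed stand-ins; a real client fetches the nonce
	// from newNonce and the URL from the CA directory. The token comes from the order.
	jws, _ := signJWS(key, "constructed-nonce", "https://acme.example/acme/new-acct",
		map[string]any{"termsOfServiceAgreed": true, "contact": []string{"mailto:admin@example.com"}})
	ok, _ := verifyJWS(jws)
	fmt.Printf("%v\nverifies: %v\n_acme-challenge TXT: %s\n", jws, ok, dns01TXT("tok123", &key.PublicKey))
}
```

The two checks worth noticing are in verifyJWS: the signature must be exactly 64 bytes (raw R||S, not DER), and the key is taken from the protected header rather than from anywhere else, which is why a newAccount request is self-authenticating and why possession of the private key is equivalent to possession of the account.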
Certificate authorities can apply a charge when you are ordering or renewing a certificate. Additionally, various rate limits apply. Secrets Manager does not control costs or rate limits that are associated with ordering certificates. For
more information about rate limits to keep in mind as you order Let's Encrypt certificates, check out the Let's Encrypt documentation.
Supported DNS providers
A DNS provider is the service that is used to manage the domains that you own. You can connect the following DNS providers with your Secrets Manager service instance.
IBM Cloud® Internet Services (CIS), powered by Cloudflare, provides a fast, highly performant, reliable, and secure internet service for customers who are running their business on IBM Cloud.
IBM Cloud® Domain Name Registration, available as part of IBM Cloud classic infrastructure (SoftLayer), offers a central location from which to view and manage domains.
If your DNS provider is not IBM Cloud Internet Services or IBM Cloud Domain Name Registration, you can connect your Secrets Manager to your DNS provider manually.
Granting service access to CIS
If you manage your domains in Cloud Internet Services (CIS), you must grant Secrets Manager access to the instance so that it can validate ownership of your domains by creating DNS records. To authorize Secrets Manager to manage a CIS instance and its domains, you can create a service-to-service authorization.
If the CIS instance is located in another account, you can use an API key to manage access instead. For more information, see Granting service access by using an API key.
Granting service access by using a service authorization
You can grant Secrets Manager the ability to access your CIS instance and all of its domains by creating a service authorization between the services.
To create a service authorization, you can use the Access (IAM) section of the console.
In the console, click Manage > Access (IAM), and select Authorizations.
Click Create.
Select a source account for the authorization.
Select a source and target service for the authorization.
From the Source service list, select Secrets Manager.
From the Target service list, select Internet Services.
Specify a service instance for both the source and the target.
Select the Manager role. With these permissions, your Secrets Manager instance can manage the CIS instance and its domains.
Optional: To grant access to a specific domain, select Resources based on selected attributes and provide the Domain ID for the CIS instance.
For production environments, scope the authorization to the specific domains that Secrets Manager needs to validate rather than to the whole CIS instance: the Manager role on the instance lets Secrets Manager change records in every domain that the instance hosts.
Granting service access by using an API key
If the CIS instance that you'd like to access is located in another account, you can connect the services by providing an API key. You need the Cloud Resource Name (CRN) of the CIS instance that contains your domains, and an API key for a service ID in that account with the correct level of access to the instance. The API key must grant Secrets Manager the ability to view the CIS instance, access its domains, and manage TXT records.
If the CIS instance is located in an account that allows access to only specific IP addresses, you must also update the IP address restrictions in the account to allow incoming requests from Secrets Manager. For more information, see
Managing access with context-based restrictions.
To assign access, you can use the Access (IAM) section of the console.
Log in to the account in which your CIS instance is located.
Click Manage > Access (IAM), and select Service IDs.
Locate the service ID whose API key you plan to provide to Secrets Manager, and assign it the access that is required to view the CIS instance, access its domains, and manage TXT records.
In the row of the service ID, click the Actions icon > Assign access.
Click the Access policy tile.
From the list of services, select Internet Services and click Next.
Select Resources based on selected attributes.
In the Service instance field, select your CIS instance.
In the Roles and actions section, select the Manager role. If you want to grant the service ID the ability to access the CIS instance from the Resource list in the IBM Cloud console, you can also assign the Viewer platform role.
Click Review > Add > Assign to complete the access assignment.
If you manage domains by using classic infrastructure, you must grant service access to its DNS service so that Secrets Manager can validate the ownership of your domains. You need your classic infrastructure account credentials before you
can grant access.
To obtain your classic infrastructure username and API key, you can use the Access (IAM) section of the console.
You can view and access your classic infrastructure credentials from the Access (IAM) section of the console only if you are a classic infrastructure user. If you do not have classic infrastructure access, the VPN username
and classic infrastructure API key fields do not display on the page. For more information, see Managing classic infrastructure access.
In the console, go to Manage > Access (IAM) > Users, then select the user's name.
In the VPN password section, copy the Username value.
In most cases, your classic infrastructure username is your <account_id>_<email_address>. This username is also your VPN username for the account.