Cloud Certificate Manager vs SSL service


Can you please help me understand the following concerns with respect to the IBM Cloud Certificate Manager service:

1) How does IBM Cloud Certificate Manager store the certificates behind the scenes? Is there an HSM or something else which acts as a backend for Certificate Manager? Any documentation/reference link would be of help. Please advise.

2) How is it different from the SSL service? For example, to apply TLS certificates on the IBM Cloud Load Balancer we get an option to upload the certificate/private key to the SSL service; ideally, shouldn't that be handled by Certificate Manager itself? Please help me understand the use case: when to use the SSL service vs Certificate Manager?


There are 3 answers

carmel On

Here are some answers. Hope they help:

1) In the IBM Cloud Certificate Manager service the SSL certificates and their associated private keys are stored encrypted in a database, not in an HSM. The root key used for encryption of the SSL private keys is stored in an HSM. The reason that the SSL private keys are not in an HSM is that ultimately the certificates and keys need to be deployed from Certificate Manager to endpoints that do SSL termination, where certificates are not kept in an HSM.

2) If you are referring to the SSL Certificates service in IBM Cloud - that service allows you to order SSL certificates from partner Certificate Authorities. The IBM Cloud Certificate Manager service is different - it is a service that serves as a secure repository for your certificates, and is a certificate life-cycle management tool - it sends you proactive notifications before your certificates expire to help you avoid outages, gives you visibility into the certificates you have and where they are in use (including private and client certificates that you store in Certificate Manager), and provides APIs to deploy the certificates to SSL termination points. In IBM Kubernetes Service or in IBM API Connect, you can directly select the certificate you want to deploy from Certificate Manager instead of uploading a certificate and key directly in those services. If you want to order a certificate you can do so from the SSL Certificates service, and then import it to and manage it in the Certificate Manager service.

I am part of the IBM Cloud Certificate Manager team.

vicky On

Another query: we have a requirement where our deployed pods in a K8s cluster need to access the keys stored in Certificate Manager. Is there a way we can achieve this using APIs? As per our understanding, we can make use of a K8s secret for deploying SSL certs over the Ingress controller, but we're not clear how to enable certificate access for pods deployed in K8s.

carmel On

Yes, you can use the IBM Kubernetes CLI: https://console.bluemix.net/docs/containers/cs_ingress.html#ingress - search for 'Certificate Manager' in the document.

Also see this blog for a tutorial: https://www.ibm.com/blogs/bluemix/2018/10/add-custom-domain-and-tls-certificate-to-your-secure-cloud-app/
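As an added example, not code from the thread or from IBM's documentation: a small shell script that copies a certificate from Certificate Manager into a Kubernetes TLS secret with the IBM Kubernetes Service CLI, checks that the secret landed with the expected type, and then mounts that same secret read-only into a pod. This is how workloads get the key material without calling Certificate Manager at runtime; the Ingress controller references the same secret by name. The cluster name, secret name and certificate CRN are placeholders, and the `ibmcloud ks alb-cert-deploy` command form and flags are assumed from the CLI of that period, so verify them against `ibmcloud ks help`.

```shell
#!/bin/sh
# Placeholders (assumptions): replace with your cluster, secret name and the
# CRN of the certificate as shown in the Certificate Manager UI or API.
CLUSTER="${CLUSTER:-my-cluster}"
SECRET_NAME="${SECRET_NAME:-my-tls-secret}"
CERT_CRN="${CERT_CRN:-crn:v1:bluemix:public:cloudcerts:PLACEHOLDER:certificate:PLACEHOLDER}"

# Step 1: have the IBM Kubernetes Service tooling pull the certificate and
# private key out of Certificate Manager into a namespaced TLS secret.
# Command form assumed from the CLI of the time; check `ibmcloud ks help`.
deploy_cert() {
  ibmcloud ks alb-cert-deploy --cluster "$CLUSTER" \
    --secret-name "$SECRET_NAME" --cert-crn "$CERT_CRN"
}

# Step 2: sanity check that the secret exists and is a TLS secret
# (kubernetes.io/tls carries tls.crt and tls.key).
verify_secret() {
  kubectl get secret "$SECRET_NAME" -o jsonpath='{.type}' \
    | grep -q '^kubernetes.io/tls$'
}

# Step 3: a pod that needs the certificate material mounts the same secret
# read-only at /etc/tls; $1 is the container image to run.
render_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: tls-client
spec:
  containers:
  - name: app
    image: $1
    volumeMounts:
    - name: tls
      mountPath: /etc/tls
      readOnly: true
  volumes:
  - name: tls
    secret:
      secretName: $SECRET_NAME
EOF
}
```

Run `deploy_cert && verify_secret && render_pod your-image | kubectl apply -f -` once logged in to the cluster; rotate the secret by re-running the deploy step when Certificate Manager notifies you of an upcoming expiry.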