The process for uploading certs/keys to a CF custom domain is supported by both the UI (under manage orgs/domains) and the BX CLI (bx app domain-cert-add ...). But that process is often the source of errors and requires that the consumer of the custom domain be given the cert/key files to upload (and some teams restrict access to these files).
I've tested the differences in behavior and error checking between the cert upload process for a CF domain (UI and CLI) and that same process for the IBM Certificate Manager. The IBM Certificate Manager does a few more checks on the cert/key data (preventing bad combos/expired certs).
If the process of identifying and storing cert/key data for CF custom domains (which the UI/CLI does today to push them into the DataPower devices that support the custom domain request) were to allow us to point at a cert/key entry in an IBM Certificate Manager service instance created for the account, then you could allow reuse of certs from a single source (for other consumers, such as container-based apps) and CF apps and maybe even APIc. This would also improve the client experience:
- a cert loaded is done; configuring custom domains becomes easier as you just point at the existing cert already loaded.
- the IBM Certificate Manager UI is better at the load/check process
- the IBM Certificate Manager UI natively shows more information about the cert (when it expires) without having to open each individual cert that has been loaded.
Do not place IBM confidential, company confidential, or personal information into any field.