What should a truly practical CLM look like?March 2, 2026

Why has CLM become so urgent today? There are four main reasons:

• The Internet of Things (IoT) necessitates HTTPS, making large-scale management a necessity.
  From traditional web servers to mobile app backends, API gateways, IoT, connected vehicles, cloud containers, edge nodes, and even communication components in industrial control networks, every endpoint requires HTTPS encrypted transmission. A medium-sized enterprise may manage hundreds of certificates, while large groups or CII operators often face the distributed management of thousands or even tens of thousands of certificates. The purely manual ledger, table record, and manual renewal model is already overwhelmed, leading to frequent business interruptions due to missed renewals and misconfigurations.
• The 47-day validity period will become the new normal, leading to an exponential increase in operational pressure.
  The shortened certificate validity period to 47 days means monthly certificate renewals are necessary. For CII operators with a large number of certificates, this translates to almost daily certificate expiration. Automated renewal is no longer just an "efficiency improvement tool," but a core component of "business continuity assurance".
• With increasingly stringent compliance and auditing requirements.
  The Cybersecurity Law, Data Security Law, Cryptography Law, and the Regulations on the Security Protection of Critical Information Infrastructure all impose explicit requirements on encrypted communications. Standards such as Cybersecurity Classified Protection 2.0, ISO 27001, and PCI DSS also require the inventory, monitoring, and policy management of certificate assets. A CLM system provides a complete certificate inventory, status tracking, policy enforcement reports, and audit logs, making it an essential capability for compliance auditing.
• Addressing Future Security Threats in Quantum Computing.
  The development of quantum computers poses a potential threat to future public-key cryptography systems, and the "harvest now, decrypt later" security threat already exists. The global industry is migrating to post-quantum cryptography (PQC). This means that in the coming years, CII operators will face a complex scenario where traditional RSA/ECC/SM2 SSL certificates coexist with PQC SSL certificates, are deployed in a hybrid manner, and are gradually migrated. CLM systems must possess algorithmic agility and be able to smoothly support the certificate lifecycle management of both old and new algorithms; otherwise, future migration will be extremely costly.

Obviously not. For critical infrastructure operators such as governments, financial institutions, energy companies, transportation companies, and telecommunications companies, automatic certificate management is merely a fundamental component of their massive security transformation and upgrade projects. CII operators face a "complex security challenge", including but not limited to:

• Cryptographic compliance and global trust
  In accordance with relevant laws and regulations, CII systems must use SM2 algorithms for encryption and signing. This means that it is necessary to manage a dual-algorithm certificate system that simultaneously supports international algorithms (RSA/ECC) and the Chinese cryptographic algorithm (SM2), and ensure that it can serve the same or different business scenarios (such as browser adaptive compatibility), while meeting the application requirements of both cryptographic compliance and global trust.
• Post-quantum cryptography migration
  PQC migration is not only a strategic project that will last for several years and be implemented in stages, but also an urgent project that must begin now. CII operators need a unified platform capable of simultaneously managing RSA/ECC certificates, SM2 certificates, and future PQC certificates, with advanced capabilities such as canary releases and traffic scheduling. Furthermore, it needs the ability to smoothly migrate from hybrid PQC algorithms to pure PQC algorithms.
• Integrated security protection
  HTTPS encryption only solves transport layer security, but application layer threats such as OWASP Top 10 attacks, SQL injection, API abuse, and malicious crawlers still require protection from Web Application Firewall (WAF). Specifically, this protection should be for HTTPS encrypted traffic, not plaintext HTTP traffic. This necessitates that WAF devices also integrate automatic certificate management capabilities.
• Hybrid IT architectures
  CII operators’ IT assets often span traditional data centers, private clouds, public clouds, CDNs, and edge nodes. SSL certificates need to be deployed across multiple locations, including physical servers, load balancers, cloud WAFs, and CDN service providers. A lack of unified management can lead to "certificate silos" and security blind spots.
• High availability and high performance requirements
  Disruption of critical information infrastructure has a major impact. Certificate issuance, deployment, and renewal processes must be highly available and have low latency, and should not become a performance bottleneck, especially in high-concurrency scenarios.

ZoTrus CLM solution upgrades CLM from a "software solution" to a "hardware solution", employing an integrated hardware and software module on an HTTPS Automation Gateway. This brings three fundamental benefits :

• High reliability and high performance: High-performance cybersecurity hardware provides a stable computing environment and features a built-in hardware acceleration card for both SM2 and RSA/ECC algorithms, enabling high-performance processing of SSL/TLS handshakes and encryption/decryption. This far surpasses pure software solutions that only provide certificate management services; it can perform its own tasks (HTTPS encryption) and is an innovative product that can replace traditional SSL gateways that do not support automatic certificate management.
• Clear boundaries and easy deployment: Deployed as a physical gateway device at the network boundary or core area, it eliminates the need to install proxy software on every server, requires zero modification to the original web server, does not intrude on business systems, does not interrupt existing business operations, simplifies the architecture, enables seamless deployment, and greatly reduces the complexity of operation and maintenance.
• Self-contained security domain: The gateway device is based on a high-end cybersecurity hardware platform and features strong security reinforcement. It provides a built-in cryptographic card certified by commercial cryptographic products, ensuring secure management of ACME keys and SSL certificate private keys. All SSL certificate private keys remain within the gateway hardware, eliminating the risk of certificate private key leakage. This level of security far surpasses traditional methods of manually managing certificate private keys through multiple parties and channels.

• Hybrid PQC Algorithm: Immediately implement HTTPS encryption for critical core business systems that simultaneously support the hybrid PQC algorithm X25519MLKEM768 and SM2MLKEM768, prioritize the use of the PQC algorithm. And it works closely with ZT Browser to prioritize the use of the SM2MLKEM768 algorithm, while also meeting the cryptographic compliance and post-quantum cryptography migration needs for CII operators.
• Pure PQC Algorithm: Once PQC algorithm SSL certificates are fully supported by CAs and browsers, PQC algorithm SSL certificate management capabilities and pure PQC algorithm HTTPS encryption capabilities can be seamlessly added through free system upgrades.
• Traditional SM2/ECC/RSA algorithms: Not only do they support hybrid PQC algorithms, but they also prioritize the use of the SM2 algorithm for browsers that do not support the PQC algorithm, while being compatible with the traditional RSA/ECC algorithm for other browsers that do not support the PQC algorithm.
• Internet and Intranet SSL Certificates: Not only does it support automatic management of Internet SSL certificates, but it can also automatically manage intranet SSL certificates (bound to private IP addresses), achieving unified management and a unified security baseline for internal and external network business systems.

ZoTrus CLM solution goes beyond the scope of traditional CLM, deeply integrating the following security protection capabilities that CII systems must possess:

• Integrated WAF protection: While providing HTTPS encryption, it performs real-time application-layer security detection and protection on decrypted HTTP traffic, defending against common web threats such as SQL injection, XSS, and CC attacks. It achieves two goals at once and completely solves the problem that the traditional WAF devices deployed do not support certificate automation.
• Clustered and unified management: Through a central management platform, hundreds or thousands of distributed servers and gateway devices can be managed uniformly, along with the certificate status of all websites served by these devices, load balancers, and cloud CDN/WAF services. This achieves the most secure "one site, one key, one certificate" deployment management, completely eliminating the insecure deployment method of traditional manual certificate management where a single wildcard certificate and a single private key are shared everywhere.
• Full lifecycle visualization: Provides a cockpit-style visualization dashboard that displays a global map of certificate assets, expiration heatmap, compliance status, and algorithm distribution, and provides alerts, reports, and audit logs.

• Standalone gateway mode: Directly acts as a front-end gateway for web servers, providing HTTPS acceleration and offloading, automatic dual SSL certificate management, and WAF protection.
• Certificate management platform mode: Provides unified certificate provisioning and update services for existing network architectures (such as load balancers, web clusters) or CDN/WAF cloud services without changing the existing network topology.
• Hybrid cloud support: Supports deployment in physical data centers, private clouds, and public clouds; plug-and-play functionality; unified management of web service nodes and edge gateways; adaptable to complex hybrid IT architectures.

In summary, to meet the demands of shortened certificate validity periods, in-depth reconstruction of cryptographic compliance, and the looming threat of quantum mechanics, a truly practical CLM solution must possess the following characteristics:

• Automation and intelligence: Full-process automation with intelligent early warning and strategy self-healing capabilities.
• Cryptographic algorithm agility: It natively supports both traditional international and China algorithms, and also supports post-quantum cryptographic algorithms. It prioritizes the use of the SM2 hybrid PQC algorithm to achieve smooth PQC migration.
• Architecture integration: It can be seamlessly integrated with commonly used CDN/ WAF services to form a collaborative defense.
• Enterprise-level reliability: Meets the stringent requirements of critical business operations for high availability, high performance, and auditability.
• Hybrid environment adaptability: It can seamlessly manage multi-form certificate application assets across cloud, local, edge, and endpoint.