Technical Architecture

SSL-CLM is built on a modular, service-oriented architecture designed for scalability, extensibility, and secure enterprise deployment.


SSL-CLM consists of four primary layers:

  1. Web Interface – Centralized management UI
  2. Core API Services – Certificate lifecycle orchestration
  3. Integration Layer (SPI Model) – Pluggable CA, store, and discovery connectors
  4. Agent Layer (Optional) – Secure execution on managed hosts

SSL-CLM uses a modular, service-oriented architecture with pluggable integrations:

┌─────────────────────────────────────────────────────────────┐
│                      Web UI (Angular)                       │
└────────────────────────────┬────────────────────────────────┘
                             │ HTTPS/REST
┌────────────────────────────▼────────────────────────────────┐
│                  API Gateway (Spring Boot)                  │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐       │
│  │ Certificate  │  │  Discovery   │  │   Workflow   │       │
│  │   Service    │  │   Service    │  │    Engine    │       │
│  └──────────────┘  └──────────────┘  └──────────────┘       │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐       │
│  │    Policy    │  │  Reporting   │  │  Scheduler   │       │
│  │    Engine    │  │   Service    │  │   Service    │       │
│  └──────────────┘  └──────────────┘  └──────────────┘       │
└────────────────────────────┬────────────────────────────────┘
┌────────────────────────────▼────────────────────────────────┐
│                    SPI Integration Layer                    │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐       │
│  │  CAGateway   │  │  CertStore   │  │  Discovery   │       │
│  │     SPI      │  │     SPI      │  │  Source SPI  │       │
│  └──────────────┘  └──────────────┘  └──────────────┘       │
└─────────┬──────────────────┬──────────────────┬─────────────┘
          │                  │                  │
┌─────────▼────────┐ ┌───────▼────────┐  ┌──────▼──────────┐
│ Microsoft ADCS   │ │ Windows Store  │  │ Network Scan    │
│ DigiCert         │ │ Java Keystore  │  │ Cloud APIs      │
│ Entrust          │ │ Azure KeyVault │  │ Agent-Based     │
│ Sectigo          │ │ AWS Secrets    │  │ Discovery       │
└──────────────────┘ └────────────────┘  └─────────────────┘
          │                  │                  │
┌─────────▼──────────────────▼──────────────────▼─────────────┐
│                     Database (MongoDB)                      │
│    Certificates | Hosts | Agents | Policies | Audit Logs    │
└─────────────────────────────────────────────────────────────┘

The platform includes:

  • Certificate Service – Inventory and lifecycle state management
  • Discovery Engine – Automated certificate detection
  • Workflow Engine – Enrollment, deployment, renewal orchestration
  • Policy Engine – Cryptographic policy enforcement
  • Reporting Service – Risk, compliance, and expiration reporting
  • Scheduler – Automated renewal and discovery execution

All services are stateless and horizontally scalable.


SSL-CLM uses a Service Provider Interface (SPI) framework to integrate with external systems.

Supports enterprise and public CAs through pluggable gateways:

  • Microsoft AD CS
  • Smallstep CA
  • DigiCert
  • Entrust
  • Sectigo
  • ACME-compatible services

Supports deployment targets such as:

  • Windows Certificate Store
  • Java Keystore (JKS/PKCS12)
  • Azure Key Vault
  • AWS Secrets Manager
  • File-based PEM stores

Supports discovery sources such as:

  • Network-based TLS scanning
  • Cloud provider APIs
  • Agent-based local discovery
  • Load balancer integrations

The capability-driven model ensures the platform adapts automatically to integration capabilities.


SSL-CLM uses lightweight agents for:

  • Local certificate discovery
  • Secure certificate deployment
  • Store validation
  • Job execution reporting
  • Mutual TLS communication
  • Token-based authentication
  • Capability declaration during registration
  • Heartbeat monitoring
  • Secure identity storage

Agents operate with least privilege and report execution status back to the platform.


SSL-CLM supports multiple deployment patterns:

Full internal deployment within enterprise infrastructure.

Deployed in AWS, Azure, or GCP with managed scaling.

Cloud control plane with on-premise agents.

Fully managed service operated by QCecuring.


  • Stateless API nodes behind load balancers
  • Horizontal scaling support
  • Replica-set database architecture
  • Asynchronous job processing
  • Automated renewal scheduling

Designed for environments managing thousands to millions of certificates.


  • End-to-end TLS encryption
  • Role-based access control
  • Immutable audit logging
  • Policy-driven cryptographic governance
  • Secure secret handling

SSL-CLM combines:

  • Centralized certificate visibility
  • Automated lifecycle orchestration
  • Pluggable integrations
  • Secure distributed execution
  • Enterprise-grade scalability