CLM
Bring SSL.com into the CLM platform you already trust.
Certificate Lifecycle Management (CLM) is the discipline of discovering, inventorying, issuing, renewing, and revoking certificates across your entire estate. Most enterprises run this through a dedicated CLM platform — Venafi (now part of CyberArk) and Keyfactor are the two most widely deployed. SSL.com integrates as a CA into both — and exposes two REST APIs for custom integrations — so you can keep your existing CLM platform, workflows, and inventory, and use SSL.com for the certificates themselves.
What CLM is, and who does what
Certificate Lifecycle Management (CLM) spans the full life of a certificate: discovery on the network, inventory across teams and CAs, issuance, deployment, monitoring, renewal, and revocation. Different parts of that lifecycle are owned by different layers of the stack.
If you already run Venafi TPP or Keyfactor Command, you don’t need SSL.com to also be a CLM platform — you need SSL.com to plug into the one you already have. That’s what this page covers.
| Layer | What it does | Where SSL.com fits |
|---|---|---|
| CLM platform (Venafi, Keyfactor) | Discovery, multi-CA inventory, approval workflows, request forms, RBAC, audit, reporting, policy | SSL.com integrates as a CA into the platform via a published driver/plugin |
| Automation protocol (ACME) | Standardised, unattended issuance and renewal | SSL.com is a fully ACME-compatible CA — see the ACME page |
| REST APIs (SWS API, Developer Portal API) | Programmatic access to the full certificate lifecycle for custom integrations | Both are published and supported by SSL.com — see REST APIs section below |
| Certificate Authority (SSL.com) | Validation, issuance, revocation, expiry notifications, account-level management | The CA layer of your CLM stack |
Native lifecycle features at SSL.com
These features are provided directly inside the SSL.com account and require no integration:
- Expiry notifications: Automated email alerts before certificate expiry — so you know before your users do.
- Account-level certificate list: View, download, and manage certificates issued through your SSL.com account from one place.
- Renewal & reissue: Renew or reissue any certificate from the SSL.com portal — no additional tooling required.
- Revocation: Revoke certificates issued through your account, individually or in bulk.
- ACME automation: Fully automated issuance and renewal via the ACME protocol. See the ACME capability page for full details.
- REST APIs: Two REST/JSON APIs cover the full lifecycle programmatically — the SWS API and the Developer Portal API at api.ssl.com.
Integration — Venafi TPP (CyberArk)
SSL.com integrates with Venafi Trust Protection Platform (TPP) — now part of the CyberArk Machine Identity Security portfolio — through the SSL.com Adaptable Driver for Venafi.
What the integration provides
- Full lifecycle automation through Venafi: request, issuance, renewal, and revocation of SSL.com certificates from the Venafi platform
- Coverage across SSL.com certificate types: SSL/TLS, client authentication, S/MIME, and code signing
- Built on the SWS API: the driver communicates with SSL.com via the SWS API so the full certificate lifecycle and real-time data are available inside Venafi
- Centralised visibility and policy: Venafi remains the single pane of glass — SSL.com appears as one of the CAs Venafi can issue against
How to deploy
The driver is published on the Venafi / CyberArk Marketplace. Install it into your Venafi TPP environment, configure SSL.com account credentials, and define the SSL.com products your team should be able to issue against.
Integration — Keyfactor Command
SSL.com integrates with Keyfactor Command through the SSL.com AnyCA Gateway REST plugin, published and maintained on Keyfactor’s GitHub.
What the integration provides
- Issue, revoke, and synchronise SSL.com certificates from Keyfactor Command, alongside any other CAs Keyfactor manages
- Modern REST-based architecture: runs against Keyfactor’s AnyCA Gateway REST framework rather than the legacy DCOM gateway
- Configurable certificate templates: map SSL.com product IDs to certificate profiles in Keyfactor; control lifetime and other parameters via Command’s enrollment fields
- Compatible with Keyfactor Command v12.3 and later
How to deploy
Install the AnyCA Gateway REST per Keyfactor’s documentation, drop the SSL.com plugin into the Gateway’s Extensions directory, restart the service, and add SSL.com as an HTTPS CA inside Keyfactor Command.
Keyfactor GitHub plugin · Keyfactor AnyCA Gateway REST documentation
REST API interfaces
SSL.com exposes its certificate lifecycle through two REST/JSON APIs. Either can be used directly to build custom CLM workflows, or as the integration substrate beneath a third-party CLM platform. Both authenticate against an SSL.com account, return JSON, and cover the full certificate lifecycle.
| API | What it is | When to use |
|---|---|---|
| SWS API (SSL.com Web Services) | The established REST API. Drives certificate ordering, validation, issuance, re-keying, revocation, and account management. Backed by a public sandbox for safe testing. | Existing partner integrations, the SSL.com Adaptable Driver for Venafi, and most current automation work. Stable, broadly deployed, well-documented. |
| Developer Portal API at api.ssl.com | The newer REST API and self-service developer portal — same lifecycle, refreshed surface, and a member portal for credentials and docs. Staging at api.staging.ssl.com. | Recommended for new integration work. Use staging for development; promote to production against api.ssl.com when ready. |
Choosing an approach
| Your situation | Recommended approach |
|---|---|
| Small fleet, mostly public-facing TLS, no existing CLM platform | Use SSL.com's native expiry notifications and ACME automation |
| Mid-size estate, DevOps-driven, no CLM platform | ACME for issuance/renewal automation, plus SSL.com's native account-level features for tracking |
| Already running Venafi TPP / CyberArk Machine Identity Security | Install the SSL.com Adaptable Driver — keep Venafi as your single pane of glass |
| Already running Keyfactor Command | Install the SSL.com AnyCA Gateway REST plugin — keep Keyfactor as your single pane of glass |
| Custom in-house tooling or integrating with a CLM platform not listed above | Build against the SWS API or the Developer Portal API at api.ssl.com |
| Need network discovery, multi-CA inventory, approvals, request forms, or fleet-wide RBAC | Adopt a CLM platform (Venafi or Keyfactor) and integrate SSL.com using the relevant plugin |