Network administrators who manage SSL certificates for many websites, devices, and cloud services are no longer satisfied with single-site certificate automation solutions. They need a centralized management system for all the dual-algorithm SSL certificates required by their organization's websites, systems, devices, cloud services, and so on: they need to discover which systems across the entire organization have SSL certificates deployed and when those certificates expire, and they need lifecycle management of all the SSL certificates those websites, systems, devices, and cloud services require, including application, validation, retrieval, distribution, deployment, renewal, revocation, archiving and audit.
Through its HTTPS Automation Gateway, ZoTrus Technology gives systems, devices, and cloud services that require SSL certificates but do not themselves support certificate automation the ability to have their dual-algorithm SSL certificates managed automatically. This enables centralized, unified, automatic management of the entire lifecycle of the SSL certificates required by all systems, which ZoTrus calls ACLM (automatic certificate lifecycle management). The primary role of the ZoTrus ACLM Gateway is automatic certificate lifecycle management, centrally managing public and intranet SSL certificates; its secondary role is as an HTTPS Automation Gateway, serving as a backup device when other SSL gateway devices are unavailable.
1. Product Introduction
ZoTrus ACLM Gateway is a new hardware product that adds an ACLM system to the ZoTrus HTTPS Automation Gateway (ACME gateway); it is also the on-premises edition of the ZoTrus ACLM Cloud Service. It is a comprehensive certificate management system that integrates certificate discovery, centralized monitoring, automatic certificate application, automatic certificate deployment, compliance auditing and risk alerts, HTTPS encryption offloading and forwarding, post-quantum cryptography migration and WAF protection. It turns scattered, isolated ACME certificates into a unified automatic management system covering the entire organization, ensuring that SSL certificates on physical servers, virtualization platforms, container environments, or cloud services can be managed automatically throughout their entire lifecycle on a single platform.
The difference between ZoTrus ACLM Gateway and ZoTrus ACME Gateway lies in their dimensions. ACME Gateway provides the technical foundation at the "point", solving the technical challenge of "how to automatically obtain certificates" and serving as a tool for automating certificate acquisition. ACLM Gateway adds comprehensive management and implementation on top of the "point", addressing the governance challenge of "how to automatically manage all certificates within an organization" and providing a secure foundation for digital transformation. ACME Gateway is one of the devices managed by ACLM Gateway, which is a unified management platform for the various devices that require SSL certificates.
2. Main Functions
ZoTrus ACLM Gateway is designed for high security requirements and strict "zero-interference" needs for existing network services. It's not just a hardware gateway integrating an ACME client, but a comprehensive security device integrating Certificate Lifecycle Management (CLM), certificate automation, SM2 cryptography upgrades, post-quantum cryptography migration, and WAF protection. Its core innovation lies in the "hardware-based CLM" concept: integrating the CLM module, ACME service, SM2 cryptographic module, post-quantum cryptography module, and WAF engine into a single device deployed in front of the user's business servers. This not only provides automatic certificate management for the connected web servers but also empowers other systems and network devices in the organization's network architecture that do not support certificate automation, achieving unified and centralized management of dual-algorithm SSL certificates for all websites, systems, devices, and cloud services within the organization.
ZoTrus ACLM Gateway has the following four core functions:
(1) Integrated hardware and software delivery to create a secure and reliable automatic middleware platform.
ZoTrus ACLM Gateway upgrades CLM from a "software solution" to a "hardware solution", employing an integrated hardware and software module on the HTTPS Automation Gateway. This brings three fundamental benefits:
- High reliability and high performance: High-performance cybersecurity hardware provides a stable computing environment, with built-in hardware acceleration cards for both SM2 and RSA/ECC algorithms, enabling high-performance processing of SSL/TLS handshakes and encryption/decryption. This goes well beyond pure software solutions that only provide certificate management services: the gateway also performs the HTTPS encryption itself, making it an innovative product that can replace traditional SSL gateways that do not support automatic certificate management.
- Clear boundaries and easy deployment: Deployed as a physical gateway device at the network boundary or core area, it eliminates the need to install proxy software on every server, requires zero modification to the original web server, does not intrude on business systems, does not interrupt existing business operations, simplifies the architecture, enables seamless deployment, and greatly reduces the complexity of operation and maintenance.
- Self-contained security domain: The Gateway is based on a high-end cybersecurity hardware platform with strong security hardening. It provides a built-in cryptographic card that has passed commercial cryptographic product certification, ensuring the secure management of ACME keys and SSL certificate private keys. SSL certificate private keys never leave the gateway hardware, eliminating the risk of private key leakage. This security level is far higher than the traditional method of manually managing certificate private keys across multiple people and multiple channels.
(2) Dual Algorithms and the "Smooth Transfer Engine" of Post-Quantum Cryptography
ZoTrus ACLM Gateway embeds a "dual-algorithm certificate automation engine" that connects automatically to the ZoTrus Cloud SSL Service System. This enables automatic switching between multiple CA issuance channels for the application, validation, issuance, retrieval, deployment, and renewal of dual-algorithm RSA/ECC and SM2 SSL certificates, and allows the optimal algorithm to be negotiated automatically with the browser. More importantly, this is a dual-cryptography-ready architecture compatible with both traditional and post-quantum cryptographic algorithms.
- Hybrid PQC Algorithm: Immediately implement HTTPS encryption for critical core business systems that simultaneously support the hybrid PQC algorithm X25519MLKEM768 and SM2MLKEM768. Prioritize the use of the PQC algorithm and work closely with ZT Browser to prioritize the use of the SM2MLKEM768 algorithm, while also meeting the SM2 cryptographic compliance and post-quantum cryptography migration needs.
- Pure PQC Algorithm: Once PQC algorithm SSL certificates are fully supported by CAs and browsers, PQC algorithm SSL certificate management capabilities and pure PQC algorithm HTTPS encryption capabilities can be seamlessly added through free system upgrades.
- Traditional SM2/ECC/RSA algorithms: In addition to the hybrid PQC algorithms, the gateway prioritizes the SM2 algorithm for browsers that do not support PQC, and remains compatible with RSA/ECC for browsers that support neither PQC nor SM2.
- Public and Intranet SSL Certificates: Not only does it support automatic management of publicly trusted SSL certificates, but it can also automatically manage intranet SSL certificates (bound to private IP addresses), achieving unified management and a unified security baseline for internal and external network business systems.
(3) Beyond CLM, integrating WAF and unified management capabilities
ZoTrus ACLM Gateway goes beyond the scope of traditional CLM, deeply integrating the following security protection capabilities that critical information infrastructure operators must possess:
- Integrated WAF protection: While providing HTTPS encryption, it performs real-time application-layer security detection and protection on decrypted HTTP traffic, defending against common web threats such as SQL injection, XSS, and CC attacks. It achieves two goals at once and completely solves the problem that the traditional WAF devices deployed by users do not support certificate automation.
- Clustered and unified management: Through a central management platform, hundreds or thousands of distributed servers, gateway devices and load balancers can be managed uniformly, along with the certificate status of all websites served by these devices, and cloud CDN/WAF services. This achieves the most secure "one site, one key, one certificate" deployment management, completely eliminating the insecure deployment method of traditional manual certificate management where a single wildcard certificate and a single private key are shared everywhere.
- Full lifecycle visualization: Provides a cockpit-style visualization dashboard that displays a global map of certificate assets, expiration heatmap, compliance status, and algorithm distribution, and provides alerts, reports, and audit logs.
(4) Flexible deployment and service models
ZoTrus ACLM Gateway can not only serve as a standalone SSL gateway to replace traditional SSL gateways and WAF devices that do not support certificate automation, but also provide dual-algorithm SSL certificate automation management services for existing devices. It supports CLM services not only for local devices but also for cloud-based web applications located outside the local data center.
- Standalone gateway mode: Directly acts as a front-end gateway for web servers, providing HTTPS acceleration and offloading, automatic dual-certificate management, and WAF protection.
- Certificate management platform mode: Provides unified certificate provisioning and update services for existing network architectures (such as load balancers, web clusters) or CDN/WAF cloud services without changing the existing network topology.
- Hybrid cloud support: Supports deployment in physical data centers, private clouds, and public clouds; plug-and-play functionality; unified management of web service nodes and edge gateways; adaptable to complex hybrid IT architectures.
3. Functional Modules and Management Interface
In addition to the 12 functional modules provided by ZoTrus HTTPS Automation Gateway, the ZoTrus ACLM Gateway offers the following 12 certificate management functional modules:
(1) Domain Management
Users can manually enter the domain names they need to manage, or import them in batches. The system automatically discovers all valid SSL certificates that have already been issued for each domain name and its subdomains. ACME services can also be purchased for each website, and traditional manual certificate application is of course still supported.
(2) Order Management
It can manage each order from users using the free SM2 ACME service and the paid ACME service, and can also manage SSL certificate orders manually applied for by users.
(3) Certificate Management
Displays all discovered issued RSA/ECC/SM2 SSL certificates and their detailed information, including current certificate status (valid, expired, revoked), remaining days, delivery status (delivered/not delivered), PQC readiness, and deployment device information.
(4) Equipment Management
Displays information about all devices that have deployed SSL certificates, such as: device type, device name, public IP address, private IP address, device location, number of websites running, number of certificates deployed, ACME support, administrator information, etc.
(5) PQC Readiness
This feature displays whether the managed websites with deployed certificates support either of the two hybrid PQC algorithms: X25519MLKEM768 or SM2MLKEM768. If supported, it displays "Ready." This allows users to monitor the organization's PQC migration status in real time.
(6) Org Management
The organization information management feature manages all organizations within the group. Organizations that have completed identity validation have their names grayed out and cannot be modified. It displays the number of domains, certificates, and websites delivered under each organization's name.
(7) User Management
This manages users, categorizing them as administrators, operations and maintenance staff, or auditors, and displays their contact information and system access permissions.
(8) Report Management
It can automatically generate weekly, monthly, and annual reports and display detailed report information, including: time period, number of valid SM2 certificates, number of valid RSA/ECC certificates, certificates about to expire, number of certificates issued by each CA, number of DV/OV/EV certificates, number of domain names, number of websites, and number of websites deployed on different devices.
(9) Issuance Root Management
Manage the root CA certificates and intermediate root certificates for issuing RSA/ECC SSL certificates and SM2 SSL certificates; manage two ZT Browser trusted intranet intermediate root certificates and two ZT Browser not-trusted self-signed intranet intermediate root certificates customized for users; and count how many certificates have been issued by these intermediate root certificates.
(10) Integrated API Management
Manage the tokens and secure keys of devices accessing the API, and set the allowed IP addresses and domains for certificate applications. Configure the tokens and secure keys for the CDN service provider's API to enable ACME certificate services for CDN service.
(11) Log Management
List all operation and runtime logs for security auditing purposes. This includes user login records, certificate order records, successful certificate renewal records, records of unsuccessful scheduled renewals (with email notifications), and successful API access records.
(12) System Settings
This includes various parameter settings required for system-level management, such as notification template settings, notification method settings, system access control, and password policies.
The ZoTrus ACLM system provides a cockpit-style visual dashboard displaying a global map of certificate assets, an expiration heatmap, compliance status, and algorithm distribution, along with alerts, reports, and audit logs. In particular, a PQC-ready 2D chart visually shows the percentage of all websites in the organization that have completed post-quantum cryptography migration, and an SM2-ready 2D chart visually shows the percentage of all websites in the organization that have completed the SM2 cryptographic upgrade.
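As an added example (not ZoTrus code), the audit below models the checks that the Certificate Management and PQC Readiness modules and the dashboard describe: certificate status with remaining days, renewal due against the 90-day validity period and 80-day renewal cycle listed in the specification table, PQC readiness via the two hybrid groups named on this page, and the "one site, one key, one certificate" rule. The inventory records, their field names and the 10-day expiry warning threshold are constructed assumptions, not the gateway's data format.

```python
from collections import defaultdict
from datetime import date, timedelta

VALIDITY_DAYS = 90        # certificate validity period from the spec table
RENEWAL_CYCLE_DAYS = 80   # renewal cycle from the spec table
EXPIRY_WARNING_DAYS = VALIDITY_DAYS - RENEWAL_CYCLE_DAYS  # assumed alert threshold
PQC_HYBRID_GROUPS = {"X25519MLKEM768", "SM2MLKEM768"}     # hybrids the page names
TODAY = date(2025, 3, 20)  # fixed "now" so the sample results are reproducible

# Constructed sample inventory, one record per deployed certificate (field names are
# assumptions). "key_fp" is a public-key fingerprint; "groups" are accepted TLS groups.
INVENTORY = [
    {"site": "a.example.test", "alg": "ECC", "key_fp": "fp-a", "revoked": False,
     "not_before": date(2025, 1, 1), "not_after": date(2025, 4, 1),
     "groups": {"X25519MLKEM768", "X25519"}},
    {"site": "b.example.test", "alg": "SM2", "key_fp": "fp-b", "revoked": False,
     "not_before": date(2024, 12, 25), "not_after": date(2025, 3, 25),
     "groups": {"SM2MLKEM768"}},
    # Two sites sharing one wildcard key: the pattern the text calls insecure.
    {"site": "c.example.test", "alg": "RSA", "key_fp": "fp-wild", "revoked": False,
     "not_before": date(2024, 12, 1), "not_after": date(2025, 3, 1), "groups": {"X25519"}},
    {"site": "d.example.test", "alg": "RSA", "key_fp": "fp-wild", "revoked": False,
     "not_before": date(2024, 12, 1), "not_after": date(2025, 3, 1), "groups": {"X25519"}},
]

def cert_status(rec, today):
    """Return (status, remaining_days); status is valid/expiring/expired/revoked."""
    remaining = (rec["not_after"] - today).days
    if rec["revoked"]:
        return "revoked", remaining
    if remaining < 0:
        return "expired", remaining
    if remaining <= EXPIRY_WARNING_DAYS:
        return "expiring", remaining
    return "valid", remaining

def renewal_overdue(rec, today):
    """True when an unexpired certificate is older than the renewal cycle."""
    age = (today - rec["not_before"]).days
    return age > RENEWAL_CYCLE_DAYS and today <= rec["not_after"]

def pqc_ready(rec):
    """'Ready' when the site accepts either hybrid PQC key-exchange group."""
    return bool(rec["groups"] & PQC_HYBRID_GROUPS)

def audit(inventory, today):
    """Map each site to its set of finding codes, like a dashboard alert list."""
    findings = defaultdict(set)
    sites_per_key = defaultdict(set)
    for rec in inventory:
        status, _ = cert_status(rec, today)
        if status != "valid":
            findings[rec["site"]].add(status)
        if renewal_overdue(rec, today):
            findings[rec["site"]].add("renewal_overdue")
        if not pqc_ready(rec):
            findings[rec["site"]].add("pqc_not_ready")
        sites_per_key[rec["key_fp"]].add(rec["site"])
    # "one site, one key, one certificate": flag a key deployed on several sites
    for sites in sites_per_key.values():
        if len(sites) > 1:
            for site in sites:
                findings[site].add("shared_key")
    return dict(findings)
```

Calling `audit(INVENTORY, TODAY)` reports nothing for a.example.test, an expiring certificate whose 80-day renewal is overdue for b.example.test, and an expired, non-PQC-ready, shared-key wildcard certificate on both c.example.test and d.example.test.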
4. Performance and Deployment
ZoTrus ACLM Gateway comes in two different specifications: one provides only ACLM services, and the other provides both ACLM and ACME gateway services. The former has four built-in intermediate root keys for intranet SSL certificate issuance, enabling automatic intranet SSL certificate management. The latter also provides automatic intranet SSL certificate management but does not support customized intranet SSL intermediate roots; its intranet SSL certificates are issued from the ZoTrus public intranet SSL intermediate root keys. The latter is available with Intel or Hygon CPUs, and each supports either 100 or 255 websites.
The performance parameters of various models are shown in the table below. For users with different requirements, products can be customized to meet their needs.
| Model | MG-1-5 | MG-8-5 | MG-9-5 |
|---|---|---|---|
| Functions | ACLM system | ACLM system + ACME gateway | ACLM system + ACME gateway |
| CPU Brand | Intel Atom | Intel Xeon (dual) | Hygon 5380 |
| Number of manageable websites | 1-99999 | 1-99999 | 1-99999 |
| Number of ACME websites | 0 | 100 / 255 | 100 / 255 |
| Built-in intranet intermediate root CA | 4 | 0 | 0 |
| ACLM for public certificates | Yes | Yes | Yes |
| ACLM for intranet certificates | Yes | Yes | Yes |
| Built-in ACME service | Yes | Yes | Yes |
| Built-in API service | Yes | Yes | Yes |
| Automatic certificate discovery | Yes | Yes | Yes |
| Supports multiple devices and CDN | Yes | Yes | Yes |
| SM2 Readiness Management | Yes | Yes | Yes |
| PQC Readiness Management | Yes | Yes | Yes |
| Equipment Management | Yes | Yes | Yes |
| Statistical Reports | Yes | Yes | Yes |
| Incl. No. of ECC SSL certificates | Purchase as needed | 100 / 255 | 100 / 255 |
| Incl. No. of SM2 SSL certificates | Purchase as needed | 100 / 255 | 100 / 255 |
| ACME service duration | Purchase as needed | 5 years | 5 years |
| ECC SSL Certificate Type | DV/OV/EV SSL Certificate | DV SSL Certificate | DV SSL Certificate |
| SM2 SSL Certificate Type | DV/OV/EV SSL Certificate | OV SSL Certificate | OV SSL Certificate |
| Each website has its own key/certificate | Yes | Yes | Yes |
| SSL certificate validity period | 90 days | 90 days | 90 days |
| SSL certificate renewal cycle | Every 80 days | Every 80 days | Every 80 days |
| Website Trusted Identity Types | EV certification | EV certification | EV certification |
| X25519MLKEM768 algorithm | n/a | Yes | Yes |
| SM2DHMLKEM768 algorithm | n/a | Yes | Yes |
| ECC/RSA algorithm | n/a | Yes | Yes |
| SM2 HTTPS throughput | n/a | 9 Gbps | 9 Gbps |
| ECC HTTPS throughput | n/a | 9 Gbps | 9 Gbps |
| SM2 SSL requests | n/a | 120 K/s | 60 K/s |
| ECC SSL requests | n/a | 130 K/s | 90 K/s |
| WAF function | n/a | Built-in | Built-in |
| Network interface | 6 gigabit Ethernet ports | 6 gigabit Ethernet ports + 4 10 Gigabit optical ports | 6 gigabit Ethernet ports + 4 10 Gigabit optical ports |
| Chassis size | 155*240*40 (mm) | 2U | 2U |
| Power supply | 60W single power supply | Dual power supply 550W | Dual power supply 550W |
| Suitable Scope | For ACLM services only | For ACLM and ACME gateway services | For ACLM and ACME gateway services |

(The gateway-only rows are marked n/a for MG-1-5, which provides ACLM services only and does not terminate HTTPS itself.)
An ACLM Gateway that provides only ACLM functions (model MG-1-5) does not require a public IP address; it only needs internet access and a connection to the intranet. An ACLM Gateway that also provides ACME functions (models MG-8-5 and MG-9-5) is deployed in front of the web servers, like the other types of ZoTrus HTTPS Automation Gateway.
If deploying the ZoTrus ACLM Gateway hardware device is inconvenient, customers can instead deploy the ZoTrus ACLM system on their own data center servers or containers, achieving the same ACLM functionality as the ZoTrus ACLM Gateway (MG-1-5).
5. ZoTrus ACLM Gateway – The Inevitable Path to Comprehensive Security Protection
Driven by the triple demands of shortened certificate validity periods, in-depth reforms of SM2 cryptographic transformation, and the looming threat of quantum computing, ZoTrus ACLM Gateway has emerged, possessing the following five characteristics:
- Automation and intelligence: Full-process automation with intelligent early warning and strategy self-healing capabilities.
- Cryptographic algorithm agility: It natively supports both traditional RSA/ECC/SM2 algorithms and post-quantum cryptographic algorithms. It prioritizes the use of the SM2 hybrid PQC algorithm to achieve smooth PQC migration.
- Architecture integration: It can be seamlessly integrated with commonly used CDN/WAF services to form a collaborative defense.
- Enterprise-level reliability: Meets the stringent requirements of critical business operations for high availability, high performance, and auditability.
- Hybrid environment adaptability: It can seamlessly manage multi-form certificate application assets across cloud, ground, edge, and endpoint.
ZoTrus ACLM Gateway integrates CLM with cryptographic acceleration, security protection, and unified management capabilities into a dedicated security hardware platform. This not only completely solves the operational challenges of automatic certificate management but also provides a one-stop solution for three critical protection tasks urgently needed by critical information infrastructure operators: SM2 cryptographic transformation, post-quantum cryptography migration, and HTTPS traffic security protection. Upgrading the security protection system is no longer about single-point reinforcement but a complete architectural reshaping of overall security capabilities. ZoTrus ACLM Gateway creates a robust yet intelligent security foundation for the digital businesses of large and medium-sized organizations, capable of addressing current needs while remaining future-proof.
For large and medium-sized organizations with multiple websites, systems, devices, and cloud services, the need is not just for ACME, but for unified management and scheduling of ACME – namely, ACLM. ACME solves the "how to do it" problem, while ACLM solves the "how to manage it well" problem. An excellent ACLM solution can integrate all ACME services into a unified view, orchestrate manually applied certificates alongside automatically applied certificates, seamlessly integrate support for RSA/ECC and SM2 algorithms, support the mixed use of and seamless migration between traditional and post-quantum cryptographic algorithms, and present certificate lifecycle status to administrators in real time in the form of reports and alerts. ACLM is the ultimate solution for automatic certificate management. ZoTrus ACLM Gateway turns the passive management of SSL certificates into the proactive, automatic building of a cryptographically agile digital trust infrastructure.