Main section

Cloud Certificate Lifecycle Management

A fully managed CLM platform, operated by SwissSign on Evertrust Horizon, under Swiss jurisdiction. You automate certificates; we run the platform.

  • No infrastructure to deploy or maintain - start with just one certificate

  • Dedicated, logically isolated tenant per customer

  • Data and certificates under Swiss jurisdiction

  • Customer-side agents and connectors to integrate internal systems

Automation and digital sovereignty for your PKI - ready to deploy! 

Discuss with Sales Try evaluation licence

For whom our Cloud CLM works best

You want a Swiss-hosted CLM platform for PKI automation

You primarily need public certificates (SSL/TLS, S/MIME)

Your don't need complex integrations for the CLM – or you want to start small

You want fast onboarding without standing up servers

Cloud CLM offering: Application-as-a-Service (AaaS)

 

  • SwissSign hosts and operates the platform; powered by innovative French PKI firm Evertrust's software Horizon

  • Multi-tenant cloud with a dedicated logical tenant per customer: isolated configuration, access control, workflows, integrations and logically segregated data storage

  • Access via a dedicated web endpoint or REST APIs

  • SwissSign handles backups, security updates, maintenance, feature releases and connector upgrades - you manage users, permissions, integrations, workflows and certificate policies

  • Scales with your needs – start with just one certificate, grow with your migration timeline

  • Optional non-production environments available on request for testing/validation

Note: The cloud service does not deploy within your own infrastructure, except for the agent used to automate your web servers, which runs in your environment. For a fully self-hosted deployment, read more about our on-premises model or use the deployment selector.

Automate now – start with our evaluation licence!

 

Manage your full PKI and integrate CLM into your infrastructure with maximum security and sovereignty.

Get in touch with our Sales team or try our CLM with our Evaluation Licence

  • Dedicated SwissSign-hosted tenant for our Cloud CLM (Evertrust Horizon)

  • 60 days, up to 20 certificates

  • 4 hours of Professional Services support, including a kick-off meeting

  • Convert to production seamlessly: if you sign within 30 days of expiry, the tenant is reused, no migration

Note: the evaluation does not include Private PKI.

Discuss with Sales Start evaluation

What is the feature set of the Cloud CLM

 

  • Certificate discovery: configurable campaigns (scheduled or on-demand); lightweight Windows/Linux agent for local and network scans; external platforms can feed certificate data via native integrations

  • Centralised inventory across discovered, monitored and managed certificates (any CA, any location) with per-certificate attributes (identity, crypto properties, validity, deployment context, ownership) and built-in grading

  • Full lifecycle management: request → enrolment → issuance → renewal → revocation → replacement → automated distribution, with certificate profiles and approval workflows (segregation of duties). Self-service enrolment via WebRA

  • Monitoring & alerting: expiry timelines, lifecycle events, anomalies, via email, webhooks or integrations

  • Compliance scoring & governance: policy-driven grading, structured audit trail, built-in reporting catalogue, granular RBAC

  • Integration & APIs: comprehensive REST APIs; webhooks and multi-step automation

  • Private PKI integration and add-on options: integrate self-operated private PKIs, or add a new dedicated private PKI instance operated by SwissSign when needed for replacement or new use cases

Critical security & compliance advantages

 

  • TLS for all customer↔platform traffic; data at rest encrypted (databases + backups)

  • Sensitive data (credentials, escrowed keys, auth secrets) protected by application-level encryption backed by an HSM-protected KMS operated by SwissSign

  • Controls: traffic filtering, rate limiting, WAF, vulnerability management, platform hardening, monitoring

  • Identity & access: OIDC, local auth, and X.509 client-certificate auth; federation with Microsoft Entra ID, Keycloak and other OIDC IdPs; SCIM v2 for group sync; granular RBAC

Built for regulated industries

SwissSign operates under Swiss jurisdiction with Swiss hosting and is well positioned for FINMA, DORA and NIS2 expectations as well as GDPR and nDSG

  • CA/Browser Forum
  • ISO/IEC 27001
  • EPDG - IdP
  • ZertES
  • eIDAS

What you're responsible for

We offer our Cloud CLM as an Application-as-a-Service for smaller or medium-sized organisations or teams with lean PKI set-ups. While we host and operate the platform, you will yourself manage

  • Users, permissions, integrations, workflows and certificate policies

  • Network connectivity (firewall, allowlisting, routing) and operating customer-side agents/connectors

  • Operational use of issued certificates and maintaining connected third-party systems

Discovery, issuance and deployment depend on the availability and compatibility of connected systems (CAs, cloud providers, IdPs, endpoints).

Ready to automate your certificates the easy way?

47-day certificates and post-quantum migration are coming fast, and manual renewals won't keep up. With our Cloud CLM, you get automation and Swiss-hosted sovereignty without standing up a single server. Start with a free evaluation tenant, or talk to our experts about the right set-up for your team.

Book a consultation today – and secure your digital infrastructure for tomorrow's challenges.

Discuss with Sales Try evaluation licence

Frequently Asked Questions

Under Swiss jurisdiction; SwissSign operates the platform.

Within a couple of days. Begin with a 60-day evaluation tenant; production conversion needs no migration if signed within 30 days of expiry.

Yes, you can integrate your existing PKI and continue to operate it yourself. Our CLM platform can be complemented by a flexible attractive private PKI option operated by SwissSign; not included in the evaluation licence) which can fully replace your existing private PKI.

Larger or heavily regulated/integrated estates are better served on-premises - consult our deployment selector.