This plan sounds good. I would probably start with a module to provide an API that would talk to a DB. Then you can write a CLI to hit the API, and a web app later on to also hit the API, if you want to dress it up and make it available more widely. A cron job could run daily that would also hit your API, making updates on any certificate changes that might have occurred. These updates would also get logged to the database (by the API).

I hit on an approach that's worked quite well for me -- I wrote a bunch of Perl scripts to hit APIs and do DB updates, and I use the presence or absence of a command line argument to determine whether this a debug run ("Here's the update I would have made ..") or a production run ("Making the following update .. OK"). This gives you a chance to do everything except actually make the change so that you can do proper testing. This is a way of giving yourself a sandbox environment when one doesn't exist. (I gave a Lightning Talk about this at TPRC a while back.)

Good luck, and happy development.