Understanding PKI Migration

Posted by Mike Hathaway on Jan 8, 2024 12:23:33 PM

Public key infrastructure (PKI) is a critical component of cybersecurity, providing the foundations for secure communication and authentication. As organisations evolve and IT environments change, PKI deployments can become outdated, inefficient, and no longer fit for purpose. This often necessitates a migration, a process that is understandably complex and time-consuming.


In this blog, Ascertia’s Chief Product Officer Mike Hathaway delves into the intricacies of PKI migration, including migration strategies, challenges to overcome and best practices.

Why migrate?

A PKI migration isn’t a simple undertaking, so there are usually compelling reasons behind it. Many of them relate to the incumbent vendor, for example:

  • The vendor going out of business
  • The product being discontinued
  • A breakdown in the vendor relationship
  • Slow or no response to support requests
  • Functionality you need not being available
  • Slow or no feature releases
  • Poor ease of use

If the vendor isn’t an issue, other reasons organisations may migrate include:

  • Enhanced security – Modern PKI solutions support current algorithms and key sizes (for example SHA-256 signatures with RSA keys of at least 2048 bits or elliptic-curve keys) and more robust key management, such as CA keys protected in a hardware security module (HSM).
  • Increased efficiency – Newer PKI platforms automate tasks that used to be manual, such as certificate enrolment and renewal, streamlining processes and reducing the administrative burden.
  • Improved scalability – Infrastructure has to grow with the organisation. Modern PKI solutions can scale to meet the demands of a growing business.
  • Reduced costs – Legacy systems become costly to run. Migrating to a cloud-based PKI solution can lower hardware and maintenance costs.


Effective PKI migration

Planning and preparation are the cornerstone of any successful PKI migration. Before you begin, consider the following:

  • Define your goals and objectives – Clearly articulate why you’re migrating and what you hope to achieve.
  • Assess your current PKI environment – Knowing where you are and where you want to be is crucial. Conduct a thorough inventory of existing certificates (which CA issued each one, which algorithm and key size it uses, and when it expires), servers, and policies.
  • Choose the right migration approach – There are several ways to migrate a PKI, such as lift-and-shift or a phased migration. Choose the one that works for your organisation.
  • Establish your timeline and budget – Be realistic. Set an attainable timeline for your chosen approach and allocate the resources the project needs.
  • Communicate effectively – PKI migrations have many moving parts. Keep stakeholders informed throughout the project so you can confirm you’re hitting the goals and objectives they care about most.

PKI migration strategies

What type of migration strategy will work for your business? Organisations can implement PKI migrations using several methods. Consider the following scenario: Your organisation’s current PKI environment has flaws you wish to correct, but you want to minimise a migration’s impact on your organisation.

In this scenario, the following PKI migration strategies would be a good option.

Lift-and-shift strategy

This type of migration is often the simplest. It involves moving the existing PKI to a new environment with minimal changes. IT teams often use this approach when the existing PKI is relatively new and up-to-date, or when resources for a full-scale migration are limited.


Rehosting

Rehosting also moves the PKI to a new environment, but takes the time to change the infrastructure along the way to improve its performance or security. For example, an organisation may rehost its PKI in the cloud to take advantage of cloud-based security features.

These two strategies are the least complex, but sometimes a more comprehensive overhaul is needed. If your existing PKI is no longer fit for purpose, or you have a large deployment where re-issuing every certificate at once would be too time-consuming, the following strategies are a better option:

Technology Replacement

Often the most complex type of PKI migration for the team running it, technology replacement swaps out the existing PKI product while keeping the existing CA keys and certificates. Organisations use this method when the current product is outdated or unsupported, or when their requirements have changed significantly. Because the trust anchor does not change, it is far less disruptive to endpoints than building a new PKI, which requires the new root certificate to be distributed to every endpoint. The complexity lies in moving the CA keys: keys held in an HSM may have been generated as non-extractable, and the new product may expect different key attributes, so confirm early that the keys can be carried across (or that both products can share the same HSM) before committing to this approach.

Phased approach

Need a new PKI but want to limit the impact on your organisation? This is the ideal method. It involves building the new PKI alongside the old one and issuing certificates from the new CA as the old ones come up for renewal.

The approach is beneficial because the chain of trust is never interrupted: endpoints trust both the old and the new root during the overlap period, so every certificate in the estate validates against one or the other, and the old root is retired only once its last issued certificate has expired or been replaced. This makes it ideal for organisations with large deployments.
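The inventory step from the planning section, the technology-replacement caveat about which trust anchor a certificate really chains to, and the phased approach described above can be exercised together in code. The following Python is an added example written for this page, not Ascertia code or any product's own tooling. It uses the third-party `cryptography` package, constructs throw-away old and new roots and a handful of endpoint certificates in memory (all names and validity periods are made up), and then decides, for each certificate, whether it is already on the new root, can wait for its natural renewal, or must be reissued now because its key is weak, it chains to no known anchor, or it would outlive the old root.

```python
"""Certificate inventory and phased-migration planner (added example, not Ascertia code).
Constructed scenario: "Corp Root CA" is being retired in favour of "Corp Root CA G2".
Requires the third-party 'cryptography' package."""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID

NOW = dt.datetime.now(dt.timezone.utc).replace(microsecond=0)  # whole seconds, like X.509 times
DAY = dt.timedelta(days=1)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _not_after(cert):
    # cryptography >= 42 exposes tz-aware *_utc properties; older versions return naive UTC.
    na = getattr(cert, "not_valid_after_utc", None)
    return na if na is not None else cert.not_valid_after.replace(tzinfo=dt.timezone.utc)


def make_root(cn, days):
    """Self-signed RSA-2048 root valid for `days` from now (constructed test CA)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + days * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(ca_key, ca_cert, cn, days, leaf_key):
    """End-entity certificate for `cn`, signed by the given CA (constructed test data)."""
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(leaf_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + days * DAY)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))


def chains_to(cert, anchor):
    """True only if the anchor's RSA key verifies the signature; a matching issuer name alone proves nothing."""
    if cert.issuer != anchor.subject:
        return False
    try:
        anchor.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def inventory(certs, anchors):
    """One record per certificate: subject, verified trust anchor, key strength, days left."""
    rows = []
    for cert in certs:
        pk = cert.public_key()
        if isinstance(pk, rsa.RSAPublicKey):
            key_desc, weak = "RSA-%d" % pk.key_size, pk.key_size < 2048
        elif isinstance(pk, ec.EllipticCurvePublicKey):
            key_desc, weak = "EC-" + pk.curve.name, False
        else:
            key_desc, weak = type(pk).__name__, True  # unexpected key type: review by hand
        anchor = next((label for label, ca in anchors.items() if chains_to(cert, ca)), None)
        rows.append({"subject": cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
                     "anchor": anchor, "key": key_desc, "weak": weak,
                     "days_left": (_not_after(cert) - NOW).days})
    return rows


def migration_plan(rows, old_anchor_days_left, new_label="new"):
    """Phased approach: reissue at natural renewal, except where waiting would break the chain."""
    plan = {"reissue_now": [], "reissue_at_renewal": [], "already_migrated": []}
    for r in rows:
        if r["anchor"] == new_label:
            plan["already_migrated"].append(r["subject"])
        elif r["weak"] or r["anchor"] is None or r["days_left"] >= old_anchor_days_left:
            plan["reissue_now"].append(r["subject"])  # weak key, unknown anchor, or outlives the old root
        else:
            plan["reissue_at_renewal"].append(r["subject"])
    return plan


def demo():
    old_key, old_root = make_root("Corp Root CA", days=400)
    new_key, new_root = make_root("Corp Root CA G2", days=3650)
    rogue_key, rogue_root = make_root("Corp Root CA", days=400)  # same name, different key: not our anchor
    ec_key = ec.generate_private_key(ec.SECP256R1())  # one key reused across leaves to keep the demo fast
    certs = [
        issue_leaf(old_key, old_root, "vpn.corp.example", 90, ec_key),
        issue_leaf(old_key, old_root, "mail.corp.example", 730, ec_key),  # expires after the old root
        issue_leaf(old_key, old_root, "legacy.corp.example", 90, rsa.generate_private_key(65537, 1024)),
        issue_leaf(new_key, new_root, "intranet.corp.example", 365, ec_key),
        issue_leaf(rogue_key, rogue_root, "printer.corp.example", 90, ec_key),
    ]
    rows = inventory(certs, {"old": old_root, "new": new_root})
    return rows, migration_plan(rows, old_anchor_days_left=400)
```

Call `demo()` and look at the plan: the printer certificate, whose issuer name matches the old root but whose signature does not verify against it, is the important case, because an inventory that keys on issuer name alone would file it under the old root and plan its renewal as if it were part of the estate. In a real migration you would load the certificates with `x509.load_pem_x509_certificate` from the CA database export or by scanning endpoints instead of generating them, and the thresholds (old root expiry, minimum RSA size) would come from your policy.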

PKI migration challenges

There will always be a few wrenches thrown into the mix when you’re making large infrastructure changes. Anticipating them, and adapting as they arise, is the key to success. Here are a few important things to consider when migrating your PKI infrastructure:

  • System audit logs cannot be migrated – export them from the old system for retention if your policy or regulator requires it.
  • HSM-held keys may not carry across cleanly – the HSM provider may not have the tools to edit PKCS#11 (P11) key attributes that your new vendor requires, so check key portability before you commit to keeping the existing keys.
  • When starting from scratch, allow time to install the new root and issuing Certificate Authority (CA) certificates on all endpoints.

PKI migrations can be challenging. Some of the hurdles you may face along the way include:

  • Compatibility issues: Ensure your existing systems and applications are compatible with the new PKI environment, and allow time to implement new solutions if they aren’t.
  • Chain of trust: Ensure the chain of trust isn’t broken at any point, so that sensitive data stays protected throughout the migration.
  • User training: Most errors are caused by human error. Ensure everyone who operates the new PKI environment is adequately trained.
  • Change management: Put clear communication protocols in place to manage the impact of the migration on your company’s operations.

Seamless PKI migrations with Ascertia

There is no single right PKI migration approach. A migration is a complex undertaking for any organisation, but it is essential for maintaining a secure and efficient IT infrastructure. We are a digital identity and access management (IAM) provider offering several solutions to help organisations with their PKI migrations.

Ascertia’s ADSS Server is a modular trust services platform that has all the features needed to build a complete PKI. It is Common Criteria-certified using the latest protection profile for a Certification Authority. This means it has been independently evaluated, laboratory tested and certified that it meets the requirements laid out in the protection profile.

From planning and preparation to expert advice, guidance, tools, and services, we strive to make PKI migrations less of a headache for all involved and aim to address any potential risks or issues before they arise.

Is your organisation considering a PKI migration? Contact our team to discuss your business’s unique requirements.