March 9, 2021

Blog postEJBCA EnterprisePKI migration

Consolidation leading to a future-proof PKI

PKI Migration

A typical enterprise PKI grows over time, with shifts in business needs and added use cases. The result is often a heterogeneous environment with inconsistent security policies, where the costs associated with maintaining security and administration grows. Moreover, older PKI solutions may have limitations for the business model or functionally that make them unfit to support current needs and regulatory requirements. At PrimeKey, we see the need for PKI migration and consolidation happening more and more with our customers, as old and new use cases get digitalized. However, the stakes can be high when migrating or consolidating an enterprise PKI. It is imperative that current solutions enabled by existing certificate services continue working with limited interruption, that the migration project manage existing interfaces and integrations to external systems, and that the robustness of the infrastructure is maintained – or improved – with the migration.

Roman Cinkais, founder and CEO at our partner 3Key Company, explains in this guest blog post how they believe that consolidation may lead to a future-proof PKI. 3Key Company has developed a PKI maturity model that is used to assess the current situation and for planning ahead. Roman also talks about two main approaches when doing a migration and gives you the key to a successful migration in 5 general steps.

Building and operating a public key infrastructure is a long-term commitment. Many of us working in this specific area of information security and trust understand the importance of processes and procedures of establishing the certification authority with all related services. However, the reality is usually different. People tend to quickly build the PKI when needed, only planning short-term for the situation at hand and forgetting about the long-term use case and architecture. After a time, they often find that there is a need to change their PKI set up. Whether they need to support multiple use cases, provide a validation interface, or simply outsource the solution due to lack of knowledge or personnel. Typical reasons to start thinking about changing your PKI solution:

  • insufficient initial planning leading to non-compliant setup
  • lack of knowledge during building of the infrastructure, which cannot be reverted
  • technology is advancing, need to support new interfaces and features
  • technology can be deprecated
  • price factors, like license model change of the technology or service
  • ease of operation and administration
  • different lifecycle and end of support of PKI components (usually less than the validity of certification authorities)
  • avoidance of vendor-lock

All of that leads to one question: Do I have a good PKI? How do I know that? What changes are needed? How do I achieve it? If you are asking these questions, you are on the way to assess your PKI environment maturity and prepare a migration plan to consolidate certification authorities.

Prepare for consolidation with PKI maturity assessment

3Key Company has developed a PKI maturity model that can be adopted by companies in order to understand the current level of capabilities and performance of their PKI. PKI maturity assessment helps to get the overall idea about the state of your PKI, and what should be done in order to improve the trusted services provided by the PKI. It also serves as a basis for maturity comparison with other organizations. The maturity model consists of several categories which are directly associated with the PKI and covers all aspects and activities (people, processes, technology). Based on the maturity model parts, the overall maturity level is determined as a single value representing the current state of capabilities and performance.


Maturity level Short description
Initial Unpredictable process with poor control and always reactive
Basic Process is characterized by each particular case or project and controls are often reactive
Advanced Process is characterized by organizational standards and controls are proactive
Managed Processes are measured and controlled; a proactive approach is taken
Optimized Continuous improvement of the processes and procedures, proactive approach for future technology improvement


To find your maturity level is the first step in the PKI consolidation. Based on the results from the PKI maturity assessment, you can plan desired changes and migration.

Migration to achieve the consolidation of the PKI

Migration can be a complex process that requires in-depth knowledge of PKI and careful planning. In most cases, we are working with a critical infrastructure that contains sensitive data such as cryptographic keys. The migration process is, therefore, an important step, but it is also often demanded. Due to the complexity and different technologies, the whole migration process typically takes 1-2 years and requires the cooperation of different teams. New technologies and processes entail additional costs, so the sooner the migration process is completed, the more costs you save. 5 general steps to successful migration:

  1. Perform a test migration to validate the process and identify possible issues such as non-supported certificate contents, non-compliances and non-exportable materials.
  2. Setup the infrastructure. It includes the installation and configuration of the solution, configuration of HSMs, and other technology specific attributes.
  3. Migrate cryptographic keys and certification authorities. Revocation information should be also transferred for each service.
  4. Migrate certificates. As the old and new infrastructure will be running in parallel, delta migration process should be adopted until the old infrastructure is decommissioned.
  5. Post configuration and validation.

There are 2 different approaches to perform the migration and you should decide which is right for you before the migration process:

  • Certificate migration
    • Building a completely new PKI, with new certification authorities and private keys, which needs to establish a new trust
    • New certificates are issued from new PKI, and their older version is revoked and decommissioned on old PKI


Certificate migration


  • PKI migration
    • Keeping the PKI, with the current certification authorities and private keys
    • Migrating to consolidated technology


PKI migration


Have you come to a situation where business objectives or security considerations are at stake due to heterogeneous and hard-to-maintain PKI infrastructures? If so, then now is the time to take control and to realize that building and operating a public key infrastructure is a long-term commitment, and to understand the importance of processes and procedures for establishing the trusted certification authorities for your services today and tomorrow.  There are many oversimplified migration guides, that are simple next-next-finish that are extremely misleading. Any serious PKI migration or consolidation project needs careful planning and expertise whether it is to a new on-premises solution or to a managed service.   

Migrating from Microsoft Active Directory services

In an upcoming blog post, we will look into how a migration from Microsoft Active Directory Services to PrimeKey EJBCA could be planned and executed.

Stay tuned! Learn more about 3Key Company, a PrimeKey partner: 3Key Company website

For more information: Read more about PKI Migration