Whether you are changing Certificate Authority or Public Key Infrastructure (PKI) technology, migrating your certificates is a complex process that needs careful planning. It is imperative that the applications using your certificates continue to function without interruption and that your data is protected throughout the migration.
Using a Certificate Lifecycle Management (CLM) solution makes all the difference in simplifying your PKI deployment project. In this article, we explain the 3 steps to follow to migrate a PKI and why CLM is essential.
STEP 1: Make a complete inventory of your certificate installed base: the basis for a successful migration
Taking stock of your information system is an obligatory step in order to successfully complete your project. It allows you to:
– Have all your certificates in a single inventory,
– Know all the types of certificates used,
– Know where they are deployed,
– Prepare for change.
Without this inventory, certificates will be overlooked, certificate templates will be missing, and new certificates will not be deployed everywhere.
If you do not have CLM, you will need to consult all the teams involved in the management and use of digital certificates to find out about your entire installed base as well as your existing PKI. This step is very long and costly, and it will produce an erroneous result because it is incomplete.
However, if you are equipped with CLM, you will have an accurate and complete inventory, updated in real time and available through a simple, accessible and user-friendly web interface.
STEP 2: Evaluate the best technology
If you are changing PKI software, this complete inventory gives you all the technical elements necessary to choose the best solution for your context.
In addition, with CLM, the requirements for the PKI software solution are reduced because some of the PKI functions are handled by the CLM. This reduces the cost of acquiring the PKI solution and eliminates the costs associated with change management for your users.
STEP 3: Proceed with the migration
Once you have chosen the new PKI and created your new hierarchy, you can migrate your certificates to it. To do this, we proceed in 2 phases:
1. Switch new requests to the new process
Using CLM, this is simply a configuration change. Without a CLM solution, you will have to train your users on the new certificate request and revocation processes on your new PKI, with the associated human costs.
2. Renew old certificates on the new hierarchy
You have two possible strategies: renew at maturity (when the certificate expires) or before maturity:
- When you renew at maturity, you will need to maintain two PKI systems for several years, including allowing revocations on the old PKI.
Without a CLM solution, users will have to use both PKI systems depending on the certificate to be managed. With CLM, this complexity is masked by the use of a unified management interface.
- When you renew early, without a CLM solution, it will take several months to migrate your installed base. In contrast, with CLM, the migration is completed in a few days by scheduling operations every night.
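The two renewal strategies above can be compared directly from the STEP 1 inventory. The following is an added example, not part of the original article and not BerryCert code: the inventory field names, issuer names, hosts, dates and nightly batch size are all constructed assumptions.

```python
from datetime import date, timedelta

OLD_CA = "CN=Legacy Issuing CA"  # hypothetical issuer name of the PKI being retired
TODAY = date(2025, 10, 1)        # constructed planning date

# Constructed inventory rows, as a STEP 1 export might provide them.
INVENTORY = [
    {"subject": "CN=www.example.test", "issuer": OLD_CA, "not_after": date(2026, 3, 1), "host": "web01"},
    {"subject": "CN=api.example.test", "issuer": OLD_CA, "not_after": date(2027, 9, 15), "host": "api01"},
    {"subject": "CN=vpn.example.test", "issuer": OLD_CA, "not_after": date(2025, 11, 20), "host": "vpn01"},
    {"subject": "CN=mail.example.test", "issuer": "CN=New Issuing CA", "not_after": date(2027, 1, 10), "host": "mx01"},
    {"subject": "CN=ldap.example.test", "issuer": OLD_CA, "not_after": date(2026, 6, 30), "host": "dc01"},
]


def legacy_certs(inventory, today):
    """Unexpired certificates still issued by the old hierarchy, soonest expiry first."""
    old = [c for c in inventory if c["issuer"] == OLD_CA and c["not_after"] >= today]
    return sorted(old, key=lambda c: c["not_after"])


def plan_at_maturity(inventory, today):
    """Renew each certificate on its expiry date. The old PKI must stay up
    (revocations included) until the last legacy certificate has expired."""
    old = legacy_certs(inventory, today)
    return {
        "renewals": [(c["not_after"], c["subject"], c["host"]) for c in old],
        "old_pki_needed_until": old[-1]["not_after"] if old else today,
    }


def plan_early(inventory, today, per_night):
    """Renew legacy certificates in nightly batches, most urgent first."""
    old = legacy_certs(inventory, today)
    batches = [old[i:i + per_night] for i in range(0, len(old), per_night)]
    renewals = [(today + timedelta(days=night), c["subject"], c["host"])
                for night, batch in enumerate(batches) for c in batch]
    return {"renewals": renewals, "completed_on": renewals[-1][0] if renewals else today}


if __name__ == "__main__":
    slow = plan_at_maturity(INVENTORY, TODAY)
    fast = plan_early(INVENTORY, TODAY, per_night=2)
    print("at maturity: old PKI needed until", slow["old_pki_needed_until"])
    print("early: last nightly batch on", fast["completed_on"])
    for when, subject, host in fast["renewals"]:
        print("   ", when, subject, "on", host)
```

On the constructed data, renewing at maturity keeps the old hierarchy in service until the longest-lived legacy certificate expires, while nightly batches of two finish the same four certificates in two nights.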
A solution such as BerryCert saves you time and improves efficiency at each step of your PKI migration project, and considerably reduces the deployment cost.