One of the more recent trends I have seen at Keyfactor are clients coming to us looking for guidance on how to sunset their existing public key infrastructure (PKI) management suite for an improved solution. From mediocre support to outages in production, these clients often have operational hurdles with their existing PKI management vendors that are difficult to overcome. But while moving from one system to the next may seem like a daunting task, it should not be an excuse to tolerate anything less than a perfect solution for your organization.
I’ve observed this hesitation time and time again while consulting for a wide array of clients. We as practitioners know that PKI solutions are not trivial, and it is understandably difficult to budget for the unknown. But the reality is that, in practice, there is far less friction than people expect.
The step-by-step blueprint laid out below is designed to show migration simplicity. This will make it easier for you and your PKI team to present the plan to those from whom you need approvals and/or financial support.
Project Scope
All PKI management systems can be distilled down into three essential components:
- A database
- Data that populate the database
- Things that do important jobs outside the database
That’s it.
In PKI, as with anything else, DATA IS KING. And successful scalable solutions all stem from effective data management. The main questions that drive a migration to a new solution should be:
- How do I migrate all of my data?
- How does my existing infrastructure populate data?
- How do I enable parity with my existing solution (and surpass it)?
While delving into the intricate details of a PKI migration might make for some excellent bedtime reading, we’ll stick with a high-level overview for this blog. (If you really want to get into the weeds, open up that chat box at the bottom of this page to get a conversation started.)
1. Migrate Data to a New PKI Management Solution
Q: How do I migrate all of my data?
A: With scripting and bulk operations.
We assist clients in leveraging APIs to perform bulk data migrations. While that sounds relatively straightforward, getting technical support from some of these third-party vendors is nearly impossible. As a personal anecdote, I remember being onsite with a large healthcare company during their migration. Their PKI team was so frustrated with their vendor’s lackluster API support efforts that they faked an outage in their prod environment … seriously.
Once the data has been extracted from your existing solution, the remaining work consists of bulk import jobs that load the digital certificates, private keys, and metadata into Keyfactor’s database.
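To make the "scripting and bulk operations" answer concrete, here is an added example (not Keyfactor's code, and not tied to any vendor's API) of the shape such a migration script usually takes: normalise the records exported from the legacy system, de-duplicate them by certificate thumbprint, flag anything expired or unparseable, and hand the rest to the target API in fixed-size batches. The record layout, the `import_batch` callback, and the sample records are all assumptions constructed for the example; the PEM bodies wrap placeholder bytes and are not real X.509 certificates.

```python
"""Bulk certificate migration pipeline (added example, not Keyfactor's code).

Assumed layout (constructed for this example): the legacy system exports a
list of dicts with an id, a subject, an ISO-8601 `not_after` date, a PEM
certificate and optional metadata. `import_batch` stands in for the target
system's bulk-import API call and returns the number of records it accepted.
"""
import base64
import hashlib
from datetime import datetime, timezone

BATCH_SIZE = 2  # kept tiny so the batching is visible; real APIs allow far more


def _pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes (raises on bad base64)."""
    body = "".join(
        line.strip() for line in pem.strip().splitlines()
        if not line.startswith("-----")
    )
    return base64.b64decode(body, validate=True)


def fingerprint(pem: str) -> str:
    """SHA-256 thumbprint of the DER encoding: the usual de-duplication key."""
    return hashlib.sha256(_pem_to_der(pem)).hexdigest()


def prepare(records, now):
    """Normalise exported records.

    Returns (to_import, skipped); skipped maps thumbprint (or record id when
    the PEM could not be parsed) to the reason the record was dropped.
    """
    seen = set()
    to_import, skipped = [], {}
    for rec in records:
        try:
            fp = fingerprint(rec["pem"])
            not_after = datetime.fromisoformat(rec["not_after"])
        except (KeyError, ValueError) as exc:  # binascii.Error is a ValueError
            skipped[rec.get("id", "?")] = f"unparseable: {exc}"
            continue
        if fp in seen:
            skipped[fp] = "duplicate"  # legacy exports often repeat rows
            continue
        seen.add(fp)
        if not_after <= now:
            skipped[fp] = "expired"  # no point importing dead certificates
            continue
        to_import.append({
            "thumbprint": fp,
            "subject": rec["subject"],
            "not_after": rec["not_after"],
            "metadata": rec.get("metadata", {}),
            "pem": rec["pem"],
        })
    return to_import, skipped


def batches(items, size=BATCH_SIZE):
    """Yield successive fixed-size slices of items."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def migrate(records, now, import_batch):
    """Run prepare() and push the survivors through import_batch in batches."""
    to_import, skipped = prepare(records, now)
    imported, n_batches = 0, 0
    for batch in batches(to_import):
        imported += import_batch(batch)
        n_batches += 1
    return {"imported": imported, "batches": n_batches, "skipped": skipped}


def _fake_pem(seed: bytes) -> str:
    """Placeholder PEM around arbitrary bytes; NOT a real certificate."""
    b64 = base64.b64encode(seed).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample export: one duplicate, one expired, one corrupt row.
SAMPLE_RECORDS = [
    {"id": "a1", "subject": "CN=app1.example.test", "not_after": "2030-01-01T00:00:00+00:00",
     "pem": _fake_pem(b"cert-one"), "metadata": {"owner": "team-a"}},
    {"id": "a2", "subject": "CN=app2.example.test", "not_after": "2030-06-01T00:00:00+00:00",
     "pem": _fake_pem(b"cert-two")},
    {"id": "a3", "subject": "CN=app1.example.test", "not_after": "2030-01-01T00:00:00+00:00",
     "pem": _fake_pem(b"cert-one")},  # same certificate exported twice
    {"id": "a4", "subject": "CN=old.example.test", "not_after": "2020-01-01T00:00:00+00:00",
     "pem": _fake_pem(b"cert-old")},  # expired
    {"id": "a5", "subject": "CN=bad.example.test", "not_after": "2030-01-01T00:00:00+00:00",
     "pem": "-----BEGIN CERTIFICATE-----\n!!not base64!!\n-----END CERTIFICATE-----"},
    {"id": "a6", "subject": "CN=app3.example.test", "not_after": "2031-01-01T00:00:00+00:00",
     "pem": _fake_pem(b"cert-three")},
]


if __name__ == "__main__":
    summary = migrate(SAMPLE_RECORDS, datetime(2025, 1, 1, tzinfo=timezone.utc),
                      lambda batch: len(batch))
    print(summary)
```

Injecting `now` and the `import_batch` callback keeps the pipeline testable offline; in a real run the callback wraps the vendor's bulk endpoint (with its own retry and rate-limit handling), and the `skipped` map is the report you hand back to the certificate owners before the legacy system is switched off.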
Despite any API challenges, the work gets done, and our clients are incredibly satisfied with the process and, of course, the end result.
2. Inventory and Manage Existing Certificates in the New PKI
Q: How does my existing infrastructure populate data?
A: With agents and gateways.
With these components deployed in your existing PKI infrastructure, you will be able to effectively inventory and manage certificates per your firm’s priorities. Another option is to migrate to a cloud-hosted solution. This still allows the integration of your existing hardware while giving you a new, squeaky-clean PKI in the cloud.
3. Create Parity from One PKI Solution to the Next
Q: How do I enable parity with my existing solution (and surpass it)?
A: By working with superior technology and the right people.
When deploying the Keyfactor suite to displace existing vendor software, we have accommodated various change-order and contractual timeline considerations. Based on the feedback we receive from clients who have made the switch, working with our people and systems matched and then surpassed what their previous solutions provided. And the cost savings tend to speak for themselves.
Once you get to this step, congratulations are in order! The hard part is over and you’re the hero. Now the fun task of optimizing your PKI operations and business successes can begin.