# Migration to emCA (Private PKI)

Organizations migrate to **emCA** when they need to modernize or consolidate their private PKI infrastructure. This may involve replacing legacy CAs, restructuring trust hierarchies, or introducing centralized governance across business units.

### Common Migration Drivers

• Legacy CA infrastructure nearing end-of-life\
• Multiple decentralized private CAs without unified governance\
• Inconsistent certificate templates and policies\
• Manual issuance and renewal processes\
• Compliance requirements for key management and audit logging\
• Need for integration with automated provisioning workflows

### Typical emCA Migration Scenarios

#### 1. Legacy Microsoft AD CS to emCA

Organizations running AD CS may migrate to emCA to achieve:

• Better lifecycle automation\
• Multi-tenant or multi-environment segregation\
• API-driven certificate issuance\
• Advanced reporting and audit capabilities

**Migration Steps:**

• Discover all certificates issued by AD CS using CERTInext Discovery\
• Identify active templates and key usage policies\
• Define equivalent certificate profiles in emCA\
• Configure emCA Connector in CERTInext\
• Reissue certificates during renewal cycles under emCA\
• Gradually retire legacy CA infrastructure

This phased renewal approach avoids mass certificate replacement.

#### 2. Consolidation of Multiple Private CAs

Large enterprises may operate multiple CAs across:

• Different regions\
• Separate subsidiaries\
• Business units\
• Development vs Production environments

**Migration Objective:**

• Build a centralized Root and Intermediate hierarchy in emCA\
• Standardize policies across the organization\
• Maintain trust continuity

**Migration Approach:**

• Map existing trust chains\
• Recreate issuing CA structure within emCA\
• Reissue intermediate certificates where required\
• Align certificate validity periods and cryptographic strength\
• Implement centralized governance through CERTInext

#### 3. Key Security Upgrade Migration

Organizations can use emCA migration as a cryptographic modernization initiative when upgrading from:

• SHA-1 to SHA-256\
• 2048-bit RSA to 3072/4096-bit RSA\
• RSA to ECC

**Process:**

• Define new certificate templates\
• Configure updated key profiles\
• Perform phased rekey + reissue\
• Enforce compliance through policy controls

### emCA Migration Methodology

#### Phase 1 – Assessment

• Full certificate discovery\
• Template and key algorithm analysis\
• Trust chain mapping\
• Expiry and renewal risk evaluation
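
As an added illustration of the key algorithm analysis and expiry risk evaluation in this phase (not emCA or CERTInext code), the following Python example triages a constructed certificate inventory into renewal waves and flags certificates that fall short of the target key profile. The CSV column names, the day thresholds, the 3072-bit RSA floor, and the `early_rekey` bucket are assumptions made for the example.

```python
import csv
import io
from datetime import date

# Constructed inventory export. Column names are assumptions, not a CERTInext format.
INVENTORY_CSV = """subject,issuer,sig_alg,key_alg,key_bits,not_after
web01.corp.example,Legacy-AD-CS-Issuing,sha1WithRSAEncryption,RSA,2048,2025-03-01
api.corp.example,Legacy-AD-CS-Issuing,sha256WithRSAEncryption,RSA,2048,2025-02-10
vpn.corp.example,Legacy-AD-CS-Issuing,sha256WithRSAEncryption,RSA,4096,2026-01-15
iot-gw.corp.example,Regional-CA-EU,ecdsa-with-SHA256,EC,256,2025-06-30
old-app.corp.example,Regional-CA-EU,sha1WithRSAEncryption,RSA,1024,2024-12-20
legacy-erp.corp.example,Legacy-AD-CS-Issuing,sha1WithRSAEncryption,RSA,2048,2026-08-01
"""

def crypto_findings(row, min_rsa_bits=3072):
    """List the reasons a certificate falls short of the target key profile."""
    findings = []
    if "sha1" in row["sig_alg"].lower():
        findings.append("SHA-1 signature")
    if row["key_alg"] == "RSA" and int(row["key_bits"]) < min_rsa_bits:
        findings.append(f"RSA {row['key_bits']} below {min_rsa_bits}")
    return findings

def plan_waves(csv_text, today, urgent_days=30, wave_days=90):
    """Bucket certificates by days to expiry and attach crypto findings."""
    plan = {k: [] for k in ("expired", "urgent", "next_window", "early_rekey", "later")}
    for row in csv.DictReader(io.StringIO(csv_text)):
        days_left = (date.fromisoformat(row["not_after"]) - today).days
        findings = crypto_findings(row)
        if days_left < 0:
            bucket = "expired"        # already failing validation, reissue first
        elif days_left <= urgent_days:
            bucket = "urgent"
        elif days_left <= wave_days:
            bucket = "next_window"
        elif findings:
            bucket = "early_rekey"    # weak crypto would otherwise persist until expiry
        else:
            bucket = "later"
        plan[bucket].append((row["subject"], days_left, findings))
    for entries in plan.values():
        entries.sort(key=lambda e: e[1])
    return plan

if __name__ == "__main__":
    for bucket, entries in plan_waves(INVENTORY_CSV, date(2025, 1, 15)).items():
        for subject, days_left, findings in entries:
            print(f"{bucket:12} {subject:26} {days_left:5}d  {', '.join(findings) or 'ok'}")
```

The `early_rekey` bucket highlights a side effect of renewal-window migration: a certificate with a weak signature or key and a distant expiry stays in service unless it is rekeyed ahead of schedule.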

#### Phase 2 – Design

• Define Root and Intermediate hierarchy\
• Create certificate profiles\
• Configure issuance policies\
• Establish CRL/OCSP endpoints

#### Phase 3 – Implementation

• Configure emCA Connector\
• Test issuance and renewal\
• Validate provisioning automation\
• Run pilot migration

#### Phase 4 – Controlled Rollout

• Migrate certificates during renewal windows\
• Monitor validation and trust continuity\
• Decommission legacy CA gradually

#### Phase 5 – Optimization

• Enable automated renewal scheduling\
• Implement vulnerability scanning\
• Enforce key rotation policies

### Key Migration Considerations

• Trust chain continuity\
• Cross-signing if required\
• Application compatibility\
• HSM key storage alignment\
• Revocation infrastructure readiness\
• Compliance logging

