CA Migration to AVX Native PKI

CA migration to AVX PKI provides a guided, resumable, and structured migration experience for organizations transitioning their Certificate Authorities to AppViewX Native PKI (PQC-ready). It serves as a dedicated entry point for all CA migration workflows, whether migrating from AppViewX Standard CA (GCP-backed) or Microsoft Certificate Authority (MSCA/ADCS). It displays migration options based on customer type and enforces a single active migration at a time.

The migration enables organizations to adopt a more secure, modern platform that is Post-Quantum Cryptography (PQC) ready and aligned with evolving security and compliance requirements, ensuring that all certificate enrollment is routed through the AppViewX Enrollment Server with no client-side changes required. For ADCS migrations, the process includes pre-validation and permission checks, discovery of active MSCA instances, CA mapping, and creation of equivalent certificate templates in AppViewX, with key attributes such as EKU and KU preserved. The entire workflow features real-time progress tracking, validation checkpoints, and rollback guidance, with a step-by-step interface that allows users to resume from the last completed step.

Important: Only authorized users can perform migration operations. Unauthorized users cannot view the page, access the menu item, or perform any migration actions.

Prerequisites

Before starting the migration, ensure the following prerequisites are met:
  • CA policy must have only issuer-based configuration.
  • RBAC configuration for PKI must be reconfigured.
  • There must be no custodian or CA in the in-progress state.
  • For on-premise deployments, the required settings must be configured. See Settings.
  • You must have the CA Migration ACF permission assigned to your role.

Navigate to CA Migration

Note: This is visible only to users with the CA Migration ACF permission.
To navigate to the CA Migration page:
  1. Go to Menu and select PKI.
  2. Select CA Migration.
    The CA Migration page is displayed.
  3. Select the migration type based on your source CA.
  4. Follow the step-by-step migration wizard to complete the migration.
    The wizard supports resuming from the last completed step if the migration is interrupted.

ACF Permissions Required

Access to CA Migration is controlled by a dedicated Access Control Feature (ACF). The following table describes what each permission level allows.
Permission    Description
View          Users can view and access the CA Migration page.
Add/Modify    Users can start, resume, and manage CA migration workflows.
Note: Enabling CA Migration Add/Modify permissions also automatically enables Resource Add/Modify permissions.
Note: To enable ACF permissions for CA Migration, go to Platform > Identity > Role > Authorized Functions. Under All functions, expand PKI > CA Migration (ACF Settings) and select the required permissions. For more information on creating roles, click here.