Migrating from MS ADCS to AVX Native CA

The ADCS Migration utility provides a guided and structured workflow to migrate Microsoft Certificate Authority (MSCA/ADCS) configurations to AppViewX Native PKI. The process begins with pre-validation and permission checks, followed by discovery of active MSCA instances. Administrators can then select a source CA and map it to a corresponding AppViewX PKI CA. The system retrieves AD-published certificate templates, extracts key attributes such as EKU and KU, and creates equivalent templates in AppViewX. The entire workflow is designed to be secure, auditable, and resilient, with clear progress tracking, validation checkpoints, and rollback guidance.
Note: Migrating from MS ADCS to AppViewX Native CA is not supported in a Managed Kubernetes environment. To perform this migration, use an AppViewX deployment that is not running in Managed Kubernetes.

Network Prerequisite: Communication

  • Port 135, TCP, Inbound/Outbound, from the Autoenrollment Server Machine to all Windows machines in the domain: RPC Endpoint Mapper
  • Ports 49152–65535, TCP, Inbound/Outbound, from the Autoenrollment Server Machine to all Windows machines in the domain: RPC Dynamic Ports
  • Port 30020 / 31443 / custom LB port, TCP, Outbound, from the Autoenrollment Server Machine to CC / AppViewX / Load Balancer: Communication with AppViewX
  • Port 3268 / custom Global Catalog port, TCP, Inbound, from CC / AppViewX to Active Directory (AD): Fetch SAN / certificate details

Migration Overview

Migrate the existing Certificate Authority (CA) to AppViewX Native PKI without impacting other applications or endpoints. This guided flow helps create a parallel AppViewX CA, route enrollment seamlessly, and complete the migration with full visibility and control.

To start the migration,

  1. Go to Menu > PKI > CA Migration.
    The Migration Overview page is displayed.
  2. Select MSCA (ADCS).
    Note: This option is currently enabled only for migration of MSCA (ADCS). The AppViewX Standard CA and EJBCA options are disabled.
  3. Click Continue.

Download Windows Gateway

Windows Gateway acts as a secure communication bridge between AppViewX and Windows endpoints. As part of the guided migration process, first download and deploy the Windows Gateway. Provide the required configuration details to download the package, including the target datacenter, Windows hostname (FQDN), client certificate (PFX/P12), and the authentication method or credentials configured in AppViewX. Follow the steps below.
Note: Enterprise Admin and Domain Admin permissions are required to proceed with the migration.

Steps:

  1. Click Download Gateway to download the Windows Gateway package to the local machine. (Download and install the package before validating the connection.)
  2. Enter the fields as follows (* marks a mandatory field):
    Gateway Setup
    • Migration Name: Enter a user-friendly name (maximum 16 characters) to identify the migration. This name is used in the WAEP agent configuration and in template creation within AppViewX.
      Note:
      • The migration name specified here is used as a suffix when creating the AppViewX equivalent template.
      • The new WAEP agent settings are also created with the same migration name.
    Server Configuration
    • *Select Data Center: Select the desired data center to establish the connection.
    • *Hostname: Enter the hostname or FQDN where the Windows Gateway will be installed. Provide a fully qualified domain name only.
    • *Port: Enter the port number on which the Windows Gateway service listens. The default port is 8999, but a custom port can be provided if needed.
    Authentication Credentials
    • *Authentication: Select the authentication type to access the Windows Gateway machine:
      • Manual
      • Credential List - AppViewX
    • *Username: Enabled when Authentication = Manual. Enter the username of the Windows Gateway machine.
    • *Password: Enabled when Authentication = Manual. Enter the password of the Windows Gateway machine.
    • *Credential List: Enabled when Authentication = Credential List. Select the desired preconfigured credential list from the available options.
    Certificate Configuration
    • Client Authentication Certificate: Upload the client authentication certificate that is used to authenticate with the Windows Gateway endpoint. Click Upload to select the certificate. Only .p12 or .pfx certificates are allowed. You will be prompted to enter the password for the certificate in the Authentication Details popup.
      Note: (Optional) Click Remove Certificates to change the uploaded certificate. This option is displayed above the Save Configuration button only after the certificate is uploaded.
    *: Mandatory fields
  3. Click Update and Validate.
    A connection established message is displayed if the Windows Gateway is found to be up and running. The Continue button is then enabled.
  4. Click Continue.
    The Validate Environment screen is displayed.

Validate Environment

The migration utility performs an extensive pre-requisite validation. This step ensures the following:

(A) Active Directory / MSCA Side

The system verifies that the user running the utility has the required permissions to:

  • Fetch Active Directory details (name or IP address)
  • Confirm that the logged-in user has Enterprise Admin privileges
  • Validate connectivity from the Windows Gateway to Active Directory over ports 88 and 389

(B) AppViewX PKI Side

The system verifies that the migration utility has:

  • Permission to create new templates
  • Permission to read and validate CA configurations

If any required permission is missing, the system blocks the migration and displays clear, actionable error messages indicating the missing permission and the steps to resolve it (e.g., updating AD group membership or assigning roles in AppViewX).

The system allows migration to proceed only after successful validation.

The following validation checks are displayed in the UI with a status of either Granted or Failed.

Environment validation

  • Retrieve domain name, domain controller, and network details from Active Directory
  • Verify network connectivity to domain controller on port 88 (Kerberos) and port 389 (LDAP)
  • Verify membership in Domain Admins security group for domain-level management operations
  • Verify membership in Enterprise Admins security group for forest-level Certificate Authority operations
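
As an added pre-flight check (not part of the AppViewX utility), the following PowerShell script reproduces the environment validation above from the Windows Gateway host: port reachability to the domain controller and to AppViewX, and membership in Domain Admins and Enterprise Admins. The AppViewX host name and the ports are placeholders to replace with your own values.

```powershell
# Added pre-flight check, not part of the AppViewX utility. Run it on the
# Windows Gateway host as the account that will drive the migration.
$AppViewXHost = 'appviewx.example.internal'   # placeholder: your CC / AppViewX / LB host
$AppViewXPort = 31443                          # 31443 on-prem, 30020 SaaS, or the custom LB port
$GatewayPort  = 8999                           # default Windows Gateway listener

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dc     = $domain.FindDomainController().Name

function Test-Port($Target, $Port, $Purpose) {
    $ok = Test-NetConnection -ComputerName $Target -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = "$Purpose ($Target`:$Port)"; Status = if ($ok) { 'Granted' } else { 'Failed' } }
}

# Group membership comes from the current logon token.
# RID 512 = Domain Admins, RID 519 = Enterprise Admins (forest root domain SID).
$sids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
function Test-Rid($Rid, $Name) {
    $ok = $sids | Where-Object { $_ -match "^S-1-5-21-.*-$Rid$" }
    [pscustomobject]@{ Check = "Member of $Name"; Status = if ($ok) { 'Granted' } else { 'Failed' } }
}

$results = @(
    Test-Port $dc 88  'Kerberos to domain controller'
    Test-Port $dc 389 'LDAP to domain controller'
    Test-Port $AppViewXHost $AppViewXPort 'Outbound to AppViewX'
    Test-Port localhost $GatewayPort 'Windows Gateway listener (fails until the gateway is installed)'
    Test-Rid 512 'Domain Admins'
    Test-Rid 519 'Enterprise Admins'
)
$results | Format-Table -AutoSize
if ($results.Status -contains 'Failed') {
    Write-Warning 'Resolve the Failed checks before starting the ADCS migration.'
}
```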

AppViewX Validation

  • Create, modify, and manage Certificate Authorities in PKI-as-a-Service
  • Download AppViewX Enrollment Server
  • Create and manage service accounts for automation and integration
  • Create and manage PKI certificate templates for automated enrolment
  • Configure LDAP and Active Directory authentication settings
  • Configure and manage Windows Auto-Enrollment Protocol agent settings
  • View and access cloud connector configurations (only for SaaS – Cloud Connector)

Steps:

After all the validation checks are successfully completed, click Continue.
The Map Auto-enrollment CA page is displayed.

Map Auto-enrollment CAs

In this section, users can
  • Choose the Migration Strategy
  • Perform the CA Selection
  • Map and Migrate CAs

Migration Strategy

The user must select one of the two available migration strategies to proceed; the system allows only one selection at a time and blocks further steps until a strategy is chosen. The migration strategy cannot be changed until migration is completed.
  • Option 1 - Migrate Root CA to AppViewX - Full CA hierarchy migration. The selected Root CA and the subordinate CA are recreated in the AppViewX PKI.
    1. Recreates the Root CA in AppViewX PKI.
    2. Migrates all Subordinate CAs together.
    3. Selectively migrates Subordinate CAs; the system does not migrate unselected CAs.
  • Option 2 - Keep Root CA in ADCS and Migrate Subordinate CAs - Migrate only selected Subordinate CAs.
    1. Root CA remains in Microsoft.
    2. Migrates all selected Subordinate CAs together.
    3. AppViewX PKI acts as the Issuing CA only.

Steps:

Select Migrate Root CA to AppViewX or Keep Root CA as Microsoft.

CA Selection

This step selects the CAs to migrate. It includes:
  • CA Discovery
    • Starts automatically after a migration strategy is selected.
    • Discovers all Root CAs in the current AD domain and forest.
    • Discovers all Subordinate CAs under each Root CA.

Steps:

  1. If you selected Migrate Root CA to AppViewX in the CA Selection screen, then select the appropriate Root CA and Subordinate CAs.
    OR

    If you selected Keep Root CA as Microsoft in the CA Selection screen, then select the Subordinate CAs.

  2. Click Continue.
    The Map and Migrate page is displayed.

Map and Migrate

This step is used to map Microsoft CAs to the AppViewX PKI CA that will issue certificates. On the mapping screen, each ADCS CA (Root or Subordinate) is displayed as a source CA. Against each source CA, a dropdown is presented containing:
  • Existing AppViewX PKI CAs of the appropriate type (Root or Subordinate), or
  • An option to Create New PKI CA if no suitable CA exists.

Selecting Create New PKI CA redirects the user to the Create AppViewX PKI CA page and, once completed, returns the user to the mapping flow with the newly created CA available for selection.

For existing ADCS Root and Sub CAs, only AppViewX PKI Root CAs and AppViewX PKI Subordinate CAs are shown respectively. When migrating Root and Subordinate CAs together, the UI maintains hierarchy awareness: once the Root CA is mapped, existing Sub CAs under that AppViewX Root are shown preferentially. Subordinate CA mapping respects the selected Root CA hierarchy.

Steps:

  1. Select the appropriate AppViewX PKI Root CA and Subordinate CA from the dropdown on the right side of the page for the corresponding Microsoft CAs on the left.
  2. (Optional) If there are no AppViewX PKI CAs displayed in the dropdown, then click Create New PKI CA and add the CA details.
    Note: After creating the CA, go back to the Map & Migrate page and click the Refresh icon next to the dropdown field to display the newly created CA in it.
  3. Click Continue.
    The Review Template page is displayed.

Review Templates

After the Microsoft Certificate Authorities are mapped to AppViewX Native PKI CAs, template duplication and discovery of the certificate templates published in Active Directory are initiated. Every template is cloned in the domain with the prefix AVX_PKI, and the new templates are then discovered from AD. The discovery is CA agnostic: it is not restricted to templates bound to a specific CA.

During discovery, the templates marked for auto-enrollment are detected and are badged for easy identification. After retrieval, a consolidated list of templates is displayed with the following attributes:

  • Name (MS template name prefixed with AVX_PKI)
  • OID (Object Identifier)
  • (Certificate) Validity Period
  • Renewal Period
  • Key Length
  • EKU (Extended Key Usage)

Users are allowed to choose one or more templates from the list for subsequent migration steps.
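
To confirm what the Review Templates page will show, the following PowerShell script (added here, not part of the AppViewX utility) queries the AVX_PKI-prefixed clones from the Configuration partition with ADSI and decodes the same attributes: OID, validity and renewal periods, key length, EKU, and the auto-enrollment flag. It assumes the account running it can read the Configuration partition.

```powershell
# Added verification step, not part of the AppViewX utility. Uses ADSI only,
# so no RSAT module is required; run it from a domain-joined Windows host.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$searcher.Filter   = '(&(objectClass=pKICertificateTemplate)(cn=AVX_PKI*))'
$searcher.PageSize = 500
'cn', 'msPKI-Cert-Template-OID', 'pKIExpirationPeriod', 'pKIOverlapPeriod',
'msPKI-Minimal-Key-Size', 'pKIExtendedKeyUsage', 'msPKI-Enrollment-Flag' |
    ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }

# pKIExpirationPeriod and pKIOverlapPeriod are stored as 8-byte negative
# intervals in 100 ns units; negate the Int64 to get a positive TimeSpan.
function ConvertTo-Days([byte[]]$Interval) {
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Interval, 0)).TotalDays
}
$AutoEnrollFlag = 0x20   # CT_FLAG_AUTO_ENROLLMENT bit in msPKI-Enrollment-Flag

$searcher.FindAll() | ForEach-Object {
    $p = $_.Properties   # property names are returned in lower case
    [pscustomobject]@{
        Name         = $p['cn'][0]
        OID          = $p['mspki-cert-template-oid'][0]
        ValidityDays = ConvertTo-Days $p['pkiexpirationperiod'][0]
        RenewalDays  = ConvertTo-Days $p['pkioverlapperiod'][0]
        KeyLength    = $p['mspki-minimal-key-size'][0]
        EKU          = ($p['pkiextendedkeyusage'] -join ', ')
        AutoEnroll   = (($p['mspki-enrollment-flag'][0] -band $AutoEnrollFlag) -ne 0)
    }
} | Format-Table -AutoSize
```

An empty result set means the AVX_PKI clones have not yet replicated to the domain controller this host is bound to; re-run after replication or point the search at the DC the utility used.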

Steps:

  1. Select one or more templates.
  2. Click Continue.
    The Configure Template page is displayed.

Configure Templates

After the templates are selected, in the next stage a new certificate group must be created for the selected template. Corresponding equivalent AppViewX PKI certificate templates are then created for the selected AD templates. During creation, each AppViewX template is temporarily mapped to a default issuer CA to ensure complete configuration. The issuer is mapped based on the template permissions in AD.
Note: CA templates are not created by default. To create one, go to PKI > Templates > Create Template.

After creation, a summary view is displayed with the following details:

  • Source MS AD Template
  • Corresponding AppViewX Template (suffixed with the Migration name)
  • Issuer Name
  • Certificate Group

An Edit option is provided for each template, allowing users to modify the issuer and/or certificate group before proceeding with the migration.

Steps:

  1. In the Map AD published templates with AVX templates screen, click Create Certificate Group.
    The Create Certificate Group pop-up is displayed.
  2. In the Create Certificate Group pop-up, enter the group name and click Save.
    The next screen will have the Create All Equivalents button.
  3. Click Create All Equivalents.
    A summary view is displayed with the following details:
    • MS Template
    • AppViewX Template (suffixed with the Migration name)
    • Issuer Name
    • Certificate Group
    • Action (Edit option)
  4. (Optional) If the issuer name is blank or to change the issuer name and certificate group, click the edit option in the Action column.
    The Modify Template page is displayed on the right.
  5. (Optional) From the Modify Template page, update the Certificate Group, Issuer Name, or AppViewX Template and click Save Changes.
  6. Click Continue.
    The Configure WAEP screen is displayed.

Configure WAEP

After creating and mapping equivalent certificate templates in AppViewX PKI, the system guides the user to configure and activate WAEP to enable endpoint communication for certificate auto-enrollment. The user defines an Agent Settings Name and selects a datacenter, upon which LDAP details are auto-populated. The user then provides service account credentials and performs a Test Connection to validate connectivity and configuration before proceeding.
  1. In the Configure WAEP screen, enter the details as follows (* marks a mandatory field):
    Endpoint Details
    • *Name: Read only; auto-populated with the Migration name set in the Download Windows Gateway stage.
    • *IP/FQDN: A dropdown list of FQDNs from the stored data. Choose one of the available values. The hostname format is <tenant>-aep.<domainname>.
      For On-prem, the list is populated with the On-Prem node details. Select any one of the values.
      For SaaS, the list is populated with the hostname of the Cloud Connector and the AEP Gateway details.
      • Using On-premises CC
        • Without load balancer: the hostname of the cloud connector where the auto-enrollment gateway is running.
        • With load balancer: manually enter the hostname of the cloud connector.
      • Using Direct Gateway: In the SaaS setup, to use the direct AEP gateway without installing the cloud connector, the FQDN/IP address is the tenant URL with "-aep" before the domain name.
    • *Port: Auto-populated based on the selected IP/FQDN value. If the IP/FQDN value is entered manually, enter the appropriate port number.
      • HTTPS URL (always)
        • On-prem - 31443
        • SaaS - 30020
    • *Datacenter: Select the data center. The value is auto-populated based on the cloud connector.
    Global Catalog Configuration
    • *LDAP URL: List of LDAP/LDAPS configurations fetched from Platform.
    • Configure LDAP Page: A link below the LDAP URL field that redirects to the Platform page to add LDAP/LDAPS configurations. Refer to the section Configuring LDAP for WAEP for more details.
    • Sync: Fetches the latest LDAP configuration data from Platform.
    • *LDAP Base DN: Displayed after a value is selected in the LDAP URL field. If AD sync is enabled, the LDAP base DN is auto-populated based on the IP address of the global catalog server selected from the LDAP URL dropdown list.
    *: Mandatory fields
  2. Click Create WAEP agent.
    The new WAEP agent setting is configured in the Auto-Enrollment: Windows AEP page (Go to Menu > CLM > Administration > Auto Enrollment > WAEP).

    The Setup Enrollment Server screen is displayed.

Setup Enrollment Server

After successful WAEP configuration and validation, the system progresses to the Enrollment Server setup stage.

Page 1: WAEP Details and Package Download
  • System Actions:
    • Displays the generated WAEP URL.
    • Provides an option to download the AppViewX Enrollment Server package (with embedded WAEP URL).
  • During Download:
    • Creates a backend service account for installation and ongoing communication.
  • Post Download:
    • Displays setup instructions including:
      • Hostname, port, and agent details
      • Service account Client ID and Secret (to be added in the configuration file)
      • Once downloaded, refer to Installing AppViewX Enrollment Server and perform the listed steps.
    • Prompts the user to start the service after completing setup.
Page 2: Installation and Configuration Confirmation
  • User Action:
    • Provides confirmation to execute a system-initiated configuration script
    • Follow the steps mentioned in Configuring Permissions for AppViewX to provide permissions for the auto enrolment server.
  • System Actions (Script Execution):
    • Registers CA as an Enrollment Service in Active Directory
    • Adds selected certificate templates to the CA
    • Publishes Root and Intermediate certificates as trusted certificates in the domain
  • Completion
    • System triggers script execution remotely on the target host
    • Validates each step for successful completion
    • On success, allows the user to proceed to the next validation stage

Steps:

  1. In the Setup Enrollment Server page, first stage (Download & prepare), the WAEP URL field is displayed and is read-only. Copy and save the URL for future reference.
  2. Click the Download & prepare button.
    The AppViewX enrollment server zip file is downloaded.
  3. Follow the installation instructions specified on the screen. Use the AppViewX enrollment server, client details, and secret to complete the installation and start the service.
    Note:
    • The AppViewX enrollment server must be installed on the same machine where the Windows Gateway was installed at the start of the migration journey.
    • After the download is complete, refer to the section Installing AppViewX Enrollment Server to perform the installation.
  4. Click Continue.
    The Setup Enrollment Server page, second stage (Install and run), is displayed with the set of instructions.
  5. Follow the steps mentioned in the Instructions to provide permissions for the Auto enrolment server. Additionally, refer to the section Configuring Permissions for AppViewX.
  6. Click the I approve AppViewX to install on the machine checkbox.
    The Run setup button is enabled.
  7. Click Run setup.
    The following script executions are performed at the backend:
    • Registering CA as an Enrollment Service in Active Directory
    • Adding selected certificate templates to the CA
    • Publishing Root and Intermediate certificates as trusted certificates in the domain
  8. Click Finish.