Migrating from AVX Standard CA to AVX Native CA

CA Migration provides a guided, resumable process to transition from AppViewX Standard CA (GCP-hosted) to AppViewX Native CA (PQC-Ready). This migration enables organizations to adopt a more secure, modern platform that is Post-Quantum Cryptography (PQC), ready and aligned with evolving security and compliance requirements. The CA Migration utility in AppViewX PKIaaS also ensures that, after migration, all certificate enrollment is routed through the AppViewX Enrollment Server, with no client-side changes required.

You can initiate migration from the CA Inventory page by cloning an existing CA or creating a new one. The workflow includes configuration, custodian approval, and execution tracking, along with real-time status updates and the ability to resume if interrupted. This process enhances security, auditability, and operational visibility, ensuring a seamless transition with minimal disruption.

Ensure the following before starting the migration:
Prerequisite Requirement
User role Privileged user access is required. Only privileged users can initiate CA migration.
CA Account Name A unique CA Account Name. Duplicate names and empty values are not accepted.
Network access The system must be able to reach the PKI CA endpoint to verify connectivity during initialization.
Standard CA in inventory At least one Standard (GCP-backed) CA must exist in the CA Inventory.
Custodians Custodians must be available to approve the migration request (unless approval is not required by policy).

Migration Initiation Banner

The Migration Initiation Banner appears on the CA Inventory page for tenants using AppViewX Standard (GCP-backed) CA. It displays the current migration state and provides actions to start, resume, or manage the migration process.
Tip: Your migration progress and reminder preferences are saved across sessions. If you close your browser or log out, migration resumes from the last completed step.
Important: The banner is only visible to tenants with a Standard (GCP-backed) CA. It does not appear for tenants already using AppViewX Native CA.

The following table describes the available banner actions:

Action Description
Start migration Launches the migration wizard from the beginning.
Resume migration Reopens the migration wizard at the step where the previous session ended.
View Approval Status Opens the custodian approval tracking view for the pending CA creation request.
Remind Me Later Postpones the banner. Select 1 Day, 1 Week, 1 Month, or Never from the dropdown.
Dismiss (x) Closes the banner for the current session. The banner reappears on the next login.

Clicking Remind Me Later displays a dropdown with the following options:

Option Behavior
1 Day The banner is hidden and reappears after 24 hours.
1 Week The banner is hidden and reappears after 7 days.
1 Month The banner is hidden and reappears after 30 days.
Never The banner is permanently hidden for this user until an administrator resets the preference.
Important: Reminder preferences and migration progress persist across sessions. If you select Never, an administrator must reset the preference to make the banner visible again.

Upgrade popup

When a tenant has not yet started migration, an upgrade prompt may also appear as a modal popup over the CA Inventory page. The popup provides the same Start Migration and Remind Me Later options as the banner.
  1. Go to Menu > PKI+ > CA Inventory.
    The Migration Initiation Banner is displayed at the top of the page.
  2. Review the banner message to understand your current migration state.
  3. Click Start migration (if not yet started) or Resume migration (if already in progress).
    The migration wizard opens at the correct step for your current state.
  4. Follow the on-screen steps in the wizard to complete the migration.
    Refer to the sub-tasks below for detailed instructions for each wizard step.

Migration wizard steps

The migration wizard consists of the following sequential steps:
Step Name Description
1 Initialize AppViewX Native CA Set up the CA account.
2 Source Selection Select the GCP CA to migrate from.
3 Migration Setup Choose the migration method.
4 CA Creation Configure the AppViewX CA settings.
5 Complete Migration Review and confirm the migration status.
6 Migration Summary Review the final migration status.

Initialize AppViewX Native CA

Before you migrate to AppViewX Native CA (PQC-Ready), the system checks whether the AppViewX PKI Certificate Authority (CA) is already initialized. If it is not initialized, the Initialize AppViewX Native CA page is the first step in the migration wizard.

AppViewX Native CA is a PQC-ready private PKI service that issues digital certificates using both traditional and post-quantum cryptographic algorithms. Initializing the CA sets up the account that the migration wizard uses throughout the process.

Important: Initialization is atomic. If the process fails, no partial state is saved and you can retry without cleanup.
Important: If the PKI CA is already initialized, the initialization step is skipped automatically and the wizard proceeds to Source Selection.
  1. Navigate to Menu > PKI > CA Inventory.
  2. Click Start Migration.
    The system automatically checks whether the PKI CA is already initialized. If not initialized, the Initialize AppViewX Native CA page is displayed.
  3. In the CA Account Name field, enter a unique name for the CA account.
    The name accepts alphanumeric characters and hyphens. Duplicate names and empty values are not accepted.
  4. Click Activate.
    The system attempts to initialize the CA and verifies the connection. The Connection Status is displayed below the CA Account Name field.
  5. Review the Connection Status before proceeding.
    A successful status indicates the CA account is initialized and the wizard can proceed to the next step. If the status shows an error, verify network access to the PKI CA endpoint and retry.
After the CA is successfully initialized, the migration wizard continues to the Migration Overview step.

Migration Overview

The Migration Overview page is the starting point of the CA Migration wizard. It lists the supported source CA types that you can migrate to AppViewX. Currently, only Legacy CA is supported. The Migration Overview page is the starting point of the CA Migration wizard. If the AppViewX PKI Certificate Authority (CA) is already initialized.
  1. Select Legacy CA as the select source CA type.
  2. Click Start Migration.
    The Source Selection page is displayed.

Select source CA

The Source Selection step lets you select an existing Certificate Authority from your environment as the source for migration.
  1. On Select Source Certificate Authority page.
  2. Review the list of available CAs in the table.
    The table displays the following columns:
    • CA Name: Certificate Authority name
    • Type: Root CA or Subordinate CA
    • Algorithm: Cryptographic algorithm (for example, RSA or EC)
    • Key Size: Key size in bits
    • Status: Current state (for example, Active or Awaiting user activation)
  3. Optional: Use the Search field to filter CAs by name.
  4. Select the radio button next to the CA that you want to migrate.
    A Configuration Preview panel appears at the bottom of the page showing the selected CA's settings.
  5. Review the Configuration Preview to confirm your selection.
  6. Click Continue to proceed to Migration Setup, or click Back to return to the previous step.

Configure migration setup

The Migration Setup step lets you choose how to create the target AppViewX Native CA (PQC-Ready) that will replace your existing Standard CA. Select one of the following options:
  • Clone configuration from existing CA (Recommended): Copies configuration from the selected CA, including key size, cryptographic algorithm, and other settings.
  • Create New AppViewX CA from Scratch: Creates a new CA using guided defaults and best practices.
  • Use Existing CA (I already have a CA created): Maps an existing AppViewX Native CA to AppViewX for centralized management.
Important: You cannot start another CA migration while one is in Pending Approval status. Wait for the current migration to complete or be rejected before starting a new one.
Important: Only one CA can be migrated at a time.

Clone existing CA for migration

Use the Clone Existing CA option to migrate a Standard CA by copying its configuration into a new AppViewX Native CA (PQC-Ready). This is the recommended approach when you want to preserve the existing CA's configuration.
  • You must have authorization to initiate CA migration.
  • At least one Standard (GCP-backed) CA must exist in the CA Inventory.
  • No other CA migration should be in Pending Approval status.
  1. On the Migration Setup page, select Clone Existing CA.
    The CA selection list is displayed.
  2. Select the Standard CA you want to clone from the list and click Proceed.
    The Configure Your AppViewX CA page opens with all fields pre-populated from the selected CA.
  3. Review the pre-populated configuration and modify the editable fields as needed.
    Important: You cannot modify the Tier and Certificate Authority Type fields when using the Clone CA option.
  4. Enter the required CA configuration details.
  5. In the Approval and Custodians section, review the custodians who will receive the approval request.
    Important: The AppViewX CA is created after at least 51% of the listed custodians approve the request.
  6. Optional: To add custodians, click Add New Custodian, add the required users, and then click Refresh to update the list.
  7. Click Initiate Migration to submit the CA creation request.
    If custodian approval is required, the migration status changes to Pending Approval and the CA Inventory banner updates to show current progress. If custodian approval is not required, the migration status changes to CA Created Successfully! and the wizard advances to the Complete Migration step.

Create AppViewX Native CA from scratch

Use the Create CA from Scratch option when you want to define a completely new AppViewX Native CA (PQC-Ready) configuration without copying settings from the source CA.
Tip: When creating a new CA from scratch, you can configure PQC-ready cryptographic settings to future-proof your PKI infrastructure.
  • You must have the necessary permissions to initiate CA migration and create a new CA.
  • Ensure you have access to the list of custodians for approval.
  1. On the Migration Setup page, select Create CA from Scratch.
    The Configure Your AppViewX CA page opens with all fields empty.
  2. Enter the required CA configuration details.
  3. In the Approval and Custodians section, review the custodians who will receive the approval request.
    Important: The AppViewX CA is created after at least 51% of the listed custodians approve the request.
  4. Optional: To add custodians, click Add New Custodian, add the required users, and then click Refresh to update the list.
  5. Click Initiate Migration to submit the CA creation request.
    A CA Configuration Summary popup is displayed.
  6. In the Summary popup, verify all configured CA details and click Proceed to submit the request.
    If custodian approval is not required, the migration status changes to CA Created Successfully! and the wizard advances to the Complete Migration step.

Map an existing CA during migration

Use the Existing CA option if you already have an AppViewX Native CA created and want to map it to the source Standard CA. This option preserves the existing CA configuration and links it to the migration workflow.
Important: The list is filtered by CA type. If the source CA is a Root CA, only Root CAs are shown. If the source CA is a Subordinate CA, only Subordinate CAs are shown.
CAUTION: You cannot proceed without selecting a CA from the list. Ensure at least one compatible AppViewX Native CA exists before choosing this option.
  • You must have the appropriate RBAC permissions to view and select CAs.
  • At least one AppViewX Native CA of the required type (Root CA or Subordinate CA) must exist in the CA Inventory.
  1. On the Migration Setup page, select Use Existing CA.
    A filtered list of existing AppViewX Native CAs compatible with the source CA type is displayed.
  2. From the Target CA dropdown, select the CA you want to map to the source CA.
    The selected CA is highlighted and its metadata (Name, Type, Status) is displayed.
  3. Click Confirm to apply the mapping.
    The selected CA is mapped to the source CA and the wizard advances to the next migration step.
  4. Click Continue to proceed.

Complete migration and track approval

After you click Proceed in the Summary popup, the system submits the migration request and displays the current approval status on the Complete Migration page.

The Complete Migration page shows the following approval status details:

  • Custodians Notified: The number of custodians who received the approval request.
  • Approval Threshold: The minimum percentage of approvals required (default: 51% minimum).
  • Approvals Received: A real-time counter (for example, 0/2) showing how many custodians have approved.
  • Status message: Indicates that the system is waiting for custodian responses.
Important: Once the approval threshold is reached, the CA is created automatically without further action required.
Important: If no custodian approval is required by policy, the CA is created immediately and the Complete Migration page shows a success status.

When a migration is pending approval, a yellow banner at the top of the CA Inventory page displays the pending status. Click View Approval Status in the banner to open the approval tracking view.

Each CA entry in the inventory includes the following approval actions:

Action Description
Resubmit Resubmit the CA creation or deletion request if it was previously rejected.
View Open the CA details and configuration page.
Activate For subordinate CAs in Pending Signed Certificate status, upload the signed certificate to activate the CA.
  1. Click Proceed in the Summary popup to submit the migration request.
    The Complete Migration page is displayed with the current approval status.
  2. On the Complete Migration page, review the approval status.
  3. If approvals are pending, click Close and Check Status Later to exit the wizard.
    To check the status later, go to the CA Inventory page and view the migration status banner.
  4. After the migration is completed, the migration status is displayed as CA Created Successfully.
After the migration request is submitted and approved, the system returns you to the CA Inventory page. A banner confirms that the migration is complete. The migrated CA is available in the CA Inventory and the legacy Standard CA is marked for retirement.
Important: You can migrate only one CA at a time. Wait for the current migration to complete or be rejected before starting a new migration.

Post-Migration: Retiring Legacy Standard CAs

After you complete migrating, skipping, or mapping one or more GCP-backed Certificate Authorities (CAs), AppViewX PKI displays a retirement prompt on the CA Inventory page. This is the logical conclusion of the CA migration lifecycle. You can use this step to remove legacy Standard CAs that are no longer needed, permanently deleting them from the backend.
Retirement prompt on CA Inventory

When all migration actions are complete, the following banner appears at the top of the CA Inventory page:

You can now retire legacy Standard Certificate Authorities that are no longer needed, initiating their permanent deletion from the backend. Select a CA marked as "Standard CA" from the inventory and choose Actions > Delete to proceed. You may also choose Disable first to stop issuance and assess impact before completing the irreversible deletion.

Retire a legacy Standard CA

To retire a legacy Standard CA after migration:
  1. Go to Menu > PKI > CA Inventory.
  2. In the CA list, locate the CA with the type Standard CA.
  3. Optional: Click Actions > Disable to stop certificate issuance from the CA and assess the impact before deletion. This step is recommended before performing an irreversible deletion.
  4. Click Actions > Delete next to the Standard CA you want to retire.
  5. In the confirmation dialog, review the details and click Confirm to permanently delete the CA from the backend.
    The deletion is permanent and irreversible. Once a Standard CA is deleted, it cannot be recovered. Ensure that no active certificate workflows depend on the CA before proceeding.

Post-retirement state

After all legacy Standard CAs are retired, the CA Inventory displays only AppViewX Native CAs. The migration lifecycle is complete. No further migration actions are available or required.

Start a new migration from the side Menu

You can start a new CA migration at any time by selecting CA Migration from the navigation menu. This navigates to the Migration Overview page, where you can select a new migration journey (for example, AppViewX Standard CA or ADCS CA) and follow the migration wizard from the beginning.