Migrating the CA for Code Signing Certificates

Use the CA Switch feature in CLM to re-enroll one or more code signing certificates from one Certificate Authority (CA) to another. After initiating a CA switch, AppViewX assesses the migration readiness of each selected certificate and displays the results in the Process Explorer. You must validate these results before completing the switch.
Use this guide to migrate CAs for the following certificate types:
  • Server certificates
  • Client certificates
  • Code Signing certificates
Note: The bulk CA switch is currently supported only when switching from any CA to Microsoft CA (Enterprise or Standalone), or from Microsoft CA (Enterprise or Standalone) to Microsoft CA (Enterprise or Standalone).

This procedure applies to all supported target CAs. If you select AppViewX PKIaaS Native as the target CA, additional fields Issuer Name and Template Name appear in the CA Switch dialog box.

Phase 1: Initiate the CA Switch
  1. Navigate to Menu > CLM > Certificate Action > CA Switch > Code Signing.
    The Code Signing Certificate page is displayed.
  2. Under Common Name, select the checkbox corresponding to the required certificate to run the revocation check.
    Tip: You can run the revocation check for more than one certificate at the same time. To do this, select the checkboxes corresponding to all the required certificates.
  3. From the Actions menu, select Revocation Check.
    Results update the status of the certificate in the inventory page.
  4. Under Common Name, select the checkbox next to the certificate you want to migrate.
    Tip: To migrate multiple certificates at once, select the checkboxes for all required certificates before proceeding.
  5. From the Actions menu, select CA Switch.
    The CA Switch dialog box is displayed.
  6. Enter the CA switch details using the following field descriptions:
    Field Description
    *Target CA Select the destination CA from the dropdown list.
    Note: If you select AppViewX PKIaaS Native as the Target CA, two additional fields appear: Issuer Name and Template Name.
    *Settings Select the CA profile settings to apply during the switch.
    *Issuer Name Select the issuer (sub-CA) to use for signing the certificate during the switch.
    Note: Displayed only when AppViewX PKIaaS Native is selected as the Target CA.
    *Template Name Select the certificate template to apply during the CA switch.
    Note: Displayed only when AppViewX PKIaaS Native is selected as the Target CA.
    *Name Enter a unique identifier for this CA switch operation. Allowed special characters: space, period (.), hyphen (-), underscore (_). The name cannot begin with a special character.
  7. Click Save.
    The CA Switch Summary page is displayed. Use the following controls on this page:
    Control Description
    Delete icon Removes a certificate from the migration list.
    Refresh icon Reloads the CA Switch Summary page with the latest data.
    Records display Shows the number of certificates listed on the current page.
    Navigation arrows Moves to the next or previous page when multiple pages exist.
    Search Filters the list by keyword.
    Color Coding Status Indicates each certificate's migration readiness status.
Phase 2: Review and Submit
  1. Select the checkbox for the certificate you want to migrate.
  2. In the CSR Details column, click Update CSR to review and update the CSR details.
  3. In the Validation Log column, click View to see the events recorded during the CA switch.
  4. Click Submit.
    Note: If the Certificate Requests Need Approval? toggle is enabled, it enforces a peer approval process for certificate requests (new, renew, regenerate, reissue, or revocation). The approval workflow defines who must approve each request.
Phase 3: Approve the Work Order
  1. In the Work Order column, click Approve.
    The Approve dialog box is displayed.
  2. (Optional) To schedule automatic approval, click Schedule Later, then select an implementation date and time from the calendar.
  3. Enter any relevant comments in the Comments field.
  4. Click Yes.
  5. (Optional) In the Work Order column, click the status to view the Summary and Details of the approval progress.
Phase 4: Implement the Work Order
  1. In the Work Order column, click Implement.
    The Implement dialog box is displayed.
  2. (Optional) To schedule automatic implementation, click Schedule Later, then select an implementation date and time.
  3. Enter any relevant comments in the Comments field.
  4. Click Yes.
  5. Click the refresh icon at the top-right of the page to update the work order status.
    When the CA Switch is complete, the Work Order status changes to Completed.

Bulk Migrating the CA for Code Signing Certificates

Use the bulk CA Switch feature to migrate multiple code signing certificates to target CAs.
Important: The bulk CA switch is currently supported only when switching from any CA to Microsoft CA (Enterprise or Standalone), or from Microsoft CA (Enterprise or Standalone) to Microsoft CA (Enterprise or Standalone).

This procedure applies to all supported target CAs. If you select AppViewX PKIaaS Native as the target CA, additional fields Issuer Name and Template Name appear in the CA Switch dialog box.

Phase 1: Select Certificates and Initiate Bulk CA Switch
  1. Navigate to Menu > CLM > Certificate Action > CA Switch > Code Signing.
    The Code Signing Certificate page is displayed.
  2. Under Common Name, select the checkbox corresponding to the required certificate to run the revocation check.
    Tip: You can run the revocation check for more than one certificate at the same time. To do this, select the checkboxes corresponding to all the required certificates.
  3. From the Actions menu, select Revocation Check.
    Results update the status of the certificate in the inventory page.
  4. Select the checkboxes for all certificates to be migrated.
  5. From the Actions menu, select CA Switch.
    The CA Switch dialog box is displayed.
  6. Enter the CA switch details using the following field descriptions:
    Field Description
    *Target CA Select the destination CA from the dropdown list.
    Note: If you select AppViewX PKIaaS Native as the Target CA, two additional fields appear: Issuer Name and Template Name.
    *Settings Select the CA profile settings to apply during the switch.
    *Issuer Name Select the issuer (sub-CA) to use for signing the certificate during the switch.
    Note: Displayed only when AppViewX PKIaaS Native is selected as the Target CA.
    *Template Name Select the certificate template to apply during the CA switch.
    Note: Displayed only when AppViewX PKIaaS Native is selected as the Target CA.
    *Name Enter a unique identifier for this CA switch operation. Allowed special characters: space, period (.), hyphen (-), underscore (_). The name cannot begin with a special character.
  7. Click Save.
    The CA Switch Summary page opens, listing all pending CA switch requests.
Phase 2: Bulk Update CSR and Submit
  1. Select the checkboxes for all the CA switch requests you want to process.
    The Bulk Update CSR and Actions buttons are enabled.
  2. Click Bulk Update CSR.
    The Update Connector Details dialog box is displayed.
  3. Update the connector details as required, then click Update.
    You are redirected to the CA Switch Summary page. The Certificate Status updates to Ready to Migrate.
  4. Select the required CA switch requests, then click Submit.
    A confirmation message appears. Work order details update to show the work order number, and the Approve and Reject buttons.
Phase 3: Approve and Implement
  1. Select the required CA switch requests.
  2. From the Actions menu, select Proceed Further to approve, then click Yes in the Confirmation dialog box.
  3. From the Actions menu, select Proceed Further again to implement, then click Yes in the Confirmation dialog box.
    Once complete, the Work Order status updates to Completed.