
Definition

If your organization still relies on a legacy public key infrastructure (PKI) deployment, you’re not alone. Many enterprises are running certificate authority (CA) software that was originally designed for a different era. PKI migration is the process of moving from that legacy setup to a modern PKI solution. For a growing number of organizations, this is becoming a strategic priority.

PKI migration can take many forms. It might involve replacing outdated CA software, transitioning from on-premises infrastructure to cloud or hybrid deployment models, or consolidating fragmented PKI environments into a single, centralized platform. What it is not, however, is a simple flip of a switch. PKI migration is a strategic initiative that touches certificate authorities, certificate lifecycle management, key management, and the policies and processes that surround them.

Why organizations are migrating their PKI

Several forces are pushing organizations to rethink their PKI. Understanding these drivers is essential for building a case for modernization.

Legacy PKI was not built for the modern world

Microsoft CA, also known as Active Directory Certificate Services (ADCS), was an easy choice for traditional IT environments. But the move to the cloud and to a remote workforce has introduced challenges that legacy PKI cannot address. These environments were not designed for the volume and velocity of certificate issuance that modern organizations require. They typically lack integrations with modern tooling, and because they are administered by hand over a lifespan of many years, a single error or oversight can leave them misconfigured at any point. For almost 50% of organizations, cloud-based services are now the main driver of PKI deployment.

Certificate sprawl and shadow PKI

As organizations grow, different teams often spin up their own CAs for specific use cases without considering corporate IT policies. CAs get misconfigured. Certificates go untracked. The result is unexpected audit findings, security blind spots, and outages. Large organizations end up managing, on average, nine different PKI infrastructures. When the environment is that fragmented, maintaining full control becomes extremely difficult.

Lack of PKI expertise

PKI is not a core skill set for most IT and security teams, let alone for the wider organization. Expertise is difficult to find and even harder to retain. Only half of companies have enough staff dedicated to their PKI. For many organizations, PKI becomes a “hot potato” passed between admins, with no clear ownership and no dedicated resources to manage it over a lifespan that can exceed 25 years.

Growing certificate volumes and shorter lifespans

The volume of certificates is growing rapidly. More teams and more use cases (IoT devices, microservices, containers, remote workers) all need certificates. At the same time, certificate lifespans are getting shorter, so every management task comes around more often. Manual processes like spreadsheets, calendar reminders, sticky notes, and homegrown scripts simply cannot keep up.

Signs your organization needs a PKI migration

Not sure if it’s time to make the move? Here are the most common indicators:

  • Certificate outages are happening more often. 
    Expired or misconfigured certificates are causing service disruptions, and your team is spending more time firefighting than preventing problems.
  • New use cases require workarounds. 
    Supporting cloud workloads, IoT, DevOps pipelines, or secure access for remote workers means bolting on separate tools or building custom integrations because your current PKI cannot handle them natively.
  • Multiple teams are running their own CAs. 
    There is no centralized visibility into who issued what, where certificates live, or when they expire.
  • Compliance audits are surfacing surprises. 
    Auditors are finding certificates and CAs your team didn’t know existed.
  • Cloud migration is blocked by on-premises PKI dependencies. 
    Your move to the cloud is slowed because your PKI is tightly coupled to on-premises Active Directory infrastructure.
  • Maintenance costs are rising without added value. 
    You’re spending more on legacy PKI hardware, software, and staffing, but getting the same (or fewer) capabilities in return.

If two or more of these resonate, it’s worth evaluating a migration path.

Key considerations before migrating your PKI

Before jumping into a migration, it pays to think through several strategic and technical factors.

Use cases and requirements: Start by identifying the certificate types, templates, protocols (SCEP, ACME, EST, CMP), and automation capabilities your organization needs. Consider current requirements across IT, DevOps, IoT, and manufacturing, but also plan for what’s coming next.

Scalability and availability: Evaluate expected service level agreements for uptime and availability. High availability, backup and disaster recovery, and the ability to manage environments with thousands or even millions of certificates are all critical factors, especially as you scale into new use cases.

Security, compliance, and assurance levels: PKI is more than CA software and certificates. You also need to consider the safeguards and policies around your PKI infrastructure, including HSM integration, root key protection, and compliance with industry standards. Certain regulations or internal security policies may dictate specific parameters for your deployment.

Expertise and staffing: Consider whether your team has the knowledge and bandwidth to manage a new PKI over its full lifespan. If not, a hosted or managed PKI service may be a better fit. This decision alone can significantly reduce operational burden and risk.

PKI migration paths: choosing the right deployment model

One of the most important decisions in any PKI migration is where and how to deploy. The right model depends on your organization’s resources, regulatory requirements, and technical needs.

PKI as a Service (PKIaaS): A fully managed PKI with an offline, air-gapped root CA. The vendor handles all PKI operations, including 24/7 monitoring and SLA-backed uptime. This model is ideal for organizations that want to offload PKI entirely to a trusted partner.

SaaS PKI: A turnkey PKI deployed and managed by the vendor in public clouds such as AWS and Azure. Best for teams that want cloud-native PKI without the overhead of managing infrastructure, while still retaining some configuration access.

Cloud PKI (self-managed): PKI deployed in your own cloud environment (AWS or Azure). This model gives you cloud scalability with full control over configuration, making it a strong fit for organizations with capable internal teams.

On-premises PKI (software or hardware appliance): PKI deployed as a virtual appliance in a private data center or as a turnkey hardware appliance with a built-in HSM. Best for organizations with strict regulatory requirements or available on-premises resources that need to keep PKI behind their own firewall.

Hybrid PKI: Running a modern PKI solution alongside existing Microsoft CA or other legacy systems, migrating use cases over time with minimal disruption. This approach lets you support both modern and legacy use cases simultaneously, which is often the most practical path forward.

Migrating from Microsoft CA (ADCS): what you need to know

For many organizations, the most immediate migration question is: “What do we do about Microsoft CA?” The answer is that you do not have to choose between a full rip-and-replace and staying on legacy ADCS. A phased approach is both possible and practical.

Modern PKI solutions can run in tandem with Microsoft CA, allowing you to continue using Microsoft-native tools like Auto-enrollment, Intune, and Azure Key Vault while routing new use cases to the modern platform. This is especially relevant for organizations transitioning from Active Directory to Azure Active Directory, where MDM solutions like Intune can provision certificates from a modern PKI (such as EJBCA) instead of on-premises ADCS.

The key is gradual migration. Move use cases one at a time, validate each transition, and reduce your dependency on legacy infrastructure at a pace that minimizes risk. You do not need to migrate everything on day one.

The role of certificate lifecycle automation in PKI migration

Issuing certificates from a modern CA is only half the equation. Those certificates also need to be discovered, tracked, renewed, and revoked across their entire lifecycle. This is where certificate lifecycle management (CLM) becomes essential.

Many teams still rely on spreadsheets, calendar reminders, and homegrown scripts to manage certificates. With shorter lifecycles and growing volumes, those manual approaches leave gaps that lead to outages and security risks. Automated CLM closes those gaps by providing visibility across all CAs in your environment, whether they are public, private, or cloud-based.

Combining PKI with certificate lifecycle automation creates a single platform that handles both issuance and management. This also enables CA agility: the ability to add, switch, or consolidate CA vendors as your needs change and as cryptographic standards evolve. Getting visibility over your entire certificate landscape is critical to preventing outages and maintaining crypto-agility over time.
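The discovery and expiry-tracking step described above, together with the per-issuer view a phased migration off a legacy CA needs (the Microsoft CA section and the "shorter lifespans" driver both come down to this), as an added example that is not part of the original page and is not Keyfactor's or EJBCA's code. It is written in Go against the standard library only. The CA names, hostnames, serial numbers, the 30-day renewal window, and the in-memory certificates are all constructed for the example; point `Inventory` at a real PEM bundle collected by a discovery scan to get the same report for your own estate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one row of the inventory: who issued the certificate and how long it has left.
type Finding struct {
	Subject, Issuer string
	NotAfter        time.Time
	DaysLeft        int
	Renew           bool // inside the renewal window, or already expired
}

// Inventory parses every CERTIFICATE block in a PEM bundle. Other block types are skipped;
// a certificate that fails to parse is an error rather than a silent omission, because the
// certificate you cannot parse is exactly the one that goes untracked.
func Inventory(bundle []byte, now time.Time, renewWithin time.Duration) ([]Finding, error) {
	var out []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("certificate %d in bundle: %w", len(out)+1, err)
		}
		left := cert.NotAfter.Sub(now)
		out = append(out, Finding{
			Subject: cert.Subject.CommonName, Issuer: cert.Issuer.CommonName,
			NotAfter: cert.NotAfter, DaysLeft: int(left.Hours() / 24), Renew: left <= renewWithin,
		})
	}
	return out, nil
}

// ByIssuer counts certificates per issuing CA: the measure of how much of the estate
// still depends on the legacy CA while use cases move to the new one.
func ByIssuer(findings []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range findings {
		counts[f.Issuer]++
	}
	return counts
}

// Everything below builds constructed sample data in memory: two throwaway CAs and three
// leaf certificates with hypothetical names. Nothing here touches real infrastructure.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

func issueLeaf(cn string, serial int64, ttl time.Duration, now time.Time,
	ca *x509.Certificate, caKey *ecdsa.PrivateKey) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle is what a discovery scan might collect: two leaves from the legacy CA,
// one of them 12 days from expiry, and one leaf from the modern CA.
func SampleBundle(now time.Time) []byte {
	legacy, legacyKey := newCA("Legacy Corp CA", now)
	modern, modernKey := newCA("Modern Issuing CA", now)
	b := issueLeaf("intranet.example.test", 2, 12*24*time.Hour, now, legacy, legacyKey) // expiring soon
	b = append(b, issueLeaf("erp.example.test", 3, 200*24*time.Hour, now, legacy, legacyKey)...)
	b = append(b, issueLeaf("api.example.test", 4, 60*24*time.Hour, now, modern, modernKey)...)
	return b
}

func main() {
	now := time.Now().UTC().Truncate(time.Second) // X.509 validity times carry second precision
	findings := must(Inventory(SampleBundle(now), now, 30*24*time.Hour))
	for _, f := range findings {
		fmt.Printf("%-22s issuer=%-20q expires=%s days_left=%4d renew=%v\n",
			f.Subject, f.Issuer, f.NotAfter.Format("2006-01-02"), f.DaysLeft, f.Renew)
	}
	fmt.Println("certificates per issuing CA:", ByIssuer(findings))
}
```

Running it prints one line per certificate with its issuer and days to expiry, flags the intranet certificate that is inside the 30-day renewal window, and shows two of three certificates still issued by the legacy CA: the number that has to reach zero before the legacy CA can be retired. Expired certificates report a negative `DaysLeft` and are flagged as well, and a bundle entry that will not parse stops the run with an error instead of quietly shrinking the inventory.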

How Keyfactor can help

Keyfactor’s platform supports PKI migration and modernization across the full spectrum of deployment models and use cases.

  • EJBCA Enterprise is a flexible, scalable PKI platform that can be deployed as SaaS, in your own cloud environment, as a software appliance, or as a hardware appliance. It supports any use case with built-in protocol support for SCEP, ACME, EST, CMP, and a robust REST API.
  • Keyfactor Command provides certificate lifecycle management with discovery, visibility, automation, and reporting across every CA in your environment.
  • PKI as a Service is a fully managed offering where Keyfactor handles all PKI operations, including offline root CA management, 24/7 monitoring, and SLA-backed uptime.

Keyfactor brings more than 20 years of PKI engineering, architecture, and design expertise. A Forrester Total Economic Impact study found a 95% reduction in PKI infrastructure costs for Keyfactor customers. Keyfactor has also been named #1 in Enterprise PKI by ABI Research and maintains compliance with ISO 27001, ISO 9001, Common Criteria, and SOC 2 Type II.

Summary

PKI migration is the process of moving from legacy PKI infrastructure to a modern solution that can support the demands of today’s world. The drivers are clear: legacy PKI was not built for cloud, IoT, or DevOps; certificate sprawl is creating blind spots; expertise is scarce; and manual management cannot keep up with growing volumes and shorter lifespans.

The good news is that organizations do not need to migrate all at once. A range of deployment models (from fully managed PKIaaS to self-managed cloud and on-premises deployments) and the ability to run modern PKI alongside legacy Microsoft CA make phased migration practical. Pairing modern PKI with certificate lifecycle automation ensures that certificates are not just issued, but managed, renewed, and revoked automatically, reducing outage risk and maintaining crypto-agility.

Got PKI migration questions? We’ve got answers.

What is PKI migration?

PKI migration is the process of moving from a legacy public key infrastructure to a modern PKI solution. This typically involves replacing outdated CA software, transitioning to cloud or hybrid deployment models, and consolidating fragmented certificate environments into a centralized platform.

When should my organization consider a PKI migration?

Consider migrating when your legacy PKI can no longer support new use cases like cloud workloads, IoT, or DevOps. Other signs include frequent certificate outages, rising maintenance costs, and compliance audit findings related to untracked certificates or unsanctioned CAs.

Can I migrate from Microsoft CA (ADCS) without disrupting existing services?

Yes. Modern PKI solutions can run alongside Microsoft CA, allowing you to migrate use cases gradually. You can continue using Microsoft-native tools like Auto-enrollment and Intune during the transition while routing new use cases to the modern platform.

What is the difference between PKI as a Service and SaaS PKI?

PKI as a Service (PKIaaS) is a fully managed offering where the vendor handles all PKI operations, including root CA management and monitoring. SaaS PKI is a turnkey cloud deployment managed by the vendor but typically offers more configuration access. Both eliminate the need to maintain PKI infrastructure in house.

How does cloud PKI migration work?

Cloud PKI migration involves moving your certificate authority infrastructure from on-premises servers to a cloud-based or SaaS-delivered platform. Organizations can deploy PKI in their own cloud environment (self-managed) or use a vendor-hosted solution, depending on their control and compliance requirements.

Do I need certificate lifecycle automation if I migrate my PKI?

Certificate lifecycle automation is strongly recommended alongside any PKI migration. Issuing certificates from a modern CA is only part of the equation. You also need automated discovery, tracking, renewal, and revocation to prevent outages and maintain visibility across your entire certificate landscape.

What deployment model is best for PKI migration?

The right model depends on your organization’s resources, regulatory requirements, and technical needs. Options range from fully managed PKI as a Service (ideal for teams without in-house expertise) to self-managed cloud deployments (for teams that want full control over configuration) and on-premises deployments (ideal for organizations with strict compliance requirements).

How long does a PKI migration typically take?

Timelines vary depending on the complexity of your existing environment and the scope of the migration. A phased approach, where legacy and modern PKI run in tandem, allows organizations to migrate at their own pace while minimizing risk and disruption.