DigiCert PKI Platform 8 PKI Client Migration Guide
This guide provides all the steps needed to migrate from DigiCert PKI Platform 8 (using PKI Client and Enterprise Gateway) to DigiCert® ONE. It includes configuring identity providers, transitioning client applications, migrating certificates, and completing post-migration cleanup. To migrate from PKI Client with Enterprise Gateway integration on DigiCert PKI Platform 8 to DigiCert ONE, you need to be aware of the following key platform differences:
| | DigiCert PKI Platform 8 | DigiCert ONE |
|---|---|---|
| Client application | DigiCert PKI Client | DigiCert Trust Assistant |
| Server application | Enterprise Gateway | Identity provider application that supports SAML or OpenID Connect (OIDC) |
| Authentication mechanism | Kerberos - fully automatic | SAML or OIDC using Single Sign-On (SSO) against the identity provider for initial login. After login, all required authentications are automated using the client authentication certificate stored in the application |
DigiCert PKI Enterprise Gateway supports only on-premises Active Directory as the identity provider, whereas DigiCert ONE supports any identity provider compatible with SAML or OIDC. The following table compares the supported identity providers on each platform:
| DigiCert PKI Platform 8 with Enterprise Gateway | DigiCert ONE |
|---|---|
| On-premises Active Directory | Any identity provider that supports SAML or OIDC including: |
Choose any identity provider that supports SAML or OIDC. If you are already using Single Sign-On (SSO) with a third-party identity provider, you can use that provider. If not, you must set up Active Directory Federation Services (AD FS) on Windows Server to act as the identity provider. For details about the AD FS certificates you need to manage, refer to Certificate lifecycle management for on-premises Active Directory (AD FS).
DigiCert® Trust Lifecycle Manager in DigiCert ONE includes a connector that enables certificate migration from DigiCert PKI Platform 8. This connector supports the migration of both key-escrowed (with private key) and non-key-escrowed certificates. For more details, refer to the DigiCert PKI Platform 8 connector guide.
Before starting the migration, contact your DigiCert representative to determine whether migrating all existing certificates is necessary.
Check Authorized User List
Before creating certificate profiles in DigiCert ONE Trust Lifecycle Manager, verify the Authorized user list configured for the profile. This list determines which Active Directory user group is allowed to issue certificates and is typically formatted as <NETBIOS_name/group_name>. You will need this information when configuring the certificate profile in DigiCert ONE.
Note
You can view the authorized user list details in DigiCert PKI Platform 8 PKI Manager by selecting the Manage authorized user lists under the Users and certificates section.
Create DigiCert ONE Login Certificate profile
To create a certificate profile and complete initial testing, perform the following steps:
Understand the DigiCert ONE Login: Before creating the profile, get yourself familiar with the login process and how DigiCert ONE integrates with external Identity Providers. For more details, refer to About DigiCert ONE login profile.
Configure integration with your Identity Provider and DigiCert ONE: Refer to Prerequisites for DigiCert ONE Login for prerequisite details. Based on your Identity Provider, refer to the following integration details.
Create a certificate profile: Refer to About DigiCert ONE login profile for details. During profile creation, use the following options to match the functionality that was previously available through Enterprise Gateway.
Auto-enroll/renew certificates: Enable this option if you are using automatic certificate issuance with Enterprise Gateway.
Restrict user access based on IdP metadata: Configure group-based access using the authorized user list from DigiCert PKI Platform 8.
The format differs from <NETBIOS_name/group_name>; it depends on how your IdP sends group information via SAML or OIDC. For example, with AD FS, the Key is http://schemas.xmlsoap.org/claims/Group and the Value is the group's full AD distinguished name, for example, CN=DigiCert Test Users,CN=Users,DC=test,DC=digicert,DC=com.
Testing Configuration: After setup, refer to the testing details to validate user creation and certificate issuance.
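As an added illustration (not code from the guide or from DigiCert), the following Python shows what the AD FS Key/Value pair above actually matches against: the Group claim values carried in a SAML assertion. The assertion is a constructed sample, the claim key and DN are the guide's AD FS example, and the DN normalisation rule (case-insensitive, whitespace-tolerant) is an assumption about how a relying party should compare DNs.

```python
import xml.etree.ElementTree as ET
from typing import List

# Key and Value as configured in the DigiCert ONE login profile for AD FS
# (taken from the guide's example above).
GROUP_CLAIM_KEY = "http://schemas.xmlsoap.org/claims/Group"
REQUIRED_GROUP_DN = "CN=DigiCert Test Users,CN=Users,DC=test,DC=digicert,DC=com"

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample AttributeStatement: AD FS issuing the user's group DNs
# under the Group claim. Signature and other elements are omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>CN=Domain Users,CN=Users,DC=test,DC=digicert,DC=com</saml:AttributeValue>
      <saml:AttributeValue>CN=DigiCert Test Users,CN=Users,DC=test,DC=digicert,DC=com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def group_claims(assertion_xml: str, claim_key: str = GROUP_CLAIM_KEY) -> List[str]:
    """Return every value of the given claim (Attribute Name) in a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == claim_key:
            for val in attr.findall("saml:AttributeValue", SAML_NS):
                if val.text and val.text.strip():
                    values.append(val.text.strip())
    return values


def normalize_dn(dn: str) -> str:
    """Assumed comparison rule: DNs are case-insensitive; trim whitespace around RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_authorized(assertion_xml: str, required_dn: str = REQUIRED_GROUP_DN) -> bool:
    """True when the assertion carries the required group DN under the Group claim.

    A legacy '<NETBIOS_name/group_name>' string will never match, which is why the
    guide says the authorized-user format must be converted to the IdP's claim format.
    """
    wanted = normalize_dn(required_dn)
    return any(normalize_dn(g) == wanted for g in group_claims(assertion_xml))
```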
On DigiCert PKI Platform 8, suspend all certificate profiles currently used to issue certificates to users, to stop further issuance. Perform this step before users begin issuing certificates from the new platform, so that the two platforms never issue in parallel.
This step is required only if Group Policy Object (GPO) settings are configured for the PKI Client on your enterprise Domain Controller. Perform the following actions:
Suspend any GPO settings that you may have configured for the PKI Client.
Contact your Domain Controller administrator or refer to the DigiCert PKI Client Administrator’s Guide (available under Resources in the PKI Manager portal; see Chapters 3.6.5, 3.8, and 4) to confirm whether GPO settings are disabled.
After successfully disabling the GPO settings, launch Command Prompt as an administrator and run the following command to apply the changes in the GPO settings to all end-user machines:
$ gpupdate /force
This is an optional step, which you can skip based on your requirements. Manually export certificates from the PKI Client and import them into DigiCert Trust Assistant if all the following conditions apply:
Certificates are not key escrowed in DigiCert PKI Platform 8.
Certificates are stored in a software key store.
Users need to continue using these certificates.
Since new certificates will be issued from DigiCert ONE, old certificates are usually not needed unless you must decrypt data encrypted with them. Contact your DigiCert account representative if you need further clarification.
Refer to How to export certificates stored in the DigiCert PKI client for details on exporting certificates.
Uninstall DigiCert PKI Client from users’ machines using one of the following methods:
Operating system’s application uninstallation
For bulk uninstallation, use GPO or a device management solution. Refer to your vendor’s documentation for details.
Note
Make sure you reboot the machine after uninstallation.
To deliver DigiCert Trust Assistant to users using Group Policy, refer to Deliver DigiCert Trust Assistant using Group Policies for more details.
Note
This step is optional because during the initial sign-in, users can download and install DigiCert Trust Assistant directly through their browser if it’s not already installed. Since DigiCert Trust Assistant supports per-user installation, administrator privileges are not required.
Depending on the outcome of Step 5: Export Certificates from PKI Client, you may skip this step. For importing certificates into DigiCert Trust Assistant, refer to Import a certificate.
Refer to Deliver DigiCert ONE login URL to the users for more information on providing sign-in access to users.
Note
DigiCert recommends using extra-conf.json delivered via GPO. Refer to Configure via GPO or Device Management solution for more details on configuring extra-conf.json. Details about the sign-in configuration of extra-conf.json are available in the Sign in configuration section.
After users sign in to DigiCert Trust Assistant using your identity provider's authentication, DigiCert Trust Assistant checks all the profiles assigned to the user and performs the following actions:
If the certificate profile has Auto-enroll/renew certificates enabled, DigiCert Trust Assistant will automatically issue the certificate and notify the user of the outcome.
If the certificate profile has Auto-enroll/renew certificates disabled, DigiCert Trust Assistant will notify the user that a certificate is available for issuance, which the user can manually enroll through the application's Enrollment page.
If the certificate is successfully issued and the profile has a post-processing script configured, the script will be run. Refer to Post-processing scripts for more details.
After uninstallation, you can also remove the PKI Enterprise Gateway Group from your domain. This is a special security group created during the Enterprise Gateway installation and is assigned to the service that launches Enterprise Gateway to write certificate information to users.
If you created a dedicated user or service account to run Enterprise Gateway, you may delete that account as it is no longer needed.
Additionally, logs will remain under the default installation directory: C:\Program Files\DigiCert\PKIEnterpriseGateway
You may choose to remove this directory if it is no longer required.
After the migration process has completed, perform the following cleanup tasks to remove any remaining DigiCert PKI Client components: