Jellyfish

Live CA Migration

Consolidate your PKI without disruption 

Jellyfish Live CA Migration enables organisations to bring existing Certificate Authorities (CAs) under Jellyfish management while keeping current PKI services operational.

Instead of forcing a disruptive cutover, Jellyfish allows your existing CA and Jellyfish CA to operate in parallel. Jellyfish keeps certificate data and revocation status synchronised while your organisation gradually migrates applications, enrollment services, and integrations away from legacy PKI platforms. 

Jellyfish gives you a practical path to PKI modernisation without the risk, downtime, and operational pressure normally associated with CA migration. 

Modernise your CA without breaking your environment 

Traditional CA migrations have centred on a greenfield approach with an all-new PKI. When changing CA software, the only alternative has been a lengthy transition with careful outage planning, manual data handling, and high-risk cutover events. Jellyfish changes the migration model and frees you from your legacy systems.

  • Your current CA continues to operate 
  • Jellyfish CA is introduced as the modern CA technology 
  • Jellyfish keeps both environments aligned 
  • Your team migrates at a controlled pace 

Jellyfish acts as the central management and synchronisation layer across the transition, giving admins and operators a unified operational view while preserving business continuity.  

Another major benefit of this approach is that not all automations need to be moved at the same time. Where an organisation has many automation endpoints, these can be moved over days, weeks, or even months, rather than in a single big-bang change, as has traditionally been required.

This solution even brings additional capacity and resilience that the old platform may not have. On the services that have been transitioned, Jellyfish CA provides true high availability with the ability to scale resourcing quickly. 

A migration model built for enterprise reality 

Enterprise PKI is not isolated. Certificate Authorities are connected to identity platforms, applications, network services, smartcards, and more. 

Jellyfish Live CA Migration procedures are designed for this reality. 

We allow organisations to consolidate and modernise PKI operations while avoiding the disruption of replacing every integration, all at once. Existing systems continue to trust and use the current CA while new services are progressively moved to Jellyfish. 

Business Benefits 

Lower migration risk 

The existing CA is not switched off before Jellyfish CA is introduced. Jellyfish operates in concert with your existing infrastructure, becoming an HA participant within your environment. Existing issuing, validation, and integration services can continue to operate while Jellyfish synchronises and supports your environment.

Reduce operational disruption

Organisations avoid a single high-pressure cutover event. Migration can be performed in controlled phases aligned to business, application, and operational priorities, which reduces unplanned outages.

Centralised PKI visibility 

Jellyfish is a single pane of glass for PKI operations, helping teams consolidate certificate visibility, CA management, lifecycle data, and operational reporting. 

Better control over legacy environments 

Legacy CA platforms can be brought under Jellyfish management while the organisation transitions towards a modern, lean Jellyfish CA-based PKI architecture.

Flexible modernisation path

Teams can migrate certificate templates, enrollment services, application integrations, and operational processes over time.

Operational Outcomes 

With Jellyfish Live CA Migration, organisations can: 

  • Maintain continuity of existing PKI services 
  • Synchronise issued certificate records into Jellyfish 
  • Synchronise revocation information into Jellyfish Cog VA validation services 
  • Introduce Jellyfish CA as a future CA technology 
  • Move enrollment and application integrations gradually 
  • Reduce reliance on legacy CA administration tools 
  • Improve governance and certificate lifecycle oversight 
  • Retire legacy CA technology only when the organisation is ready 

Simplified migration strategy

  1. Configure CA Synchronisation

Connect Jellyfish to the existing CA and enable certificate synchronisation schedules. Synchronisation consists of a bulk load followed by continual updates, and it also gathers revocation information. With this information in place you benefit from Jellyfish straight away, because the CLM portion of the capability can be used before you transition anything at all.

  2. Map Templates and Policies

Create matching Jellyfish templates and Jellyfish CA profiles, keeping a familiar continuity of certificate issuing processes.

  3. Provision CA Signing Capability

Provide Jellyfish CA with access to the existing CA key material using the appropriate HSM, PKCS#11, or secure key migration method.

  4. Transition Validation Services

Update CA certificate, CRL and OCSP paths so validation services point to the Jellyfish Cog VA managed infrastructure. The Jellyfish CRL includes revocations for certificates issued by both Jellyfish CA and your existing CA software.

  5. Migrate Integrations Progressively

Now migrate existing services across as required.
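
The check below is an added example, not part of the Jellyfish product or this page. Before step 4 retargets the CRL paths, it compares the legacy CA's CRL with the consolidated CRL and reports legacy revocations that are missing or carry a later revocation date. Both CRL texts are constructed samples shaped like `openssl crl -text -noout` output; the serials and dates are invented for illustration.

```python
import re
from datetime import datetime

# Constructed samples shaped like `openssl crl -text -noout` output.
LEGACY_CRL_TEXT = """\
Revoked Certificates:
    Serial Number: 1A01
        Revocation Date: Mar  3 09:15:00 2025 GMT
    Serial Number: 1A02
        Revocation Date: Mar  4 11:00:00 2025 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 1A03
        Revocation Date: Mar  5 08:30:00 2025 GMT
"""
CONSOLIDATED_CRL_TEXT = """\
Revoked Certificates:
    Serial Number: 1A01
        Revocation Date: Mar  3 09:15:00 2025 GMT
    Serial Number: 1A02
        Revocation Date: Mar  6 00:00:00 2025 GMT
    Serial Number: 7F10
        Revocation Date: Mar  5 12:00:00 2025 GMT
"""

ENTRY = re.compile(
    r"Serial Number:\s*([0-9A-Fa-f]+)\s*\n\s*Revocation Date:\s*(.+?)\s*GMT")

def parse_revoked(crl_text):
    """Return {serial_as_int: revocation_datetime} from CRL text output."""
    revoked = {}
    for serial, when in ENTRY.findall(crl_text):
        # Collapse the double space openssl pads single-digit days with.
        stamp = datetime.strptime(" ".join(when.split()), "%b %d %H:%M:%S %Y")
        revoked[int(serial, 16)] = stamp
    return revoked

def reconcile(legacy_text, consolidated_text):
    """Report legacy revocations the consolidated CRL lacks or post-dates."""
    legacy = parse_revoked(legacy_text)
    merged = parse_revoked(consolidated_text)
    missing = sorted(s for s in legacy if s not in merged)
    later = sorted(s for s in legacy if s in merged and merged[s] > legacy[s])
    return {"missing": [f"{s:X}" for s in missing],
            "revoked_later": [f"{s:X}" for s in later],
            "safe_to_retarget": not missing and not later}

if __name__ == "__main__":
    print(reconcile(LEGACY_CRL_TEXT, CONSOLIDATED_CRL_TEXT))
```

Entries that exist only in the consolidated CRL (here `7F10`) are expected, since that CRL also carries revocations for certificates issued by the new CA.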

Supported Live CA Migration Technologies 

Jellyfish Live CA Migration supports all major enterprise CA platforms commonly found in mature PKI environments. 

Certificate Authority Migration Candidates 

  • Microsoft Active Directory Certificate Services (AD CS) 
  • Verizon UniCERT Certificate Authority 
  • EJBCA Community Edition 
  • EJBCA Enterprise Edition 
  • Entrust Authority Security Manager (EASM) 
  • OpenSSL 

Enrollment and Integration Technologies 

  • Microsoft Windows Auto-enrollment 
  • Microsoft XCEP / WSTEP profile-based enrollment 
  • ACME and SCEP 
  • CMPv2 and CMPv3 
  • RESTful API integrations 
  • PKCS and CMC based key and certificate handling 
  • CRL and OCSP validation services 

How Jellyfish Live CA Migration works 

Jellyfish Live CA Migration combines synchronisation services, CA configuration, key access, Jellyfish CA capability, and the transition of validation services to the Jellyfish Cog VA validation authority into a simple and controlled migration architecture.

Synchronisation Layer 

The sync layer connects the existing CA platform to Jellyfish and Jellyfish CA. 

For supported CA platforms, Jellyfish imports issued certificate data and revocation state so the target environment maintains an accurate, holistic view of the existing CA. The sync is designed to run consistently on a frequent schedule to ensure issuance and revocation actions are reflected immediately by the VA responders.

Template and Policy Alignment 

Where the source CA uses policies, profiles, or templates, equivalent Jellyfish Templates and Jellyfish CA Profiles are created and mapped. 

This provides a structured relationship and continuity between the source CA and the Jellyfish CLMS. 

CA Key and Cryptographic Access 

Jellyfish CA must be able to operate with the appropriate CA signing capability before it can fully assume issuing operations for the migrated CA identity. This, however, is not required for Jellyfish to operate as a CLM tool. Key access may include a connection to an HSM-backed CA key, PKCS#11 integration with an HSM-like appliance, protection set migration, key retargeting, or secure softkey migration.

Validation Authority Transition 

During a live migration, relying parties must continue to validate certificates correctly and accurately. 

Jellyfish supports the transition of CRL and OCSP services to Cog VA. Cog VA will then accurately reflect the revocation state of the combination of certificates revoked by the existing PKI and the modern Jellyfish PKI. Re-targeting CRL and AIA DNS to Cog VA is essential to retain a consolidated state of the PKI. 

Parallel Operation Model 

A key benefit of Jellyfish Live CA Migration is parallel operation. 

The source CA and Jellyfish CA can both continue operations: the existing PKI operates independently while Jellyfish synchronisation services maintain certificate and PKI state between environments.

Jellyfish CA Live Migration

Figure 1 - Live Migration