Inhaltsverzeichnis

Migration

Priority 3 - For existing PKI infrastructures
Target audience: PKI Administrators, Security Architects

Strategies and runbooks for migrating from classic to post-quantum-capable PKI infrastructures.

Overview

flowchart LR subgraph CLASSIC["CLASSIC"] C1[RSA-2048] C2[ECDSA P-256] end subgraph HYBRID["HYBRID"] H1[RSA + ML-DSA] H2[ECDSA + ML-DSA] end subgraph PQ["POST-QUANTUM"] P1[ML-DSA-65] P2[ML-DSA-87] end C1 --> H1 --> P1 C2 --> H2 --> P2 style CLASSIC fill:#ffebee style HYBRID fill:#fff3e0 style PQ fill:#e8f5e9

Migration Paths

Path Description Risk Duration
——————-—————-
Classic → Hybrid Gradual migration with backward compatibility Low 6-12 months
Parallel Operation Two PKIs simultaneously Medium 3-6 months
Big Bang Complete switchover High 1-3 months

Scenarios

Scenario Description Risk
Classic -> Hybrid Migrate RSA/ECDSA to hybrid mode Medium
Parallel Operation Operate classic + PQ simultaneously Low
Rollback Strategy Plan and test emergency fallback -
Certificate Inventory Inventory of all certificates Low

Migration Phases

gantt title PKI Migration Timeline dateFormat YYYY-MM section Preparation Inventory :a1, 2024-01, 1M Risk Analysis :a2, after a1, 1M Test Environment :a3, after a2, 2M section Pilot Pilot Group :b1, after a3, 2M Evaluation :b2, after b1, 1M section Rollout Infrastructure :c1, after b2, 2M Server Certs :c2, after c1, 3M Client Certs :c3, after c2, 3M section Completion Monitoring :d1, after c3, 1M Classic deactivate :d2, after d1, 1M

Decision Tree

flowchart TD A[Start migration] --> B{New PKI or existing?} B -->|New| C[Direct PQ/Hybrid] B -->|Existing| D{Compatibility requirement?} D -->|High| E[Parallel operation] D -->|Medium| F[Hybrid migration] D -->|Low| G[Big Bang] E --> H[Operate both PKIs] F --> I[Gradual upgrade] G --> J[Complete replacement] style C fill:#e8f5e9 style F fill:#fff3e0 style G fill:#ffebee

Prerequisites

Component Requirement
———–————-
OpenSSL 3.6+ (PQ support)
Clients Hybrid-capable TLS stacks
HSM PQ algorithms supported
Monitoring Dual-mode alerting

« <- Operator Scenarios | -> Classic -> Hybrid »

Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

, , , ,