Inhaltsverzeichnis
Migration
Priority 3 - For existing PKI infrastructures
Target audience: PKI Administrators, Security Architects
Strategies and runbooks for migrating from classic to post-quantum-capable PKI infrastructures.
Overview
flowchart LR
subgraph CLASSIC["CLASSIC"]
C1[RSA-2048]
C2[ECDSA P-256]
end
subgraph HYBRID["HYBRID"]
H1[RSA + ML-DSA]
H2[ECDSA + ML-DSA]
end
subgraph PQ["POST-QUANTUM"]
P1[ML-DSA-65]
P2[ML-DSA-87]
end
C1 --> H1 --> P1
C2 --> H2 --> P2
style CLASSIC fill:#ffebee
style HYBRID fill:#fff3e0
style PQ fill:#e8f5e9
Migration Paths
| Path | Description | Risk | Duration |
| —— | ————- | —— | ———- |
| Classic → Hybrid | Gradual migration with backward compatibility | Low | 6-12 months |
| Parallel Operation | Two PKIs simultaneously | Medium | 3-6 months |
| Big Bang | Complete switchover | High | 1-3 months |
Scenarios
| Scenario | Description | Risk |
|---|---|---|
| Classic -> Hybrid | Migrate RSA/ECDSA to hybrid mode | Medium |
| Parallel Operation | Operate classic + PQ simultaneously | Low |
| Rollback Strategy | Plan and test emergency fallback | - |
| Certificate Inventory | Inventory of all certificates | Low |
Migration Phases
gantt
title PKI Migration Timeline
dateFormat YYYY-MM
section Preparation
Inventory :a1, 2024-01, 1M
Risk Analysis :a2, after a1, 1M
Test Environment :a3, after a2, 2M
section Pilot
Pilot Group :b1, after a3, 2M
Evaluation :b2, after b1, 1M
section Rollout
Infrastructure :c1, after b2, 2M
Server Certs :c2, after c1, 3M
Client Certs :c3, after c2, 3M
section Completion
Monitoring :d1, after c3, 1M
Classic deactivate :d2, after d1, 1M
Decision Tree
flowchart TD
A[Start migration] --> B{New PKI or existing?}
B -->|New| C[Direct PQ/Hybrid]
B -->|Existing| D{Compatibility requirement?}
D -->|High| E[Parallel operation]
D -->|Medium| F[Hybrid migration]
D -->|Low| G[Big Bang]
E --> H[Operate both PKIs]
F --> I[Gradual upgrade]
G --> J[Complete replacement]
style C fill:#e8f5e9
style F fill:#fff3e0
style G fill:#ffebee
Prerequisites
| Component | Requirement |
| ———– | ————- |
| OpenSSL | 3.6+ (PQ support) |
| Clients | Hybrid-capable TLS stacks |
| HSM | PQ algorithms supported |
| Monitoring | Dual-mode alerting |
Related Documentation
- Business Migration Roadmap - Strategic planning
- Developer Migration - Code adjustments
- Crypto Modes - Hybrid vs. PQ
« <- Operator Scenarios | -> Classic -> Hybrid »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Zuletzt geändert: on 2026/01/30 at 01:32 AM
