Knowledge Base

Description

1.  Login to PKI Manager
2. Click on Manager certificate profiles
3. Click on a profile that is bound to an existing Symantec Shared CA
4. You will now see a new link named “Migrate profile”
   (ONLY if the new Shared ICA has been added by PKI Ops following the Re-key process)
   
5. Click on Migrate profile
6. On the Migrate profile page, you will be given the option to change the Friendly name of the profile, the Signature algorithm, Key size, and Validity period of the new profile:
   
   
   Note: the name of the new DigiCert Shared ICA that will be bound to this new profile is also displayed
7. Click Save
8. If successful, the following message will be displayed:
   
   
   
   
   Can’t add and fields to the Subject DN:
   
   
   Can’t modify Seat ID:
   
   
   Can’t modify email notifications:
   
   
   …but can enable/disable sending of email notifications (see “Send email notifications” radio button, to the chosen Recipient:
   
   
   Can’t modify languages and enrolment field names:
   
   
9. Test the new certificate profile. Note the following rules:
   • You cannot enroll or renew against the old migrated profile.
   • You cannot modify any of the fields in the new profile, with the exception of specifying the recipient of email notifications (either “Certificate user” or “Other recipient”).
   • You cannot delete the new profile since there is a profile migrating to it.
10. If you are migrating a profile configured for PKI Client Autoenrollment use-case (using AD as the Authentication method), you must disable email notifications to end users, in case you choose to eventually Delete the profile and automatically revoke all issued certs from it.
11. Once successful, you must complete the migration by clicking on the “Complete migrate profile” link:
    

CONCLUSION: The Profile Migration process facilitates the migration from 1 certificate profile to another, making use of a new CA, minimising the configuration time required, especially if customer has LOTS of customised profiles. However, if any modifications are expected to be done on the new profile, this process should NOT be used - a new certificate profile should be created instead, and all configuration options manually set and tested.