Digi-Sign, The Certificate Corporation
Published on Digi-Sign, The Certificate Corporation (http://www2.digi-sign.com)


Existing CA Transition Plan

Sample Digi-CA™ Transition Plan

The most substantial difference between Digi-CA™ [1] and other Traditional CA [2]s is the flexibility and capability that are central to the design of the PKI system. The ability to transfer from a different service provider is a powerful capability that is simply not available from alternative vendors.

Digi-CA™ allows for easy migration from one data centre, or system, to another in an almost seamless manner. The transfer can be accomplished either physically, through hardware transportation, or by secure software and data migration, whereby all software and database data is securely migrated in encrypted form from one location to another.

The following sub-sections provide details of the suggested project implementation stages for the transition plan. The plan is subject to decisions on the re-use of existing HSMs, or the export/import of existing CA private keys, and other project implementation considerations that will emerge during the Preliminary Analysis & Requirement Measurement stage of the project (stage 1):

        • 1. Preliminary Analysis & Requirement Measurement
        • 2. Trust Centre Setup
        • 3. Configuring Multi-Site LDAP Directory Services & LDAP Replication
        • 4. CA Hierarchy & PKI Logical Infrastructure Setup
        • 5. PKI Data Transfer & Existing Information Migration
        • 6. System Integration & Integration Testing
        • 7. Disaster Recovery Setup
        • 8. Functional, Operational & User Acceptability Testing [UAT]
        • 9. Training
        • 10. Production Launch


  • Preliminary Analysis & Requirement Measurement
    • 1. In-depth Digi-CAST™ [3] analysis of existing software and hardware architecture – understanding the concepts, the functional and the business requirements
    • 2. In-depth Digi-CAST™ analysis of existing application functional layers and associated data flow models and diagrams – understanding the concepts, functional and business requirements
    • 3. In-depth Digi-CAST™ analysis of existing application communication layers and associated data flow models and diagrams – understanding the concepts, functional and business requirements
    • 4. Digi-CAST™ - understanding architectural and functional model for the use of the current PKI system along with current certificate enrolment and installation processes
    • 5. Digi-CAST™ - establishing the requirements for Key Ceremony
    • 6. Digi-CAST™ - establishing whether the existing software, hardware and PKI architecture, in combination with the existing application functional and communication layers, has any weaknesses and whether it requires updates, modifications or improvements with respect to current commercial IT and PKI standards in common use
    • 7. Digi-CAST™ - reviewing and re-defining existing Certification Practice Statement [CPS] (if required) and associated Certificate Policy [CP]
    • 8. Digi-CAST™ - defining the methodology and procedural mechanism for PKI data transfer from the existing PKI system to the new Digi-CA™ PKI System
    • 9. Digi-CAST™ - establishing whether Digi-CA™ PKI System requires any related customisations to support specific functional and business requirements through the use of application APIs and custom policy controls
    • 10. Providing detailed information on the performed analysis, measurements and discoveries in the form of a Digi-CAST™ report


  • Trust Centre Setup
    • 1. Setup of a dedicated Digi-CA™ PKI system hardware and software infrastructure in a secure hosting data centre
    • 2. General testing of new hardware, software and network setup
    • 3. High availability testing of new hardware, software and network setup
    • 4. Backup and recovery tests of new software and network setup
    • 5. Performance testing of new hardware, software and network setup
    • 6. Finalising the setup and providing detailed information on performed activities and test results in the form of a Digi-CAST™ report


  • Configuring Multi-Site LDAP Directory Services & LDAP Replication
    • 1. Establishing a dedicated secure network channel between Trust Centre and local computer centres at two locations
    • 2. Testing the performance and security of the network communication channel between the Trust Centre [4] and each office location
    • 3. Installing and configuring LDAP directory service hardware and software for high availability in the local computer centres
    • 4. Setting up directory replication service [shadow: single-master/multiple-slave replication scheme] between the master LDAP directory service located in the Trust Centre and each slave local LDAP directory service located in each of the computer centres
    • 5. Testing the directory live replication service and high availability mechanisms
    • 6. Performance testing for directory replication service and high availability setup
    • 7. Finalising the setup and providing detailed information on performed activities and test results in the form of a Digi-CAST™ report


  • CA Hierarchy & PKI Logical Infrastructure Setup
    • 1. Performing a dry-run for Key Ceremony (if required) for CA and CA
    • 2. Performing a Key Ceremony (if required) for CA and CA and establishing new CA hierarchy
    • 3. Creating test instances of CA and CA private key and public key certificate data (for the period of test use only)
    • 4. Finalising the new CA setup and providing detailed information on performed activities and verification results in the form of a Digi-CAST™ report


  • PKI Data Transfer & Existing Information Migration
    • 1. PKI Data Testing
    • 2. Testing existing data
    • 3. Finalising the transfer and providing detailed information on performed activities and verification results in the form of a Digi-CAST™ report


  • System Integration & Integration Testing
    • 1. Providing the necessary API integration services for application integration with the Digi-CA™ PKI System Registration Authority and Certificate Distribution services
    • 2. Providing the necessary API integration services for application integration for certificate enrolment and installation
    • 3. Providing the necessary API integration services for X.500 directory service integration
    • 4. Providing the necessary API integration services for CRL and OCSP service integration
    • 5. Finalising the integration and providing detailed information on performed activities and integration results in the form of a Digi-CAST™ report


  • Disaster Recovery Setup
    • 1. Setup of basic and supplemental PKI services with software and hardware for disaster recovery in computer centres
    • 2. Testing disaster recovery features and performing disaster recovery simulation tests
    • 3. Finalising the setup and providing detailed information on performed activities, setup and test results in the form of a Digi-CAST™ report


  • Functional, Operational & User Acceptability Testing [UAT]
    • 1. End user key generation, certificate enrolment and installation tests
    • 2. Integration testing for application and Digi-CA™ PKI System Registration Authority Service
    • 3. Integration testing for application and Digi-CA™ PKI System X.500 directory services
    • 4. End user private key and public key certificate usability tests with applications
    • 5. End user public key certificate standard life cycle tests including certificate renewal after certificate expiration
    • 6. End user public key certificate custom life cycle tests including certificate revocation, suspension and de-suspension
    • 7. End user public key certificate life cycle test including certificate re-issuance after certificate revocation
    • 8. Integration testing for application and Digi-CA™ PKI System CRL and OCSP services
    • 9. Finalising the test phase and providing detailed information on performed activities and test results in the form of a Digi-CAST™ report


  • Training
    • 1. Provision of comprehensive Digi-CA™ PKI System documentation [5] in digital and paper format
    • 2. CA Administration staff training
    • 3. CA Security Administration staff training
    • 4. RA Administration staff training
    • 5. RA Operation staff training
    • 6. Finalising the training phase and providing detailed information on performed activities and test results in the form of a Digi-CAST™ report


  • Production Launch
    • 1. Switching CA hierarchy from test to production environment; Estimated time: 1 day
    • 2. Finalising the production launch and providing detailed information on performed activities, along with a summarised report for each phase of the project implementation, in the form of a Digi-CAST™ report



Source URL: http://www2.digi-sign.com/digi-ca/administrator/projects/transition

Links:
[1] http://www2.digi-sign.com/digi-ca
[2] http://www2.digi-sign.com/certificate+authority/traditional+ca
[3] http://www2.digi-sign.com/service/digi-cast
[4] http://www2.digi-sign.com/en/digi-trust/trusted+services+provider
[5] http://www2.digi-sign.com/books