Evaluating CA Capacity, Performance, and Scalability

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Organizations must agree upon a definition of acceptable CA performance. To determine the appropriate number of CAs and the best configuration for your CA infrastructure, you need to evaluate and address the factors in your organization that impact CA capacity, performance, and scalability. These include:

  • The number of certificates that you need to issue and renew.

  • The key lengths of the issuing CA certificates.

  • The type of hardware that is used for your CAs.

  • The number and configuration of the client computers that you need to support.

  • The quality of your network connections.

A stand-alone Windows Server 2003 CA supports more than 35 million certificates per physical CA without any degradation of performance.

An individual departmental certification authority running on a server with a dual processor and 512 megabytes (MB) of RAM can issue more than 2 million standard-key-length certificates per day. Even with an unusually large CA key, a single stand-alone CA with the appropriate hardware is capable of issuing more than 750,000 user certificates per day.

Using a greater number of small CAs with strategically located CRL distribution points reduces the risk that your organization might be forced to revoke and reissue all its certificates if a large CA is compromised. However, using a greater number of CAs might increase your administrative overhead.

For many organizations, the primary limitations to CA performance are the amount of physical storage available and the quality of the clients’ network connectivity to the CA. If too many clients attempt to access your CA over slow network connections, autoenrollment requests can be delayed.

Another significant factor is the number of roles that a CA server performs on the network. If a CA server is operating in more than one capacity in the network — for example, if it also functions as a domain controller — it can negatively impact the capacity and performance of the CA. It can also complicate the delegation of administration for the CA server. For this reason, unless your organization is extremely small, use your CAs only to issue certificates.

Some hardware components impact PKI capacity and performance more than others. When you are selecting the server hardware for your CAs, consider the following:

  • Number of CPUs. Large CA key sizes require more CPU resources. The greater the number of CPUs, the better the performance of the CA. CPU power is the most critical resource for a Windows Server 2003 certification authority.

    Note

    • Because of the architecture of their databases, Windows Server 2003 certification authorities are CPU-intensive and use a substantial amount of the disk subsystem. However, other hardware resources can also impact the performance of a CA when the system is put under stress.

  • Disk performance. In general, a high-performance disk subsystem allows for a faster rate of certificate enrollment. However, key length also impacts disk performance. With a shorter CA key length, the CPU has fewer calculations to perform per certificate and can therefore complete a larger number of operations in a given time. With longer CA keys, the CPU needs more time to issue each certificate, which results in a smaller number of disk input/output (I/O) operations per time interval.

  • Number of disks. You can improve performance slightly by using separate physical disks for the database and log files. You can improve performance significantly by placing the database and log files on RAID or striped disk sets. In general, the drive that contains the certification authority database is used more than the drive hosting the log file.

    Note

    • Using separate logical disks does not provide any performance advantages.

  • Amount of memory. The amount of memory that you use does not have a significant impact on CA performance, but it must meet general system requirements.

  • Hard disk capacity. Certificate key length does not affect the size of an individual database record. Therefore, the size of the CA database increases linearly as more records are added. In addition, the higher the capacity of the hard disk, the greater the number of certificates that a CA can issue.

    Tip

    • Plan for your hard disk requirements to grow over time. In general, every certificate that you issue requires 17 kilobytes (KB) in the database and 15 KB in the log file.
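The sizing figures above (17 KB per certificate in the database, 15 KB in the log file) and the per-CA ceilings quoted earlier on this page (2 million certificates per day with standard keys, 750,000 with an unusually large CA key, 35 million certificates per physical CA) can be turned into a simple planning calculation. The following script is an added example, not part of the original article or of Windows Server; the renewal model (every certificate is renewed once per validity period, and records are never removed from the database) and the sample workload are constructed assumptions.

```python
"""Capacity planner built from the figures quoted in the article: 17 KB per certificate in
the database, 15 KB in the log, 2,000,000 certificates/day with standard keys (750,000 with
an unusually large CA key) and 35,000,000 certificates per physical CA. Added example."""
import math
from dataclasses import dataclass

DB_KB_PER_CERT, LOG_KB_PER_CERT = 17, 15
MAX_CERTS_PER_CA = 35_000_000
DAILY_CEILING = {"standard": 2_000_000, "large": 750_000}


@dataclass
class Workload:
    subjects: int           # users and computers enrolling in year 0 (constructed input)
    certs_per_subject: int  # templates each subject holds at once
    validity_years: int     # lifetime; assumption: each cert is renewed once per lifetime
    growth_rate: float      # yearly growth of the subject count (0.1 == 10 %)
    horizon_years: int      # planning window

def subjects_in_year(w: Workload, year: int) -> int:
    return round(w.subjects * (1 + w.growth_rate) ** year)

def yearly_issuance(w: Workload) -> list[int]:
    """Year 0 is the initial enrollment; later years add renewals of the
    installed base plus first certificates for newly added subjects."""
    issued = [w.subjects * w.certs_per_subject]
    for year in range(1, w.horizon_years):
        prev, cur = subjects_in_year(w, year - 1), subjects_in_year(w, year)
        renewals = round(prev * w.certs_per_subject / w.validity_years)
        issued.append((cur - prev) * w.certs_per_subject + renewals)
    return issued

def storage_kb(total_certs: int) -> tuple[int, int]:
    """Database and log growth in KB; records are never removed, so growth is linear."""
    return total_certs * DB_KB_PER_CERT, total_certs * LOG_KB_PER_CERT

def min_cas_for_rate(certs_per_day: int, key_size: str = "standard") -> int:
    """Fewest CAs whose combined daily issuance ceiling covers the peak rate."""
    return max(1, math.ceil(certs_per_day / DAILY_CEILING[key_size]))

def plan(w: Workload, rollout_days: int, key_size: str = "standard") -> dict:
    issued = yearly_issuance(w)
    total = sum(issued)
    db_kb, log_kb = storage_kb(total)
    peak = math.ceil(issued[0] / rollout_days)  # initial enrollment is the peak load
    return {"total_certs": total, "db_gb": round(db_kb / 1024**2, 2),
            "log_gb": round(log_kb / 1024**2, 2), "peak_per_day": peak,
            "cas_for_rate": min_cas_for_rate(peak, key_size),
            "cas_for_records": max(1, math.ceil(total / MAX_CERTS_PER_CA))}
```

For a constructed workload of 50,000 subjects holding two one-year certificates each, growing 10 % a year over five years, `plan(Workload(50_000, 2, 1, 0.10, 5), rollout_days=30)` projects about 610,000 records, roughly 9.9 GB of database and 8.7 GB of log growth, and a peak of 3,334 certificates per day, well within a single CA.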

The type of hardware that your clients use can also impact performance. When you are selecting or evaluating the capabilities of the hardware for your CA clients, consider the following:

  • Key length. The greater the key length of a requested certificate, the greater the impact on the CPU of the server hosting the CA.

  • Network bandwidth. Assuming that the CA is not serving in more than one capacity, a 100-megabit network connection is sufficient to prevent performance bottlenecks.

As you plan your CA infrastructure, you also need to ensure that your design is flexible enough to accommodate changes to your organization. For example, you need to be able to accommodate:

  • Changes in the functionality that you require from your public key infrastructure.

  • Growth or decline in demand for certificates.

  • The addition or removal of locations that CAs need to serve.

  • The effect of revocation. Revoking large numbers of certificates can take several minutes and increase the size of the database.

Using multiple CAs is an excellent way to ensure that your infrastructure can support enterprise scalability. The use of multiple CAs, even for organizations with minimal certificate requirements, provides the following advantages:

  • Greater reliability. If you need to take an individual CA offline for maintenance or backup, another CA can service its requests.

  • Scalability. Increases in demand, either from new users or from new applications, can be accommodated more easily.

  • Distributed administration. Many organizations distribute security administration across a number of IT administrators to prevent one individual or team from controlling the entire security technology infrastructure of the organization.

  • Improved availability. Users in remote offices can access a CA that is local to them rather than accessing a CA across slow Wide Area Network (WAN) links.

Note

  • You can reorganize your CA infrastructure by adding or removing a CA and its associated users from a CA hierarchy. However, you cannot move a subset of users on a single CA to a new CA without forcing the users to re-enroll with the new CA.