Scaling for high volume installations

Some PKI Services installations manage many certificates and certificate requests. The following guidelines can help you scale your system to maintain high performance in a high volume environment.

Guidelines:
  1. Use distribution point CRLs if you average more than 500 revoked non-expired certificates at any given time. For more information, see Customizing distribution point CRLs.
  2. If you anticipate having many certificate requests pending approval at any given time, implement a PKI exit to automate the approval process. (For more information, see Customizing with installation exit routines.) This need arises from a human limitation rather than a technical one: it becomes nearly impossible to manually approve the requests when the volume grows too high.
  3. To prevent name collisions in the LDAP directory, ensure that the subject distinguished names are unique. This can be done either by implementing a PKI exit to supply a unique name, or by enforcing the use of the MAIL= distinguished name attribute where you require the email address to be unique.
  4. Queries against the request or ICL database can time out if the database contains many records. The performance of the query can be vastly improved by supplying the requester's name as an additional search criterion, provided that the saved requester data is meaningful to your organization and can be recalled. In this case, a PKI exit can be used to supply a meaningful value, such as a Lotus® Notes® short name or customer account number.
  5. Keep the size of the request and ICL databases small by quickly removing records that are no longer needed. This can be done by setting low values for the following fields in the ObjectStore section of the PKI Services configuration file (pkiserv.conf):
    • RemoveCompletedReqs
    • RemoveInactiveReqs
    • RemoveExpiredCerts
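
One way to check guideline 5 on a copy of pkiserv.conf is sketched below. This is an added example, not IBM-supplied code. It assumes each value is a number followed by d (days) or w (weeks) and that lines starting with # are comments; the sample file contents and the thresholds in LIMITS_DAYS are constructed for illustration.

```python
import re

# Constructed sample of a pkiserv.conf fragment (values are illustrative).
SAMPLE_CONF = """\
[ObjectStore]
RemoveCompletedReqs=1w
RemoveInactiveReqs=12w
[CertPolicy]
RemoveExpiredCerts=1d
"""

# Illustrative thresholds in days, chosen for this example only.
LIMITS_DAYS = {"RemoveCompletedReqs": 7, "RemoveInactiveReqs": 28,
               "RemoveExpiredCerts": 182}
UNIT_DAYS = {"d": 1, "w": 7}  # assumed unit letters: days and weeks


def objectstore_settings(conf_text):
    """Return key/value pairs found in the [ObjectStore] section only."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumed comment syntax
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
        elif section == "ObjectStore" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            found[key] = value
    return found


def audit_retention(conf_text, max_days=LIMITS_DAYS):
    """Map each retention key to 'ok', 'too long', 'missing' or 'unparsable'."""
    settings, report = objectstore_settings(conf_text), {}
    for key, limit in max_days.items():
        value = settings.get(key)
        match = re.fullmatch(r"(\d+)([dw])", value or "")
        if value is None:
            report[key] = "missing"  # not set in [ObjectStore] at all
        elif not match:
            report[key] = "unparsable"
        else:
            days = int(match.group(1)) * UNIT_DAYS[match.group(2)]
            report[key] = "ok" if days <= limit else "too long"
    return report


if __name__ == "__main__":
    print(audit_retention(SAMPLE_CONF))
```

In the constructed sample, RemoveExpiredCerts is reported as missing because it sits under a different section header, the kind of misplacement that leaves a retention setting out of the ObjectStore section where the guideline expects it.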