Some PKI Services installations
manage a large number of certificates and certificate requests. The
following guidelines can help you scale your system to maintain high
performance in a high volume environment.
Guidelines:
- Use distribution point CRLs if you will average more than 500
revoked non-expired certificates at any given time. For more information,
see Customizing distribution point CRLs.
- If you anticipate having a large number of certificate requests
pending approval at any given time, implement a PKI exit to automate
the approval process. For more information, see Customizing with installation exit routines.
This need arises from a human limitation rather than a technical
one: manually approving requests becomes nearly impossible
when the volume grows too high.
- To prevent name collisions in the LDAP directory, ensure that
the subject distinguished names are unique. This can be done either
by implementing a PKI exit to supply a unique name, or by enforcing
the use of the MAIL= distinguished name attribute
where you require the e-mail address to be unique.
- Queries against the request or ICL database can time out if the
database contains a large number of records. The performance of the
query can be vastly improved by supplying the requestor's name as
additional search criteria, provided the saved requestor data is meaningful
to your organization and can be recalled. In this case, a PKI exit
can be used to supply a meaningful value, such as a Lotus® Notes® short
name or customer account number.
- Keep the size of the request and ICL databases small by quickly
removing records that are no longer needed. This can be done by setting
low values for the following fields in the ObjectStore section
of the PKI Services configuration
file (pkiserv.conf):
  - RemoveCompletedReqs
  - RemoveInactiveReqs
  - RemoveExpiredCerts
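As an added illustration (not a fragment from the product documentation or a shipped sample file), the ObjectStore section of pkiserv.conf might be tuned like this for a high-volume installation. The `[Section]` header and `keyword=value` layout follow the file's INI-style format; the retention values and time units shown are assumptions chosen for illustration, not product defaults.

```ini
# Added example: ObjectStore settings tuned for a high-volume
# PKI Services installation. Values are illustrative assumptions.
[ObjectStore]

# Remove completed (approved or rejected) requests soon after they
# finish, so the request database stays small and queries stay fast.
RemoveCompletedReqs=1d

# Remove requests that never completed (for example, never picked up
# by the requestor) just as quickly.
RemoveInactiveReqs=1d

# Purge expired certificates from the ICL shortly after expiry.
# Revoked certificates that have not yet expired are not affected by
# this setting, so they continue to appear on CRLs as required.
RemoveExpiredCerts=1w
```

Shorter retention means less history is available for later queries of the request or ICL database, so set these values as low as your record-keeping needs allow rather than as low as possible.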