What is the maximum number of certificates a certification authority can store?

Answers

  • Here is what I found:

     

    Enterprise Design for Certificate Services http://www.microsoft.com/technet/solutionaccelerators/wssra/raguide/CertificateServices/CrtSevcBP_2.mspx#EMRBG

     

    Scalability

    Capacity planning for certificate services concerns the number of certificates that can be maintained by a CA and the number of certificates that can be issued within a given period of time. A rule of thumb is that an organization should be able to enroll certificates within 12 hours. In other words, you should be able to re-enroll all end-entity certificates within one night after an unplanned CA renewal.

    Utilization of the CA depends on:

    Number of certificate requesters

    Enrollment mechanism

    Validity period of certificates

    For each group with similar certificate requirements (for example, trust levels), a few powerful CAs are preferred over a larger number of less powerful CAs. As the number of CAs increases it becomes more difficult to find out which CA has enrolled a specific end-entity certificate.

    The Windows 2000 CA has been tested to issue more than 7 million certificates, whereas the Windows Server 2003 CA has been tested to issue more than 35 million certificates on a single four-processor, Intel-based computer. The database did not reach its maximum size limit in either of the test scenarios.

    CA scalability differs between stand-alone and enterprise CAs. A stand-alone CA can enroll more certificates within a time period because there is no key recovery functionality, and it does not publish certificates into Active Directory. The performance of an enterprise CA is affected by the domain controller that writes certificate-related data into Active Directory. Also, a user can have no more than 800 certificates at a time. For more information on the limit of certificates in Active Directory, refer to the “Cannot Publish More Than 800 Certificates to Active Directory Object” article at the following URL:

    http://support.microsoft.com/default.aspx?scid=282088

     

    This article did not open ))

    Performance

    "An individual departmental certification authority running on a server with a dual processor and 512 MB of RAM can issue more than 2 million standard key length certificates per day. Even with an unusually large CA key, a single stand-alone CA with the appropriate hardware is capable of issuing more than 750,000 user certificates per day."

    This quote is taken from the "Designing a Public Key Infrastructure" document on TechNet, which contains a great deal of helpful information. The document is available at the following URL:

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/a4c32629-5c61-4726-b1ac-542ebd06534d.mspx 

     

    The 2008 version, I think, is no worse )))

     

    In any case, if you hit the limit, there are subordinate CAs and group policies for distributing certificate enrollment requests.

    • Proposed as answer by Eugene M' 17 February 2009, 15:41
    • Marked as answer by Vinokurov Yuriy 17 August 2009, 12:33
    1 September 2008, 10:16
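
The 800-certificate limit on an Active Directory object mentioned in the quoted text can be watched before it blocks publishing. The following is an added example, not part of the original post or of the quoted Microsoft documents; it assumes the ActiveDirectory PowerShell module (RSAT) is available, and the 75% warning threshold is an arbitrary choice.

```powershell
# Added example: report how close each AD user object is to the
# 800-certificate limit quoted above, and how many of the published
# certificates are already expired (candidates for cleanup).
Import-Module ActiveDirectory

$Limit     = 800      # per-object limit stated in the quoted document
$WarnRatio = 0.75     # assumed warning threshold, adjust as needed
$Now       = Get-Date

Get-ADUser -LDAPFilter '(userCertificate=*)' -Properties userCertificate |
    ForEach-Object {
        $values  = @($_.userCertificate)   # each value is a DER-encoded certificate
        $expired = 0
        $invalid = 0
        foreach ($raw in $values) {
            try {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
                if ($cert.NotAfter -lt $Now) { $expired++ }
            } catch {
                $invalid++                 # value could not be parsed as a certificate
            }
        }
        [pscustomobject]@{
            User      = $_.SamAccountName
            Published = $values.Count
            Expired   = $expired
            Invalid   = $invalid
            NearLimit = ($values.Count -ge ($Limit * $WarnRatio))
        }
    } |
    Sort-Object Published -Descending |
    Format-Table -AutoSize
```

Accounts with a high `Expired` count are the first place to reclaim headroom, since expired certificates still count toward the per-object limit until they are removed from the attribute.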

All replies

  • I have not seen such figures. Given that the CA is designed to serve AD, which scales to tens of thousands of accounts, there should be no implementation limits of any kind.

    Actual performance is another matter. It certainly exists, i.e. the certificate store is a Jet database. Moreover, there is a limit on the number of simultaneous sessions. For Windows 2003 this was 20 sessions, plus the possibility of increasing it to 30 (and even more). I suppose this has not changed much in Windows 2008, if it has changed at all.

    1 September 2008, 9:27
    Moderator