When IT professionals design a public key infrastructure (PKI) and deploy certification authorities (CAs), a common question is "What kind of performance can I expect?" This is a difficult question to answer: the hardware, the CA design, the client computers (in many cases), and certainly the network infrastructure all come into play when you try to estimate how long it takes to obtain, renew, or validate a certificate from the client's perspective. Often, IT professionals are more concerned with how many requests the CA they implemented can process in a given period. This article attempts to give IT professionals an idea of what they can expect; it is a collection of performance statistics reported by people with existing CA deployments.

Certificate Services Performance Example 1

The test used a 2.4 GHz, 4-socket, quad-core machine with 64 GB of RAM and Hyper-V enabled. The Hyper-V host ran 10 CA virtual machines (VMs); each VM was assigned a single virtual CPU (vCPU) and 6 GB of memory. All 10 CA VMs were connected to an nCipher netHSM 2000. To generate load, each CA VM was paired with a single Active Directory Domain Services (AD DS) domain controller and five client computers. Each of these was assigned a single vCPU and 2 GB of memory and was separated from the CA by a WAN simulator that added latency and throughput constraints, based on an actual customer's network topology. Using a load-generation tool, each client was configured to open 4 request sessions and request 1,000,000 certificates with 2 KB (2048-bit) keys per session.
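The client side of a setup like this can be reproduced with stock Windows tooling. The script below is an added example, not the load tool used in the scale test or code from the original article: each background job plays one request session, looping over "generate a 2 KB (2048-bit) RSA key and PKCS#10 request with certreq -new, submit it with certreq -submit, classify the outcome". The CA config string (host\CA name) and the template name are placeholders you must replace, and the script assumes it runs elevated because the INF asks for a machine key.

```powershell
# Added example (not part of the original article or the referenced scale test):
# a small AD CS load generator modelled on the setup above. Every session loops
# "generate a 2048-bit RSA key + PKCS#10 request, submit it, classify the result".
# Assumptions: the CA config string and template name below are placeholders,
# and the script runs elevated (MachineKeySet = TRUE needs local admin rights).
param(
    [string]$CaConfig   = 'ca01.contoso.com\Contoso Issuing CA',  # assumption: "host\CA common name"
    [string]$Template   = 'User',      # assumption: a template this account may enroll for
    [int]   $Sessions   = 4,           # the scale test opened 4 request sessions per client
    [int]   $PerSession = 50,          # the scale test used 1,000,000; keep small for a smoke test
    [string]$WorkDir    = "$env:TEMP\adcs-load"
)

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null

$worker = {
    param($CaConfig, $Template, $PerSession, $WorkDir, $SessionId)
    $issued = 0; $pending = 0; $failed = 0
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    for ($i = 0; $i -lt $PerSession; $i++) {
        $base = Join-Path $WorkDir ("s{0}-r{1}" -f $SessionId, $i)
        # INF consumed by certreq -new: 2 KB (2048-bit) RSA key in the CNG software KSP
        @"
[NewRequest]
Subject = "CN=loadtest-$SessionId-$i"
KeyLength = 2048
KeyAlgorithm = RSA
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$base.inf" -Encoding ASCII

        # Key generation happens here, on the client; it is part of what the client "sees"
        & certreq.exe -new -q "$base.inf" "$base.req" | Out-Null
        if ($LASTEXITCODE -ne 0) { $failed++; continue }

        $out = (& certreq.exe -submit -q -config $CaConfig "$base.req" "$base.cer" 2>&1) -join "`n"
        if     ($out -match 'Issued')  { $issued++ }
        elseif ($out -match 'pending') { $pending++ }   # Taken Under Submission (manager approval)
        else                           { $failed++ }
    }
    $sw.Stop()
    [pscustomobject]@{
        Session = $SessionId; Issued = $issued; Pending = $pending; Failed = $failed
        Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 1)
    }
}

# One background job per request session, all hitting the same CA concurrently
$jobs = 1..$Sessions | ForEach-Object {
    Start-Job -ScriptBlock $worker -ArgumentList $CaConfig, $Template, $PerSession, $WorkDir, $_
}
$results = $jobs | Wait-Job | Receive-Job
$jobs | Remove-Job

$results | Format-Table Session, Issued, Pending, Failed, Seconds -AutoSize
$total = ($results | Measure-Object -Property Issued  -Sum).Sum
$wall  = ($results | Measure-Object -Property Seconds -Maximum).Maximum
'{0} certificates issued by {1} sessions in {2}s = {3:N1} issued/sec (client view, key generation included)' -f `
    $total, $Sessions, $wall, ($total / [math]::Max($wall, 0.001))
```

Two caveats before scaling this up. The rate it prints is the client's view, which includes key generation and the network path, so it is a lower bound on what the CA itself can sustain. And every iteration leaves a machine private key in the software KSP; on a client that has run many iterations, clean those up (certutil -key lists them, certutil -delkey removes them) rather than letting the key store grow with the test.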

In less than 24 hours, the CA VMs had issued more than 20 million certificates from the single physical system. The following observations were made during the test:

  • Per-VM CPU load was approximately 25%, and total host CPU load was about 20%.
  • The CA VMs required relatively little memory, even though this was at the high end of the anticipated load; CA VM density per chassis could go to 30:1 (2 GB per VM).
  • The performance bottleneck in this design was the hardware security module (HSM). As the number of CA VMs was increased and stressed, the requests per second per CA fell significantly, from over 100 to approximately 18 to 20, giving a net issuance rate for the entire chassis of about 200 per second.
  • Investigating the HSM confirmed that it was the gating component: in its status display, the 150-entry request queue was persistently nearly saturated and its CPU was pegged at a consistent 85%.
Reference: Scale testing the world’s largest PKI… all running on WS08R2 and Hyper-V
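The signature of an HSM-bound CA in the observations above is idle CPU on the CA hosts alongside a flat issuance rate. The following script is an added example (not from the scale test or the referenced write-up) for checking that on your own CA: it samples the AD CS performance counters for issuance rate, total request processing time and cryptographic signing time, then cross-checks the counter figures against what the CA database actually recorded. It assumes it runs on the CA itself, that the "Certification Authority" counter set (Windows Server 2008 and later) uses the counter names shown (confirm with Get-Counter -ListSet), and that certutil's date restriction accepts the current locale's short date and time format.

```powershell
# Added example (not from the scale test write-up): sample the CA-side issuance
# rate and signing latency so you can tell an HSM-bound CA from a CPU-bound one.
# Assumptions: the AD CS counter set "Certification Authority" (Windows Server 2008
# and later) exposes the counter names used below (verify with
#   Get-Counter -ListSet 'Certification Authority' | Select-Object -ExpandProperty Counter ),
# certutil parses the current locale's short date/time format, and the script
# runs on the CA itself.
param(
    [int]$Samples  = 12,
    [int]$Interval = 5      # seconds between samples
)

function Get-CaThroughputSample {
    $paths = @(
        '\Certification Authority(*)\Issued Requests/sec',
        '\Certification Authority(*)\Request processing time (ms)',
        '\Certification Authority(*)\Request cryptographic signing time (ms)',
        '\Processor(_Total)\% Processor Time'
    )
    $set = Get-Counter -Counter $paths -ErrorAction Stop
    $v = @{}
    foreach ($c in $set.CounterSamples) {
        # Paths come back lower-cased, e.g. \\host\certification authority(ca)\issued requests/sec
        $v[($c.Path -split '\\')[-1]] = [math]::Round($c.CookedValue, 1)
    }
    [pscustomobject]@{
        Time       = $set.Timestamp.ToString('HH:mm:ss')
        IssuedPerS = $v['issued requests/sec']
        ProcMs     = $v['request processing time (ms)']
        SignMs     = $v['request cryptographic signing time (ms)']
        CpuPct     = $v['% processor time']
    }
}

function Get-IssuedCountSince {
    param([datetime]$Since)
    # Disposition 20 = issued. Restrict on the submission time rather than NotBefore:
    # the CA backdates NotBefore (10 minutes by default) to tolerate clock skew.
    $restrict = 'Disposition=20,Request.SubmittedWhen>=' + $Since.ToString('g')
    $rows = & certutil.exe -view -restrict $restrict -out RequestID csv 2>$null
    @($rows | Where-Object { $_ -match '^"?\d+' }).Count   # data rows start with the numeric Request ID
}

$start   = Get-Date
$samples = foreach ($n in 1..$Samples) {
    Get-CaThroughputSample
    if ($n -lt $Samples) { Start-Sleep -Seconds $Interval }
}
$samples | Format-Table -AutoSize

$avgRate = ($samples | Measure-Object IssuedPerS -Average).Average
$avgProc = ($samples | Measure-Object ProcMs     -Average).Average
$avgSign = ($samples | Measure-Object SignMs     -Average).Average
$avgCpu  = ($samples | Measure-Object CpuPct     -Average).Average
'avg {0:N1} issued/sec; request {1:N1} ms, of which signing {2:N1} ms; CPU {3:N1}%' -f $avgRate, $avgProc, $avgSign, $avgCpu

# Rule of thumb from the scale test above: idle CPU plus a flat issuance rate with
# signing time dominating request time points at the HSM (or its network path).
if ($avgCpu -lt 50 -and $avgProc -gt 0 -and ($avgSign / $avgProc) -gt 0.5) {
    'Signing dominates request time while CPU is idle: suspect the HSM, not the CA host.'
}

# Cross-check against the CA database: what was actually written since sampling began
$elapsed = ((Get-Date) - $start).TotalSeconds
$dbCount = Get-IssuedCountSince -Since $start
'CA database: {0} certificates issued since {1:T} ({2:N1}/sec)' -f $dbCount, $start, ($dbCount / [math]::Max($elapsed, 1))
```

Run it while the load generator is active and raise the number of CA VMs (or client sessions) between runs. If the issuance rate stops climbing while CPU stays low and the signing share of request time grows, the signing path is the limit; the same rising signing time with a near-idle CA host is what the netHSM queue and CPU figures above show from the HSM's side.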

Certificate Services Performance Example 2

Provided by a field consultant.

Hardware Specifics

  • Processor: 2 × Dual-Core AMD Opteron 2216, 2400 MHz (2 cores, 2 logical processors per socket)
  • Installed physical memory (RAM): 4.00 GB
  • Hard drives: 8 × 136 GB SCSI drives (1 drive for the OS, 7 drives in RAID 0 for database storage; RAID 0 stripes for throughput and provides no redundancy, so this is a test configuration)

CA Statistics

  • Rows in database: 100,565,869
  • Log files created: 1,462,812 (enough to observe the ESE log file names roll over to the longer naming format)
  • DB size: 871 GB (936,160,403,456 bytes)
  • Time to reach 100M rows: ~9.5 days
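The figures above work out to roughly 9.3 KB of database per row, which is the number you want for sizing a CA volume. The script below is an added example, not part of the consultant's report: it computes that ratio from the report's numbers and then from a live CA, reading the database and log paths from the CertSvc registry configuration and projecting growth per day and days until the volume fills. It assumes the operator supplies the current row count (the highest Request ID is a good proxy, since IDs are sequential) and defaults to the ~100 rows/s this CA sustained.

```powershell
# Added example (not from the consultant's report): estimate CA database growth
# from its on-disk footprint. Reads the DB and log paths from the CertSvc
# registry configuration, then projects bytes per row and days until the
# volume fills. Assumptions: the operator supplies the current row count
# (for example the highest Request ID, since IDs are sequential), and the
# rows-per-second default is the ~100/s this report sustained.
param(
    [Parameter(Mandatory)][long]$RowCount,
    [double]$RowsPerSecond = 100
)

function Get-CaCapacityEstimate {
    param([long]$DbBytes, [long]$LogBytes, [long]$Rows, [double]$RowsPerSecond, [long]$FreeBytes)
    $perRow       = $DbBytes / [math]::Max($Rows, 1)
    $growthPerDay = $perRow * $RowsPerSecond * 86400
    [pscustomobject]@{
        DbGB           = [math]::Round($DbBytes  / 1GB, 1)
        LogGB          = [math]::Round($LogBytes / 1GB, 1)
        BytesPerRow    = [math]::Round($perRow)
        GrowthGBPerDay = [math]::Round($growthPerDay / 1GB, 1)
        DaysUntilFull  = if ($growthPerDay -gt 0) { [math]::Round($FreeBytes / $growthPerDay, 1) } else { [double]::PositiveInfinity }
    }
}

# The report's own numbers, for comparison with the live CA: about 9.3 KB per row
Get-CaCapacityEstimate -DbBytes 936160403456 -LogBytes 0 -Rows 100565869 -RowsPerSecond 100 -FreeBytes 0 |
    Select-Object BytesPerRow, GrowthGBPerDay | Format-List

# Live values from this CA: DBDirectory / DBLogDirectory are the CertSvc configuration values
$cfg      = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$dbFiles  = Get-ChildItem -Path $cfg.DBDirectory    -Filter '*.edb'
$logFiles = Get-ChildItem -Path $cfg.DBLogDirectory -Filter 'edb*.log'
$dbBytes  = ($dbFiles  | Measure-Object Length -Sum).Sum
$logBytes = ($logFiles | Measure-Object Length -Sum).Sum
$free     = (Get-PSDrive -Name (Split-Path -Qualifier $cfg.DBDirectory).TrimEnd(':')).Free

"Database: $($dbFiles.Name -join ', ') in $($cfg.DBDirectory); $($logFiles.Count) ESE log files in $($cfg.DBLogDirectory)"
Get-CaCapacityEstimate -DbBytes $dbBytes -LogBytes $logBytes -Rows $RowCount -RowsPerSecond $RowsPerSecond -FreeBytes $free
```

Bytes per row depends on what the CA stores (request and certificate blobs, key sizes, attributes, whether pending and failed requests are retained), so measure it on your own CA after a representative burst rather than reusing the figure from this report. The log directory matters too: ESE log files accumulate until a backup truncates them, so a CA that is never backed up grows the log volume alongside the database.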

Certificate Request Statistics

  • Windows Server 2000 Standard, RSA (Rivest-Shamir-Adleman) keys using the Microsoft Software Key Storage Provider (KSP)
  • 3:1 ratio of issued to pending/failed
  • Requests per second: ~100

<Please feel free to contribute additional examples, and don't worry about formatting; I will watch this article and clean it up as much as I can.>