Retired Microsoft Blog disclaimer

This directory is a mirror of retired "Windows PKI Team" TechNet blog and is provided as is. All posting authorship and copyrights belong to respective authors.

Posts on this page:

Original URL: https://blogs.technet.microsoft.com/pki/2010/03/08/what-ca-types-are-supported-for-clustering/
Post name: What CA types are supported for clustering?
Original author: MS2065 [MSFT]
Posting date: 2010-03-08T11:37:57+00:00


There are two types of certification authorities: Standalone and Enterprise. Only Enterprise certification authorities have been tested for clustered installations.

A very short but possibly important statement.

Original URL: https://blogs.technet.microsoft.com/pki/2010/02/10/whitepaper-hspd-12-logical-access-authentication-and-active-directory-domains/
Post name: Whitepaper “HSPD-12 Logical Access Authentication and Active Directory Domains”
Original author: MS2065 [MSFT]
Posting date: 2010-02-10T14:48:20+00:00


This document explains the interdependencies between Active Directory Domain Services (AD DS) and Public Key Infrastructure (PKI) related to Homeland Security Presidential Directive 12 (HSPD-12) smart card logon. Topics concerning the Federal PKI Common Policy Root certificate, Extended Key Usage (EKU) requirements and validation of Personal Identity Verification (PIV) authentication certificates for smart card logon are addressed. This document is written for enterprise information technology professionals who are planning or implementing PIV-II smart card logon in accordance with the HSPD-12 directive. It is assumed that the audience for this document has basic knowledge of Public Key Infrastructure and Smart Card concepts.

Original URL: https://blogs.technet.microsoft.com/pki/2010/01/11/windows-ca-performance-numbers/
Post name: Windows CA Performance Numbers
Original author: oshekel
Posting date: 2010-01-11T21:38:00+00:00


Below are some numbers we measured when testing the Windows CA in our lab environment.

Note that the numbers will vary and depend on many factors (network topology, request types, other server workloads, etc.). However, they are a good starting point for capacity planning and can later be verified in a pre-production environment.


Windows 2008 RTM: CA throughput with 2K RSA key

- CAPI software RSA 2048
- Enterprise CA (dedicated machine)
- Rack server: $7,900, mid-2007:
  - Dual-Core
  - 4 GB RAM
  - 146 GB x 8, 10K RPM, 4.1 ms Serial Attached SCSI
- Results are ~125 req/sec (no archived keys)
- Processing time ~250 ms (server time)


Windows 2008 RTM: CA throughput with 1K RSA key

- CAPI RSA 1024
- Enterprise CA (dedicated machine), 500 DB sessions
- Rack server: $7,900, mid-2007:
  - x64
  - Dual proc: Dual-Core
  - 4 GB RAM
  - 146 GB x 8, 10K RPM, 4.1 ms Serial Attached SCSI
- Results are ~155 req/sec (no archived keys)
- Processing time ~250 ms (server time)


Windows 2008 R2 RTM: CA Database scalability testing

- CNG 2K key
- Rack server:
  - Dual proc: Dual-Core
  - 4 GB RAM
  - 8 x 136 GB SCSI drives (1 drive for OS, 7 drives in RAID0 for DB storage)
- Rows in database: 100,565,869
- Log files created: 1,462,812; we were able to observe the log file names rolling over to longer names
- DB size: 871 GB (936,160,403,456 bytes)
- Time to reach 100M rows: ~9.5 days (~125 req/sec)


How did we test?


Here are some details on how we submit the requests during our performance tests.

The key is to generate enough request volume to load the CA service to an upper bound (80 to 90% CPU utilization).

Certreq.exe will not work for this because the client would spend too much time generating the key, generating the request, and so on.


1) CA config:
   a. CA DBSessions is configured to 500 (from the default of 100)
   b. For Enterprise CA tests, the template is modified to remove "publish cert to AD"
2) Cert request:
   a. Private key generated once
   b. Use the X509Enrollment API to initialize and create the request
   c. Submit the request via the ICertRequest2::Submit API
3) Machine topology:
   a. 1 DC
   b. 1 CA
   c. 4 client machines
      i. Each client machine hosts 50 users
      ii. Each user submits 100,000 pre-generated cert requests
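One way to drive a lab CA the way steps 2 and 3 describe, as an added PowerShell example that is not code from the original post: the private key is generated once, one PKCS#10 request is pre-generated with the X509Enrollment (CertEnroll) COM API, and that request is submitted repeatedly through ICertRequest2::Submit while the script measures requests per second. The CA config string, template name and request count are placeholders, and the script assumes a lab enterprise CA you are capacity-testing.

```powershell
# Added example (not from the original post): pre-generate one PKCS#10 request
# with the X509Enrollment COM API and submit it repeatedly via ICertRequest2::Submit,
# reporting req/sec the way the lab test above does. Run only against a LAB CA:
# every submission becomes a row in the CA database.
param(
    [string]$CaConfig = 'CA01.lab.example\Lab Issuing CA',  # placeholder "host\CA name"
    [string]$Template = 'LabPerfTest',                       # placeholder template name
    [int]$Count = 1000                                       # requests to submit
)

# Enumeration values from CertEnroll.h / certcli.h
$ContextUser             = 1      # X509CertificateEnrollmentContext: current user
$XCN_CRYPT_STRING_BASE64 = 1      # EncodingType: plain base64, no PEM header
$CR_IN_BASE64            = 0x1    # ICertRequest::Submit: input is base64
$CR_IN_PKCS10            = 0x100  # ICertRequest::Submit: input format is PKCS#10
$CR_DISP_ISSUED          = 3      # disposition: certificate issued

# Step 2a: generate the private key once; every request reuses it (CAPI RSA 2048, like the RTM test).
$key = New-Object -ComObject X509Enrollment.CX509PrivateKey
$key.ProviderName   = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
$key.Length         = 2048
$key.KeySpec        = 1        # XCN_AT_KEYEXCHANGE
$key.MachineContext = $false
$key.Create()

# Step 2b: build and encode one PKCS#10 request from that key (template is named at submit time).
$pkcs10 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
$pkcs10.InitializeFromPrivateKey($ContextUser, $key, '')
$dn = New-Object -ComObject X509Enrollment.CX500DistinguishedName
$dn.Encode('CN=perf-test-user', 0)   # XCN_CERT_NAME_STR_NONE
$pkcs10.Subject = $dn
$pkcs10.Encode()
$enroll = New-Object -ComObject X509Enrollment.CX509Enrollment
$enroll.InitializeFromRequest($pkcs10)
$csr = $enroll.CreateRequest($XCN_CRYPT_STRING_BASE64)   # the pre-generated request

# Step 2c: submit the same pre-generated request $Count times and time it.
# A standalone CA without auto-issue answers 5 (CR_DISP_UNDER_SUBMISSION) instead of 3.
$req = New-Object -ComObject CertificateAuthority.Request
$issued = 0; $other = @{}
$sw = [System.Diagnostics.Stopwatch]::StartNew()
for ($i = 0; $i -lt $Count; $i++) {
    $disp = $req.Submit($CR_IN_BASE64 -bor $CR_IN_PKCS10, $csr, "CertificateTemplate:$Template", $CaConfig)
    if ($disp -eq $CR_DISP_ISSUED) { $issued++ } else { $other[$disp] = 1 + $other[$disp] }
}
$sw.Stop()
$rate = $Count / $sw.Elapsed.TotalSeconds
"{0} requests in {1:N1} s = {2:N1} req/sec; issued={3}; other dispositions: {4}" -f $Count, $sw.Elapsed.TotalSeconds, $rate, $issued, (($other.Keys | ForEach-Object { "$_=$($other[$_])" }) -join ',')
```

Run one copy per test user on each client machine to approximate the 4 x 50-user topology above; the per-client rate is what the CA-side 80 to 90% CPU target is checked against.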


Original URL: https://blogs.technet.microsoft.com/pki/2010/01/10/clustered-certification-authority-maintenance-tasks/
Post name: Clustered Certification Authority maintenance tasks
Original author: MS2065 [MSFT]
Posting date: 2010-01-10T06:22:42+00:00


Our colleagues on the AskDS blog posted a very valuable article about clustered CA maintenance tasks.

Original URL: https://blogs.technet.microsoft.com/pki/2009/12/21/server-2008-r2-adcs-migration-guide-beta/
Post name: Server 2008 R2 ADCS Migration Guide Beta
Original author: ltalbot
Posting date: 2009-12-21T16:25:00+00:00


The beta version of the new 2008 R2 ADCS Migration Guide is now available at http://technet.microsoft.com/en-us/library/ee126140(WS.10).aspx.


The guide describes the necessary steps for a successful migration of enterprise or standalone CAs from Windows Server 2003 and Windows Server 2008 to Windows Server 2008 R2. Also included are steps for migration to Server Core.


This is a beta release, and customer feedback would be greatly appreciated in order to ensure the final release is all it can be. The final version is scheduled for release in March 2010. Feedback instructions are provided on the page.