Planning Your Public Key Infrastructure
|
|
Performing Resource Planning
You should estimate the network, computing, and facilities resources required to support the certificate services you intend to deploy in your organization. The total number of resources required can vary considerably depending on the size of your organization and the level and scope of the PKI you deploy.
When estimating resources, consider the resources required to support short-term needs and projected long-term growth of your organization.
The network and computing resources required for deployment include the following:
- Server computers that run certificate services and custom applications
- Cryptographic hardware, such as crypto-accelerator boards
- Hard disk storage for the certificate database and custom applications
- Storage resources for backups of CAs and custom applications
- Disaster recovery resources, such as recovery kits and hot-standby replacement servers
Certificate services performance can vary considerably depending on the following factors:
- Length of the CA key used to sign certificates. The longer the key, the more processing power and time are required to sign a certificate. It should be noted that a signing operation is performed (on the server) once per certificate at the time of issuance, while a verification operation is performed many times throughout the lifetime of a certificate (on the client or another server, depending on the protocol). Note that signing a certificate is more expensive than verifying it.
- Complexity of the certification authority policy module logic used to validate certificate requests. The more complex the policy logic, the longer it takes to process and issue certificates. Most people will find the Windows 2000 enterprise and stand-alone policy module sufficient. If you want to develop a custom policy module, the cost of complexity should be considered both in the policy module and the exit module.
- Performance impact of custom applications. Custom applications affect the overall performance of certificate applications. For example, a certificate enrollment application that uses standard Common Gateway Interface (CGI) scripts can add significant delays to the enrollment process.
The hard disk capacity required to support the certificate databases depends on the following factors:
- How many certificates are issued by the CA. Project how many certificates will be issued for the life of the CA. A CA that issues a large number of certificates or that has a longer lifetime will require a larger certificate database.
- The size of each certificate. The certificate database includes all information in the certificates, including the public keys. Certificates that have larger public keys and that contain additional special information will consume more disk space per certificate issued.
Some large certificate databases might be several gigabytes or more. However, significantly smaller certificate databases are not normally expected to exceed several hundred megabytes in size. You should measure representative certificate database sizes in the lab and then extrapolate future database sizes based on the projected number of certificates you expect each CA to issue in its lifetime.
© 1985-2000 Microsoft Corporation. All rights reserved.