Below are some numbers we have measured when testing the Windows CA in our lab environment.
Note that the numbers will change and depends on many factors (network topology, request types, other server workloads, etc.) However, the numbers are a good starting point for capacity planning and can later be verified in pre-production environment.
· CAPI software RSA 2048
· Enterprise CA (dedicated machine)
· Rack Server: 7900$ Mid 2007:
o 4 GB RAM
o 146 GB x 8 10K RPM 4.1MS Serial Attached SCSI
· Results are ~125 req/sec (no archived keys)
· Processing time ~250mS (server time)
· CAPI RSA 1024
· Enterprise CA (dedicated machine) – 500 DB sessions
o Dual proc: Dual-Core
· 146 GB x 8 10K RPM 4.1MS Serial Attached SCSI
· Results are ~155 req/sec (no archived keys)
· Processing time ~250mS – server time
· CNG 2K key
· Rack Server:
o 8x136GB SCSI drives (1 drive for OS, 7 drives in RAID0 for DB storage)
· Rows in database: 100565869
· Log files created: 1462812, was able to witness roll over to larger filenames
· DB size: 871 GB (936,160,403,456 bytes)
· Time to reach 100M rows: ~9.5 days (~125 req/sec)
How did we test?
Here are some details on how we are submitting the requests during our performance tests.
The key is to get enough data to load the CA service to an upper bound (80 to 90% CPU utilization).
Certreq.exe will work because the client will be spending too much time generating the key, generating the request, etc…
1) CA Config:
a. CA DBSessions is configured to 500 (from default of 100)
b. For Enterprise CA tests, template is modified to remove "publish cert to AD”
2) Cert Request:
a. Private Key generated once
b. Use X509Enrollment API to initialize and create request
c. Submit request via ICertRequest2::Submit API
3) Machine Topology:
a. 1 – DC
b. 1 – CA
c. 4 – Client machines
i. Each client machine hosts 50 users
ii. Each user submits 100000 pre-generated cert requests