PKI - Certification Authority: IssuingCA Best Practice

49885604 145 Reputation points
2024-03-15T22:13:02.4533333+00:00

Good evening everyone,

I would need to know if there is a Best Practice regarding the number of certificates that an Issuing CA should sign and the size of its internal database.

I have an Issuing CA that enrolls certificates for Users, Computers and Mobile Devices; the database exceeds 40 GB and I need to understand whether to review my Issuing CA to reduce the impact on resources and in case of Recovery.

Kind regards and thanks in advance,

Alessio.


2 answers

  1. Daisy Zhou 20,791 Reputation points Microsoft Vendor
    2024-03-18T02:58:39.5733333+00:00

    Hello 49885604,

    Thank you for posting in Q&A forum.

    the number of certificates that an Issuing CA should sign
    A: After my research, it seems the number of certificates that an issuing CA can issue is very large.

    Similar thread for your reference:

    https://security.stackexchange.com/questions/202686/maximum-number-of-certificates-generated-by-a-ca#:~:text=What%20is%20the%20maximum%20number%20of%20certificates%20that,be%20unique%20for%20each%20issuer%20%2F%20serial%20pair.

    the size of its internal database.
    A: For the size of one CA database, you can read the link below.

    https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/the-case-of-the-enormous-ca-database/ba-p/398226

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou


  2. 49885604 145 Reputation points
    2024-03-22T14:53:10.09+00:00

    Thank you @49885604 for your articles and reply.

    Let's say that a 40-50 GB database would certainly have an impact on the disk space of the IssuingCA, also causing an impact in terms of machine resources. In the case of a virtual machine we could increase disk size, memory and virtual CPU.

    In the event of a database disaster and restore, it may take a long time to import 50GB of database into a new IssuingCA. Correct?

    What about the possibility of splitting the enrollment of certificates across multiple IssuingCAs? By defining which specific templates enroll from one IssuingCA and which from another server!
    Is there a specific best practice about that? Related also to the database growth!

    Kind regards,

    Alessio.

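Before deciding whether to split enrollment across several issuing CAs, it helps to know how big the ESE database actually is, how many rows it holds, and which templates the CA publishes. The script below is an added example (not code from the thread or from Microsoft) and assumes it runs on the issuing CA itself with CA Administrator rights; it reads the DB paths from the CertSvc registry key and uses certutil -view row filters and certutil -CATemplates, which both exist.

```powershell
# Added example: size an AD CS issuing CA database and count its rows,
# so a "40 GB" figure can be tied to an actual certificate count.
# Assumes: run locally on the CA with CA Administrator rights.

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$dbDir  = (Get-ItemProperty $cfg).DBDirectory      # default: C:\Windows\System32\CertLog
$logDir = (Get-ItemProperty $cfg).DBLogDirectory

# 1. On-disk size of the ESE database (.edb) and its transaction logs.
#    Log volume matters for restore time as much as the .edb itself.
$edbBytes = (Get-ChildItem $dbDir  -Filter *.edb | Measure-Object Length -Sum).Sum
$logBytes = (Get-ChildItem $logDir -Filter *.log | Measure-Object Length -Sum).Sum
'{0,-22} {1,8:N1} GB' -f 'Database (.edb):',  ($edbBytes / 1GB)
'{0,-22} {1,8:N1} GB' -f 'Transaction logs:', ($logBytes / 1GB)

# 2. Row counts by disposition: 20 = issued, 21 = revoked,
#    30 = denied, 31 = failed. certutil -view prints a csv header and a
#    trailing status line, so only pure-numeric RequestID lines are counted.
#    On a multi-million-row database this pass takes a while.
function Get-CaRowCount([string]$Restrict) {
    $lines = certutil -view -restrict $Restrict -out RequestID csv 2>$null
    @($lines | Where-Object { $_ -match '^"?\d+"?$' }).Count
}
$counts = [ordered]@{
    Issued  = Get-CaRowCount 'Disposition=20'
    Revoked = Get-CaRowCount 'Disposition=21'
    Denied  = Get-CaRowCount 'Disposition=30'
    Failed  = Get-CaRowCount 'Disposition=31'
}
$counts.GetEnumerator() | ForEach-Object { '{0,-22} {1,8:N0}' -f $_.Key, $_.Value }

# 3. Templates this CA is allowed to issue: this is the list you would
#    partition between issuing CAs if enrollment is split by template.
certutil -CATemplates
```

Failed and denied rows often dominate a bloated CA database (autoenrollment retries in particular), so compare those counts with the issued count before assuming the growth comes from legitimate certificates.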