Hello,
we are planning to use OpenCA within our university for about 400 Students.
We�ve done some testing with version 0.9.0, 0.9.1-RC6 and RC7.
Basically everything works. You�ve done a good job :-)
But there are some issues that are still unclear for us.
First, can you give us some reccomendations which components we should use?
* which release of openssl 0.9.7 is known to be relativly bugfree and can be used for
production?
* apache-ssl vs. apache/mod_ssl
* which DB-Backend? Is it enough to run with DB-Files or is it better to use
{MySQL,PostreSQL, ..}
* which version of OpenCA >= 0.9.1 seems adequate for production? It doesn�t have to
be bulletproof,
we only need basic CA-Features which seemed to work well for us since 0.9.1-RC6.
Secondly, we�re worry about some performance issues:
After creating only 30 Certs the export-import files are about 1MB big.
OK, this concerns us not directly because we are working with "scp" rather then
floppys.
How about gzipping the tar-files?
* OpenCA is really slow in some functions. Listing the "Archived Requests" for example
takes
about 20 seconds. In this case we had only 30 Certs. How long will this need with 400?
Our RA runs on an K6-2/400 CPU.
For fun I�ve done some tests with the Perl Profiler:
RAsmus:~# dprofpp tmon.out
Total Elapsed Time = 22.86498 Seconds
User+System Time = 14.99498 Seconds
Exclusive Times
%Time ExclSec CumulS #Calls sec/call Csec/c Name
13.3 2.006 3.482 6593 0.0003 0.0005 Parse::RecDescent::namespace000001
::stringchar
12.7 1.915 7.420 6593 0.0003 0.0011 Parse::RecDescent::namespace000001
::_alternation_1_of_production_1_o
f_rule_string
12.3 1.858 3.216 20867 0.0001 0.0002 Parse::RecDescent::Rule::expected
6.14 0.920 0.755 54901 0.0000 0.0000 Parse::RecDescent::Expectation::at
5.87 0.880 0.817 20864 0.0000 0.0000 Parse::RecDescent::Expectation::new
[...]
Is there a way to speed this up? Maybe with mod_perl?
Finally i wrote a quick and dirty ldap-backend in perl, which inserts
"(userCertificate;binary=*)" in every search. This avoids the users to appear twice
when
using the ldap as address-book.
(http://www.mail-archive.com/[email protected]/msg01896.html)
If someone is interested i�ll post it here.
Thanks in advance
Marco Pfatschbacher
--
Wahrheit ist die Erfindung eines L�gners.
- Heinz von Foerster -
-------------------------------------------------------
This sf.net email is sponsored by:
With Great Power, Comes Great Responsibility
Learn to use your power at OSDN's High Performance Computing Channel
http://hpc.devchannel.org/
_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
