Re: [Openca-Users] Very high times issuing certificates with nCipher

Mon, 20 Jun 2005 08:33:02 -0700 

Hi Johnny,

> I have a problem, no matters if we try to issue only
> one certificate, we are experiencing high times of
> issuing. If we issue one certificate it takes about 30
> to 40 seconds for the operation to complete.
>
> Do you know what the problem could be? Do you have the
> same problem? Our old nCipher, a lot slower than the
> new one, used to issue about 20 certificates in one
> minute with a propietary software. Does this have
> relation with the timeout we had to increase to 16 for
> OpenCA to be able to call the nCipher start command?

well, certificate issuance with the nCipher module is not very
fast currently. This is mainly because there are a lots of checks
to be performed prior to issuing a certificate.

Most of the time is spent waiting for some command line tools
to execute, trying to find out if the key is usable.
Unfortunately it is not very easy to find out if a private key
is usable (aka "online) in the nCipher module, so I am doing
some command line magic with the nCipher tools.

In order to speed this up a bit, I already included a caching
mechanism that should return the last known key online state
if the last check was performed within the last n seconds.

I don't currently recall the exact code and I am also quite
busy currently, but I will have a closer look at the code
this week.

I think we could speed it up significantly, but there might
be a tradeoff involved: issuance might fail due to a non-usable
private key. If this is acceptable for you, we might consider
adding an option to turn online checks off.

I'll follow up with my thoughts soon.

cheers

Martin




-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=click
_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users

Reply via email to