Windows CA Performance Numbers

This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.

First published on TECHNET on Jan 11, 2010

Below are some numbers we have measured when testing the Windows CA in our lab environment.


Note that the numbers will vary depending on many factors (network topology, request types, other server workloads, etc.). However, they are a good starting point for capacity planning and can later be verified in a pre-production environment.


Windows 2008 RTM: CA throughput with 2K RSA key


· CAPI software RSA 2048


· Enterprise CA (dedicated machine)


· Rack server ($7,900, mid-2007):


o Dual-Core


o 4 GB RAM


o 8 x 146 GB, 10K RPM, 4.1 ms, Serial Attached SCSI


· Results are ~125 req/sec (no archived keys)


· Processing time ~250 ms (server time)


Windows 2008 RTM: CA throughput with 1K RSA key


· CAPI RSA 1024


· Enterprise CA (dedicated machine) – 500 DB sessions


· Rack server ($7,900, mid-2007):


o x64


o Dual proc: Dual-Core


o 4 GB RAM


o 8 x 146 GB, 10K RPM, 4.1 ms, Serial Attached SCSI


· Results are ~155 req/sec (no archived keys)


· Processing time ~250 ms (server time)


Windows 2008 R2 RTM: CA Database scalability testing


· CNG 2K key


· Rack Server:


o Dual proc: Dual-Core


o 4 GB RAM


o 8x136GB SCSI drives (1 drive for OS, 7 drives in RAID0 for DB storage)


· Rows in database: 100565869


· Log files created: 1462812, was able to witness roll over to larger filenames


· DB size: 871 GB (936,160,403,456 bytes)


· Time to reach 100M rows: ~9.5 days (~125 req/sec)


How did we test?


Here are some details on how we are submitting the requests during our performance tests.


The key is to get enough data to load the CA service to an upper bound (80 to 90% CPU utilization).


Certreq.exe will not work for this, because the client would spend too much time generating the key, generating the request, etc…


1) CA Config:


a. CA DBSessions is configured to 500 (from default of 100)


b. For Enterprise CA tests, template is modified to remove "publish cert to AD"


2) Cert Request:


a. Private Key generated once


b. Use X509Enrollment API to initialize and create request


c. Submit request via ICertRequest2::Submit API


3) Machine Topology:


a. 1 – DC


b. 1 – CA


c. 4 – Client machines


i. Each client machine hosts 50 users


ii. Each user submits 100000 pre-generated cert requests
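
Steps 2a to 2c above, sketched in PowerShell as an added example (this is not the test harness used for the measurements). The CA config string, template name, request count and subject names are placeholders for a lab CA.

```powershell
# Lab placeholders (assumed, not from the original post)
$CAConfig = 'ca01.lab.example\Lab-Issuing-CA'   # "host\CA name"
$Template = 'User'                              # certificate template name
$Count    = 1000                                # requests sent by this client

# 2a. Generate the private key once, outside the timed section.
$key = New-Object -ComObject X509Enrollment.CX509PrivateKey
$key.ProviderName = 'Microsoft Enhanced Cryptographic Provider v1.0'  # CAPI software RSA
$key.KeySpec = 1                                # XCN_AT_KEYEXCHANGE
$key.Length  = 2048
$key.Create()

# 2b. Pre-generate the PKCS#10 requests so the client spends no time on
#     key generation or request signing while the CA is being measured.
$requests = foreach ($i in 1..$Count) {
    $dn = New-Object -ComObject X509Enrollment.CX500DistinguishedName
    $dn.Encode("CN=perf-$i", 0)                 # 0 = XCN_CERT_NAME_STR_NONE
    $p10 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    $p10.InitializeFromPrivateKey(1, $key, '')  # 1 = ContextUser
    $p10.Subject = $dn
    $p10.Encode()                               # sign and DER-encode the request
    $p10.RawData(1)                             # 1 = XCN_CRYPT_STRING_BASE64
}

# 2c. Timed section: submission only (ICertRequest2::Submit via COM).
$flags  = 0x1 -bor 0x100                        # CR_IN_BASE64 | CR_IN_PKCS10
$ca     = New-Object -ComObject CertificateAuthority.Request
$issued = 0
$timer  = [System.Diagnostics.Stopwatch]::StartNew()
foreach ($r in $requests) {
    $disp = $ca.Submit($flags, $r, "CertificateTemplate:$Template", $CAConfig)
    if ($disp -eq 3) { $issued++ }              # 3 = CR_DISP_ISSUED
}
$timer.Stop()

[pscustomobject]@{
    Submitted = $Count
    Issued    = $issued
    ReqPerSec = [math]::Round($Count / $timer.Elapsed.TotalSeconds, 1)
    MeanMs    = [math]::Round($timer.Elapsed.TotalMilliseconds / $Count, 1)
}
```

A single serial loop mostly measures per-request latency; the load in the topology above came from 200 concurrent users across four client machines, so several instances must run in parallel to approach the 80 to 90% CPU target on the CA.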

