Maximizing Performance

General Performance Tips

Normally in a PKI extreme performance is not really an issue. A default installation of EJBCA can easily issue tenths of certificates per second, which is more than enough even for very large installations. For OCSP it is more important, but OCSP is also more light weight so the default performance there is hundreds of requests per second.

In more specialized PKI installations there can however be the need to issue hundreds of certificates per second. Therefore we provide a list of configuration items that can maximize performance of EJBCA to issue more than 100 certificates per second (depending on hardware etc).

  • Disable logging to database in cesecore.properties, only use Log4jLogDevice. This removes a database insert and gives a big boost.

  • Configure Log4j to log only to file, not console, and use only INFO or ERROR logging, not DEBUG. This can give a small improvement.

  • Disable use of CertReqHistory in CA configuration. This removes a database insert and gives a big boost.

  • Disable finishUser in CA configuration. Verify that this is ok first by reading the documentation for this feature. This can save a database read and update.

  • Enable all caches in cache.properties. If you cache indefinitely you can use the CLI command 'bin/ejbca.sh clearcache' if configuration changes are made. This can give a small improvement. See also info about the clear all caches button.

  • Do not enforce any uniqueness (keys, DN, Subject DN SerialNumber) in CA configuration. This will ensure no extra selects are made and can give a small improvement.

  • Minimize the number of indexes in the database, only use the ones that are absolutely needed. This makes inserts in the database a bit faster and can give additional 10%.

  • Use the native JBoss connectors for http and https. This can give an additional 10%.

  • If you have a lot of certificates (>100M) it might be a good idea to use a separate table for the storage of the encoded certificates. See the database.useSeparateCertificateTable property in ./conf/database.properties.sample

Throw Away CA

EJBCA can be configured to function as a Throw Away CA. In this mode EJBCA simply functions as a high speed certificate factory, issuing certificates but not storing any trace of them in the local database.

Using EJBCA in Throw Away CA-mode curtails some functionality, foremost the following:

  • You cannot search for issued certificates.

  • You cannot enable certain limitations such as Enforce unique DN or Enforce unique public keys.

  • You may revoke certificates. However it requires specific CA configuration and only limited certificate data will be persisted upon revocation. For more information, see Accept Revocations for Non-Existing Entries in CA Fields.

If these limitations are acceptable you can gain some benefits by using Throw Away CA-mode:

  • Maximum performance since no database queries are done. Enable to maximum caching and EJBCA will not make a single call to the database.

  • Minimal storage requirements. Since no issued certificates are stored in the database only EJBCA configuration needs storage.

Limiting Database Query Size

Certain types of queries can, whether intentionally or not, generate massive results. In order to not clog up the database driver, EJBCA has a default maximum value of 500 results for certain tables, which affects the following data sets:

  • Certificates

  • End Entities

  • Hard Token Usernames

You can change the query limit under System Configuration. For safety, there is still a hard upper limit of 25,000 entries.

Limiting Database Query Timeout

Certain types of searches can, whether intentionally or not, generate database heavy queries (even full table scans). In order to not overload the database, EJBCA will try to limit for how long a query is allowed to run for certain searches before aborting. For such limitations to work, both you database and Java DataBase Connector (JDBC) driver must support this. This setting currently affects the following searches:

  • RA GUI Search for certificates

  • RA GUI Search for end entities

You can lower or raise the default of 10000 ms (10 seconds) in the query timeout under System Configuration. Setting the value to 0 means that EJBCA will not try to enforce any query timeout and will default to you application server and database configuration.