Balancing Client OCSP Requests - Red Hat Certificate System 8 Deployment Manual

Chapter 5. Planning the Certificate System
Another option, though, is to distribute some of the tasks of a single CA to another subsystem. For
example, Example Corp. has a manageable number of people requesting certificates for a single
CA to issue. However, because of their security policies, each certificate request has to be verified
in person by an agent, with supporting documentation. This creates a bottleneck for the CA agents
to approve requests. A registration authority (RA) is installed at each local office; the requests are
processed and approved locally, and then a central CA issues all of the certificates.
Figure 5.3. CA and RA
The Registration Manager takes the load of processing certificate requests; the CA then only has to
issue the requests. For network environments where there are strict, and possibly time-consuming,
rules for issuing certificates, an RA can speed the process while also giving control to local managers
and administrators.
RA managers are also good for certain network demands. CAs require a very high degree of both
physical security and network security because of the sensitive nature of the information they contain.
RAs can be placed outside of a firewall so that regular users can connect to them and can be stored in
less secure locations because they do not process or contain sensitive data.

5.1.4. Balancing Client OCSP Requests

If a certificate is within its validity period but needs to be invalidated, it can be revoked. A Certificate
Manager can publish lists of revoked certificates, so that when a client needs to verify that a certificate
is still valid, it can check the list. These requests are Online Certificate Status Protocol (OCSP) requests,
meaning that they have a specific request and response format. The Certificate Manager has a built-in
OCSP responder so that it can answer OCSP requests by itself.
However, as with certificate request traffic, a site may have a significant number of client requests to
verify certificate status. Example Corp. has a large web store, and each customer's browser tries to
verify the validity of its SSL certificates. Again, the CA can handle issuing that number of certificates,
but the high request traffic affects its performance. In this case, Example Corp. uses the external
OCSP Manager subsystem to verify certificate statuses, and the Certificate Manager only has to
publish updated CRLs every so often.
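To make the flow in these two paragraphs concrete, here is an added Python model (not code from the Deployment Manual or from Red Hat Certificate System) of the three roles: a Certificate Manager that publishes CRLs, an OCSP responder that answers only from those CRLs, and a client that decides whether to accept a certificate. Real OCSP carries DER-encoded requests and signed responses over HTTP (RFC 6960); the model keeps the decision logic and the CRL freshness window and drops the encoding. The CA name, serial numbers, dates and the five-minute clock-skew allowance are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional, Tuple


class Status(Enum):
    GOOD = "good"          # serial is not on the issuer's current CRL
    REVOKED = "revoked"    # serial is listed on the CRL
    UNKNOWN = "unknown"    # responder holds no CRL for that issuer at all


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revoked_at: datetime
    reason: str


@dataclass(frozen=True)
class CRL:
    """One published CRL: the issuing CA, its freshness window and the revoked serials."""
    issuer: str
    this_update: datetime
    next_update: datetime
    entries: Dict[int, RevokedEntry]


@dataclass(frozen=True)
class OCSPResponse:
    serial: int
    status: Status
    this_update: datetime   # when the underlying CRL was produced
    next_update: datetime   # when a fresher CRL is due
    reason: Optional[str] = None


class OCSPResponder:
    """Model of the external OCSP Manager: it never queries the CA per request,
    it only answers from the CRLs the Certificate Manager has published to it."""

    def __init__(self) -> None:
        self._crls: Dict[str, CRL] = {}

    def publish(self, crl: CRL) -> None:
        """The Certificate Manager's periodic publish step (newest CRL wins)."""
        self._crls[crl.issuer] = crl

    def respond(self, issuer: str, serial: int, now: datetime) -> OCSPResponse:
        crl = self._crls.get(issuer)
        if crl is None:
            # Nothing published for this CA: report UNKNOWN rather than guessing "good".
            return OCSPResponse(serial, Status.UNKNOWN, now, now)
        entry = crl.entries.get(serial)
        if entry is not None:
            return OCSPResponse(serial, Status.REVOKED, crl.this_update, crl.next_update, entry.reason)
        return OCSPResponse(serial, Status.GOOD, crl.this_update, crl.next_update)


MAX_CLOCK_SKEW = timedelta(minutes=5)   # assumed tolerance between client and responder clocks


def check_certificate(responder: OCSPResponder, issuer: str, serial: int, not_before: datetime,
                      not_after: datetime, now: datetime, soft_fail: bool = False) -> Tuple[bool, str]:
    """Client-side decision; returns (accept, explanation).
    soft_fail=True accepts a certificate whose status cannot be determined; it is the weaker
    policy and is included only so the two behaviours can be compared side by side."""
    if now < not_before or now > not_after:
        return False, "certificate is outside its validity period; revocation status is irrelevant"
    resp = responder.respond(issuer, serial, now)
    if resp.status is Status.UNKNOWN:
        return soft_fail, f"no status available for issuer {issuer!r} (soft_fail={soft_fail})"
    if resp.status is Status.REVOKED:
        # A revocation does not age out, so reject even if the CRL behind it is stale.
        return False, f"serial {serial} revoked ({resp.reason})"
    if now > resp.next_update + MAX_CLOCK_SKEW:
        # The CRL behind this "good" answer is past nextUpdate: the publish step is late.
        return soft_fail, f"stale response: nextUpdate {resp.next_update.isoformat()} has passed (soft_fail={soft_fail})"
    return True, f"serial {serial} good until at least {resp.next_update.isoformat()}"


# Constructed sample data
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
CA = "CN=Example Corp Issuing CA"   # assumed issuer name


def build_demo_responder() -> OCSPResponder:
    """One CRL with a 24-hour window and a single revoked serial (constructed)."""
    crl = CRL(CA, T0, T0 + timedelta(hours=24),
              {0x1001: RevokedEntry(0x1001, T0 - timedelta(days=3), "keyCompromise")})
    responder = OCSPResponder()
    responder.publish(crl)
    return responder


def check_demo(serial: int, hours_after_t0: float, soft_fail: bool = False,
               issuer: str = CA) -> Tuple[bool, str]:
    """Run the client check at T0 + hours_after_t0 for a certificate valid T0-30d .. T0+365d."""
    now = T0 + timedelta(hours=hours_after_t0)
    return check_certificate(build_demo_responder(), issuer, serial,
                             T0 - timedelta(days=30), T0 + timedelta(days=365), now, soft_fail)


if __name__ == "__main__":
    for args in [(0x1000, 1), (0x1001, 1), (0x1000, 48), (0x1000, 48, True), (0x1000, 1, False, "CN=Other CA")]:
        print(args, "->", check_demo(*args))
```

The ordering of the checks is the point worth keeping: an expired certificate is rejected before any status lookup, a revoked serial is rejected even from a stale CRL, and only a "good" answer is subject to the freshness window. The two outcomes that depend on `soft_fail` (no CRL for the issuer, or a CRL past its `nextUpdate`) are exactly the cases a late publish from the Certificate Manager would produce, which is why the publish interval matters as much as the responder's capacity.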