Hi to all,

has anyone succeeded in getting rid of the index.txt "database" of OpenSSL included in OpenCA? I'm considering doing this and I want to know if anyone else has made some experiments on this.

Before proceeding with the patch, I'd like to discuss this: I think the only way to do this is (as suggested in the past) to let OpenSSL use a void index.txt file on the certificate issuing commands and to construct on the fly an index.txt with revoked certificates when OpenSSL is used to issue a CRL. This last thing is possible because OpenCA keeps certificate status in its DB (the index.txt is redundant).

In the last months I performed some stress tests and I can assure you that OpenCA performance decays when you reach 100000 certificates in index.txt, and I'm talking about 8 seconds to issue a certificate. This is because OpenSSL scans the text file every time (even if you disable the uniqueDN feature) and moreover it makes a backup copy of index.txt every time it finishes CA operations (copying 29 megabytes is a somewhat time-consuming operation).
Opinions are very appreciated before touching the code :-)

-- 
Diego

_______________________________________________
OpenCA-Devel mailing list
OpenCA-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-devel
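
The on-the-fly index.txt described in the message above, sketched as an added example (not code from the original post or from OpenCA): it renders only the revoked certificates in the tab-separated layout that `openssl ca` reads from its `database` file. The record keys, the `REVOKED` status value and the sample rows are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Reason names that "openssl ca" accepts after the revocation date.
CRL_REASONS = {"unspecified", "keyCompromise", "CACompromise", "affiliationChanged",
               "superseded", "cessationOfOperation", "certificateHold", "removeFromCRL"}

def utctime(ts):
    """Format a timezone-aware datetime as ASN.1 UTCTime (YYMMDDHHMMSSZ)."""
    if ts.tzinfo is None:
        raise ValueError("naive datetime: the time zone would be guessed")
    ts = ts.astimezone(timezone.utc)
    if not 1950 <= ts.year <= 2049:
        raise ValueError("UTCTime cannot represent year %d" % ts.year)
    return ts.strftime("%y%m%d%H%M%SZ")

def hex_serial(serial):
    """Non-negative serial as uppercase hex with an even number of digits."""
    h = "%X" % serial
    return h if len(h) % 2 == 0 else "0" + h

def index_line(rec):
    """One 'R' entry: status, expiry, revocation[,reason], serial, file, subject."""
    if any(c in rec["subject"] for c in "\t\r\n"):
        raise ValueError("subject DN contains a field or line separator")
    revoked, reason = utctime(rec["revoked_at"]), rec.get("reason")
    if reason is not None:
        if reason not in CRL_REASONS:
            raise ValueError("unknown revocation reason: %r" % reason)
        revoked += "," + reason
    return "\t".join(["R", utctime(rec["not_after"]), revoked,
                      hex_serial(rec["serial"]), "unknown", rec["subject"]])

def build_revoked_index(records):
    """Render only the revoked certificates, ordered by serial number."""
    rows = sorted((r for r in records if r["status"] == "REVOKED"),
                  key=lambda r: r["serial"])
    return "".join(index_line(r) + "\n" for r in rows)

def _utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

# Constructed sample rows standing in for the CA database (assumed schema).
SAMPLE = [
    {"serial": 0x1A2B, "status": "REVOKED", "not_after": _utc(2026, 1, 15, 12),
     "revoked_at": _utc(2025, 3, 1, 8, 30), "reason": "keyCompromise",
     "subject": "/C=IT/O=Example/CN=alice.example.org"},
    {"serial": 10, "status": "VALID", "not_after": _utc(2026, 6, 1), "subject": "/CN=carol.example.org"},
    {"serial": 0xABC, "status": "REVOKED", "not_after": _utc(2025, 12, 31, 23, 59, 59),
     "revoked_at": _utc(2025, 6, 10), "subject": "/C=IT/O=Example/CN=bob.example.org"},
]
```

The subject check matters because the DN comes from request data: a tab or newline inside it would otherwise add or alter entries in the generated file, and with them the contents of the CRL.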