Windows 2008 PKI Disk Size and mixed CAs
Hi, I would like some advice on two things:

(1) Within Mr Komar's book, it states that an offline CA should have two partitions, one for the OS and one for the Database and Logs. For an online CA, there are three partitions. Is there any guidance on sizing these disks? I want to put this on a VM and need to know disk sizes.

(2) I have a unique problem. I am setting up a Windows 2008 PKI (three-tier model). This will sit within a Windows 2008 domain. The issue I have is that the user issuing CA needs to issue certificates for an extended Windows 2003 domain where the schema cannot be updated due to some red tape. Do I provision a Windows 2003 CA as part of the Windows 2008 PKI, or do I need to set up another PKI as part of the Windows 2003 forest and cross-certify with the Windows 2008 forest? Simple would be most preferred.
June 30th, 2010 6:48pm

Each certificate issued by a CA will use ~16KB of disk space in the database. If you are archiving private keys, that is an additional 4KB. Take that base figure and multiply by the number of certificates you intend to issue. Then double or triple that number to cover all the scenarios you're not considering now. I've found that about 1 million issued certificates results in a database file size of ~20 GB. In the real world, you'll have failed requests, revoked certificates, and other things that will also take up space in the database, but that rough figure should be sufficient. Disk space is very cheap these days; don't be stingy. You should also regularly purge your database of failed requests and expired certificates (certutil -deleterow) and then compact your database with esentutl.exe.

You do not need to update the Windows Server 2003 schema in order to deploy a Windows Server 2008 CA. Read here. It is perfectly safe to install a Windows Server 2008 CA in a forest where the schema version is still at 30 (Windows Server 2003).

One thing I do want to clarify, however. Enterprise CAs cannot issue certificates to users that belong in other forests. If you've got two domains with two different schema versions, then these two domains must be in different forests. What you'll need to do is install a CA in your extended user forest that is subordinate to the Intermediate CA in your main forest.

Hope this helps,
Jonathan Stephens
July 2nd, 2010 9:18pm
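Putting the answer's sizing rule and its purge-then-compact advice into one script (an added example, not code from the thread; the CA name and database path, the cutoff date, the retry cap and the headroom factor are assumptions):

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the CA.
# Assumed values: CA database name/path, six-month cutoff, 50-pass retry cap.
param(
    [int]    $ExpectedCerts  = 250000,
    [bool]   $KeyArchival    = $true,
    [int]    $HeadroomFactor = 3,   # the answer says to double or triple the base figure
    [string] $PurgeBefore    = (Get-Date).AddMonths(-6).ToString('MM/dd/yyyy'),  # certutil parses this per system locale
    [string] $CaDatabase     = "$env:SystemRoot\System32\CertLog\CONTOSO-ISSUING-CA.edb"  # assumed CA name
)

# 1. Sizing: ~16 KB per issued certificate, plus 4 KB when the private key is archived
function Get-CaDatabaseEstimateGB {
    param([int]$Certs, [bool]$Archive, [int]$Factor)
    $perCertKB = 16 + $(if ($Archive) { 4 } else { 0 })
    # KB -> GB is a division by 1024*1024, which PowerShell spells as 1MB
    return [math]::Round(($Certs * $perCertKB * $Factor) / 1MB, 2)
}
$gb = Get-CaDatabaseEstimateGB $ExpectedCerts $KeyArchival $HeadroomFactor
Write-Host "Provision at least $gb GB for the CA database partition"

# 2. Purge: certutil -deleterow stops after a time limit and returns non-zero while
#    rows remain, so repeat until it exits 0. Table is Request (failed/pending) or Cert (expired).
function Invoke-CaDatabasePurge {
    param([string]$Before, [string]$Table)
    $pass = 0
    do {
        $pass++
        & certutil.exe -deleterow $Before $Table | Out-Null
        $rc = $LASTEXITCODE
        Write-Host "certutil -deleterow $Before $Table : pass $pass, exit code $rc"
    } while ($rc -ne 0 -and $pass -lt 50)   # 50 passes is an assumed safety cap
    return ($rc -eq 0)
}
$purged = (Invoke-CaDatabasePurge $PurgeBefore 'Request') -and (Invoke-CaDatabasePurge $PurgeBefore 'Cert')
if (-not $purged) { throw 'Purge did not finish; leaving the database uncompacted.' }

# 3. Compact: take a CA backup first (certutil -backupDB), then stop CertSvc so esentutl
#    can defragment the .edb offline; run from the CertLog folder so its temp file lands there.
Stop-Service -Name CertSvc
Push-Location (Split-Path $CaDatabase)
try {
    & esentutl.exe /d (Split-Path $CaDatabase -Leaf)
    if ($LASTEXITCODE -ne 0) { throw "esentutl /d failed with exit code $LASTEXITCODE" }
}
finally {
    Pop-Location
    Start-Service -Name CertSvc   # the CA comes back even if compaction failed
}
```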

Sorry for the late reply (been on annual leave). Thank you very much... good information!
August 3rd, 2010 6:35pm
