Signserver key generation increasing time #70
danilozacyac asked this question in Q&A (unanswered)
Hi,
I'm using SignServer to include digital signatures within an onboarding process. The integration is complete and I'm able to generate keys that are signed through EJBCA and then import them to SignServer so the user can do the signature process.
However, as the number of keys stored in the Crypto Token grows, the time for the key generation increases, and we can go from 3 seconds for the complete process to more than 30 seconds when we have something like 30 keys in the CryptoToken. After reviewing the logs, we confirmed that it's the process of generating the key that is taking most of the time, first with the key generation and then with the certificate import.
I'm making all the calls through the web service. Am I doing something wrong? Is there another approach?
Here are the logs of the process with an empty Crypto and one with 80 keys:
Empty crypto
2024-01-09 23:55:09.781 +00:00 [INF] Starting Subject Registry OSC: 65297367cf5d6e9cd8a15a84
2024-01-09 23:55:09.844 +00:00 [INF] Name CA used: aesMXIssuing
2024-01-09 23:55:09.907 +00:00 [INF] GetTokenId - Time in seconds:0
2024-01-09 23:55:09.907 +00:00 [INF] Generate signer key in SignServer: 186CEBBB24EF48CDA557DD2DA8F0393E
2024-01-09 23:55:11.923 +00:00 [INF] Generate signer key successfully - Time in seconds:2
2024-01-09 23:55:11.923 +00:00 [INF] Get certificate request for alias in SignServer (CSR)
2024-01-09 23:55:12.875 +00:00 [INF] Cert req info: {"attributes":null,"signatureAlgorithm":"SHA256WithRSA","subjectDN":"CN=Subject Name,O=Organization,OU=Org,emailAddress=test@test.net,C=MEX,organizationIdentifier=8175c300-7997-47f6-8011-116d3ac0bbed,serialNumber=65297367cf5d6e9cd8a15a84"}
2024-01-09 23:55:12.875 +00:00 [INF] Base64 Cert Req: Base 64 Req
2024-01-09 23:55:12.875 +00:00 [INF] Generate Cert REQ Info - Time in seconds:0
2024-01-09 23:55:12.875 +00:00 [INF] Search username in CA
2024-01-09 23:55:12.907 +00:00 [INF] Post Rest API EJBCA:ejbca/ejbca-rest-api/v1/endentity/search
2024-01-09 23:55:12.970 +00:00 [INF] Responde Rest API EJBCA:ejbca/ejbca-rest-api/v1/endentity/search {"end_entities":[{"username":"65297367cf5d6e9cd8a15a84","dn":"E=test@test.net,CN=Subject Name,SN=65297367cf5d6e9cd8a15a84,OU=Org,organizationIdentifier=5f7a190d-72dc-45ef-8176-9548f356dda6,O=Organization,C=MEX","subject_alt_name":"","email":null,"status":"GENERATED","token":"USERGENERATED","extension_data":null}],"more_results":false}
2024-01-09 23:55:12.970 +00:00 [INF] Search username in CA - Time in seconds:0
2024-01-09 23:55:12.970 +00:00 [INF] Edit username in CA change token type to USERGENERATED
2024-01-09 23:55:13.300 +00:00 [INF] Name CA used: aesMXIssuing
2024-01-09 23:55:13.300 +00:00 [INF] Edit username successfully
2024-01-09 23:55:13.300 +00:00 [INF] Send cert req and get certificate signature - certificate chain
2024-01-09 23:55:13.319 +00:00 [INF] POST REST API EJBCA:ejbca/ejbca-rest-api/v1/certificate/certificaterequest:
2024-01-09 23:55:13.539 +00:00 [INF] RESPONSE REST API EJBCA:ejbca/ejbca-rest-api/v1/certificate/certificaterequest {"certificate":" base 64 certificate","serial_number":"2E146DBF5947EEA8C5271E515C605F22A5CC18A8","response_format":"DER","certificate_chain":["Base 64 certificate"]}
2024-01-09 23:55:13.539 +00:00 [INF] SubRegistryOSC and Get Certificate Signature - Time in seconds:0
2024-01-09 23:55:13.539 +00:00 [INF] Generate list certificate signature and certificate chain
2024-01-09 23:55:13.539 +00:00 [INF] Import certificate signature and certificat chain
2024-01-09 23:55:14.329 +00:00 [INF] Import Certificate Signature and Certificate Chain - Time in seconds:0
2024-01-09 23:55:14.329 +00:00 [INF] Subject Registry OSC: 65297367cf5d6e9cd8a15a84 succeassfully
2024-01-09 23:55:14.329 +00:00 [INF] Successfully Registry OSC - Time in seconds:4
Crypto with 80 keys
2024-01-09 06:10:57.710 +00:00 [INF] Starting Subject Registry OSC: 6593929cda78213c5cf64b99
2024-01-09 06:10:57.778 +00:00 [INF] Name CA used: aesMXIssuing
2024-01-09 06:10:57.842 +00:00 [INF] GetTokenId - Time in seconds:0
2024-01-09 06:10:57.842 +00:00 [INF] Generate signer key in SignServer: 4501BC336DE74CFBB5B2331CA139E20F
2024-01-09 06:11:08.460 +00:00 [INF] Generate signer key successfully - Time in seconds:10
2024-01-09 06:11:08.460 +00:00 [INF] Get certificate request for alias in SignServer (CSR)
2024-01-09 06:11:13.305 +00:00 [INF] Cert req info: {"attributes":null,"signatureAlgorithm":"SHA256WithRSA","subjectDN":"CN=Subject Name,O=Organization,OU=Org,emailAddress=test@test.net,C=MEX,organizationIdentifier=17bf262b-a970-464d-abc5-cfd4fd503eeb,serialNumber=6593929cda78213c5cf64b99"}
2024-01-09 06:11:13.330 +00:00 [INF] Base64 Cert Req: Base 64 Req
2024-01-09 06:11:13.330 +00:00 [INF] Generate Cert REQ Info - Time in seconds:4
2024-01-09 06:11:13.330 +00:00 [INF] Search username in CA
2024-01-09 06:11:13.368 +00:00 [INF] Post Rest API EJBCA:ejbca/ejbca-rest-api/v1/endentity/search
2024-01-09 06:11:13.448 +00:00 [INF] Responde Rest API EJBCA:ejbca/ejbca-rest-api/v1/endentity/search {"end_entities":[],"more_results":false}
2024-01-09 06:11:13.448 +00:00 [INF] Search username in CA - Time in seconds:0
2024-01-09 06:11:13.448 +00:00 [INF] Does not exist username in CA
2024-01-09 06:11:13.448 +00:00 [INF] Adding new username in CA
2024-01-09 06:11:13.463 +00:00 [INF] Post Rest API EJBCA:ejbca/ejbca-rest-api/v1/endentity
2024-01-09 06:11:13.495 +00:00 [INF] Response Rest API EJBCA:ejbca/ejbca-rest-api/v1/endentity
2024-01-09 06:11:13.495 +00:00 [INF] Name CA used: aesMXIssuing
2024-01-09 06:11:13.495 +00:00 [INF] Username: 6593929cda78213c5cf64b99 successfully added
2024-01-09 06:11:13.495 +00:00 [INF] Send cert req and get certificate signature - certificate chain
2024-01-09 06:11:13.511 +00:00 [INF] POST REST API EJBCA:ejbca/ejbca-rest-api/v1/certificate/certificaterequest:
2024-01-09 06:11:13.907 +00:00 [INF] RESPONSE REST API EJBCA:ejbca/ejbca-rest-api/v1/certificate/certificaterequest {"certificate": "base 64 certificate" ,"serial_number":"231004DB72EBC5C8EF9360C544A66AED45803E6D","response_format":"DER","certificate_chain": ["base64 certificate"]}
2024-01-09 06:11:13.907 +00:00 [INF] SubRegistryOSC and Get Certificate Signature - Time in seconds:0
2024-01-09 06:11:13.907 +00:00 [INF] Generate list certificate signature and certificate chain
2024-01-09 06:11:13.907 +00:00 [INF] Import certificate signature and certificat chain
2024-01-09 06:11:27.931 +00:00 [INF] Import Certificate Signature and Certificate Chain - Time in seconds:14
2024-01-09 06:11:27.931 +00:00 [INF] Subject Registry OSC: 6593929cda78213c5cf64b99 succeassfully
2024-01-09 06:11:27.931 +00:00 [INF] Successfully Registry OSC - Time in seconds:30
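An added example, not part of the original post and not SignServer code: it recomputes the three SignServer-side step durations from the millisecond timestamps of the two posted runs, because the logged "Time in seconds" values are whole seconds. The step labels in `STEPS` and all function names are chosen here for illustration; the log excerpts are taken from the post with JSON payloads elided.

```python
import re
from datetime import datetime

STEPS = {  # start-of-step messages as they appear in the posted logs
    "keygen": "Generate signer key in SignServer",
    "csr": "Get certificate request for alias",
    "import": "Import certificate signature and",
}
LINE = re.compile(r"^(\S+ \S+ [+-]\d\d:\d\d) \[\w+\] (.*)$")
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f %z"

def parse(log):
    """Return [(datetime, message)] for every well-formed log line."""
    hits = (LINE.match(raw.strip()) for raw in log.splitlines())
    return [(datetime.strptime(m[1], TS_FORMAT), m[2]) for m in hits if m]

def step_seconds(log):
    """Seconds from each step's start line to the next log line."""
    entries = parse(log)
    return {name: round((nxt[0] - cur[0]).total_seconds(), 3)
            for cur, nxt in zip(entries, entries[1:])
            for name, prefix in STEPS.items() if cur[1].startswith(prefix)}

def compare(empty_log, loaded_log):
    """Per step: (empty-token seconds, loaded-token seconds, slowdown factor)."""
    a, b = step_seconds(empty_log), step_seconds(loaded_log)
    return {k: (a[k], b[k], round(b[k] / a[k], 1)) for k in STEPS if k in a and k in b}

# Excerpts of the two runs posted above; JSON payloads elided as {...}.
EMPTY_TOKEN = """\
2024-01-09 23:55:09.907 +00:00 [INF] Generate signer key in SignServer: 186CEBBB24EF48CDA557DD2DA8F0393E
2024-01-09 23:55:11.923 +00:00 [INF] Generate signer key successfully - Time in seconds:2
2024-01-09 23:55:11.923 +00:00 [INF] Get certificate request for alias in SignServer (CSR)
2024-01-09 23:55:12.875 +00:00 [INF] Cert req info: {...}
2024-01-09 23:55:13.539 +00:00 [INF] Import certificate signature and certificat chain
2024-01-09 23:55:14.329 +00:00 [INF] Import Certificate Signature and Certificate Chain - Time in seconds:0"""
TOKEN_80_KEYS = """\
2024-01-09 06:10:57.842 +00:00 [INF] Generate signer key in SignServer: 4501BC336DE74CFBB5B2331CA139E20F
2024-01-09 06:11:08.460 +00:00 [INF] Generate signer key successfully - Time in seconds:10
2024-01-09 06:11:08.460 +00:00 [INF] Get certificate request for alias in SignServer (CSR)
2024-01-09 06:11:13.305 +00:00 [INF] Cert req info: {...}
2024-01-09 06:11:13.907 +00:00 [INF] Import certificate signature and certificat chain
2024-01-09 06:11:27.931 +00:00 [INF] Import Certificate Signature and Certificate Chain - Time in seconds:14"""

if __name__ == "__main__":
    for step, (empty, loaded, factor) in compare(EMPTY_TOKEN, TOKEN_80_KEYS).items():
        print(f"{step:7s} {empty:7.3f}s -> {loaded:7.3f}s  (x{factor})")
```

On the posted runs the three SignServer calls account for about 29.5 of the roughly 30 seconds in the 80-key run, while the EJBCA REST calls between them stay under a second.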