Performance Impact

Ensure that no_store=false is applied only to non-ACME roles, configure short certificate lifetimes, and use BYOC revocations to manage certificate cleanup effectively.

This health check identifies roles where no_store is explicitly set to false, which can lead to performance degradation if certificate volumes are high and CRL auto-rebuilding is not enabled.

Health Check Name: role_no_store_false

Accessed APIs

| Method | Endpoint | Description |
| --- | --- | --- |
| LIST | /roles | Lists all configured roles. |
| READ | /roles/:name | Reads the configuration for a specific role. |
| LIST | /certs | Lists all certificates issued. |
| READ | /config/crl | Reads the CRL configuration. |

Configuration Parameters

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| allowed_roles | list | nil | A list of role names to exclude from this health check. |

Health Check Results

| Check Criteria | Description |
| --- | --- |
| no_store=false | If a role has no_store explicitly set to false, vHSM issues a warning. This can negatively impact performance, especially when managing a large number of certificates and when CRL auto-rebuilding is not enabled. |

  • Update non-ACME roles to use no_store=false. Note: ACME roles must have no_store=true.

  • Set certificate lifetimes as short as possible to reduce the load on CRL and storage systems.

  • Use Bring Your Own Certificate (BYOC) revocations to revoke certificates proactively when necessary.
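
The check criteria above applied to role data, as an added example that is not vHSM's own code. Only `no_store` and `allowed_roles` come from this page; the response shapes, the `auto_rebuild` field name, and the 10,000-certificate threshold are assumptions.

```python
# Added example: the role_no_store_false criteria applied to constructed data.
# Assumptions: response shapes, the auto_rebuild field, and the volume threshold.

CERT_VOLUME_THRESHOLD = 10_000  # assumed cut-off for a "high" certificate count


def check_role_no_store_false(roles, cert_serials, crl_config, allowed_roles=None):
    """Return the roles the check would flag and whether performance is at risk.

    roles        -- {role name: config from READ /roles/:name}
    cert_serials -- serial list from LIST /certs
    crl_config   -- config from READ /config/crl
    """
    excluded = set(allowed_roles or [])
    # Only an explicit False counts; a missing key is not "explicitly set".
    flagged = sorted(
        name for name, cfg in roles.items()
        if name not in excluded and cfg.get("no_store") is False
    )
    high_volume = len(cert_serials) >= CERT_VOLUME_THRESHOLD
    auto_rebuild = crl_config.get("auto_rebuild") is True
    return {
        "status": "warning" if flagged else "ok",
        "roles": flagged,
        "cert_count": len(cert_serials),
        # Stored certs hurt most when volume is high and the CRL is not auto-rebuilt.
        "performance_risk": bool(flagged) and high_volume and not auto_rebuild,
    }


# Constructed sample data standing in for the four API responses.
SAMPLE_ROLES = {
    "web-server": {"no_store": False, "ttl": "720h"},
    "acme-clients": {"no_store": True, "ttl": "24h"},
    "batch-signing": {"no_store": False, "ttl": "8760h"},
    "legacy": {"ttl": "720h"},  # no_store never set
}
SAMPLE_CERTS = [f"{n:016x}" for n in range(12_000)]
SAMPLE_CRL = {"auto_rebuild": False, "expiry": "72h"}

if __name__ == "__main__":
    result = check_role_no_store_false(
        SAMPLE_ROLES, SAMPLE_CERTS, SAMPLE_CRL, allowed_roles=["batch-signing"]
    )
    print(result)
```
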
