Performance Impact

Perform necessary actions to ensure that no_store=false is applied only to non-ACME roles, configure short certificate lifetimes, and use BYOC revocations to effectively manage certificate cleanup.

This health check identifies roles where no_store is explicitly set to false, which can lead to performance degradation if certificate volumes are high and CRL auto-rebuilding is not enabled.

Health Check Name: role_no_store_false

Accessed APIs

Method

Endpoint

Description

LIST

/roles

Lists all configured roles.

READ

/roles/:name

Reads the configuration for a specific role.

LIST

/certs

Lists all certificates issued.

READ

/config/crl

Reads the CRL configuration.

Configuration Parameters

Parameter

Type

Default

Description

allowed_roles

list

nil

A list of role names to exclude from this health check.

Health Check Results

Check Criteria

Description

no_store=false

If a role has no_store explicitly set to false, vHSM issues a warning. This can negatively impact performance, especially when managing a large number of certificates and when CRL auto-rebuilding is not enabled.

Recommended Actions

Update non-ACME roles to use no_store=false. Note: ACME roles must have no_store=true.
Set certificate lifetimes as short as possible to reduce the load on CRL and storage systems.
Use Bring Your Own Certificate (BYOC) revocations to revoke certificates proactively when necessary.

PreviousRole Allows Glob-Based Wildcard Issuance NextAccessibility of Audit Information

Last updated 2 months ago

Was this helpful?

Performance Impact

Perform necessary actions to ensure that no_store=false is applied only to non-ACME roles, configure short certificate lifetimes, and use BYOC revocations to effectively manage certificate cleanup.

This health check identifies roles where no_store is explicitly set to false, which can lead to performance degradation if certificate volumes are high and CRL auto-rebuilding is not enabled.

Health Check Name: role_no_store_false

Accessed APIs

Method

Endpoint

Description

LIST

/roles

Lists all configured roles.

READ

/roles/:name

Reads the configuration for a specific role.

LIST

/certs

Lists all certificates issued.

READ

/config/crl

Reads the CRL configuration.

Configuration Parameters

Parameter

Type

Default

Description

allowed_roles

list

nil

A list of role names to exclude from this health check.

Health Check Results

Check Criteria

Description

no_store=false

Recommended Actions

Update non-ACME roles to use no_store=false. Note: ACME roles must have no_store=true.
Set certificate lifetimes as short as possible to reduce the load on CRL and storage systems.
Use Bring Your Own Certificate (BYOC) revocations to revoke certificates proactively when necessary.

PreviousRole Allows Glob-Based Wildcard Issuance NextAccessibility of Audit Information

Last updated 2 months ago

Was this helpful?