Too Many Certificates

Take necessary steps to monitor the total number of stored certificates in the vHSM cluster.

This health check monitors the total number of stored certificates in your vHSM cluster. An excessive number of certificates can lead to performance degradation, storage issues, and inefficient certificate management.

Health Check Name:too_many_certs

Accessed APIs

Method

Endpoint

Description

READ

/tidy-status

Checks last tidy operation status

LIST

/certs

Retrieves a list of all stored certs

Configuration Parameters

Parameter

Type

Description

count_warning

int

Warning threshold for certificate count (Default: 50000)

count_critical

int

Critical threshold for certificate count (Default: 250000)

Health Check Behavior

Condition

Status Level

Certificate count > count_warning but < count_critical

Warning

Certificate count ≥ count_critical

Critical

If tidy has not run, vHSM falls back to using a LIST /certs operation to assess certificate count.

Recommended Actions

Verify tidy status:
```
vhsm read <mount>/tidy-status
```

Run a manual tidy operation to clean up stale/expired certs:

vhsm write <mount>/tidy \
    tidy_cert_store=true \
    tidy_revoked_certs=true \
    tidy_acme=true \
    tidy_revocation_queue=true \
    tidy_cross_cluster_revoked_certs=true \
    tidy_revoked_cert_issuer_associations=true

Enable auto-tidy for continuous cleanup and long-term maintenance.
Avoid premature certificate renewals:
- Adjust certificate TTL to reflect realistic usage patterns.
- vHSM automatically renews certificates at ~2/3 of their lifespan, so setting TTLs appropriately can help reduce cert volume.
Set no_store=true for all non-ACME roles where storage isn’t needed:
- Use Bring Your Own Certificate (BYOC) revocation workflows to manage cert lifecycle and avoid unnecessary certificate storage.

PreviousTidy Hasn't Run NextEnable ACME Issuance

Last updated 1 month ago

Was this helpful?