Hi All,
I’m experiencing some performance issues / delays while performing common ADCS tasks/processes on an Enterprise Subordinate CA that has an HSM installed to handle the cryptography & key management. The Subordinate CA’s private key was created using the CNG ECDSA_P521. I’m not sure if the higher Elliptical Curve bit size is causing extra processing load and leading to the latency issues I’m experiencing.
Environment:
Two-tier Windows PKI
Offline Standalone Root CA (Server 2012)
Online Enterprise Subordinate CA (Server 2012) - THIS IS THE SERVER THAT I’M EXPERIENCING THE BELOW ISSUES ON
Issue #1 – Almost 4 minutes of delay before displaying “Cryptography” tab on the properties of a certificate template
Logged in to the Online Enterprise Subordinate Certificate Authority & launched Certificate Templates Console “certtmpl.msc”
Right-click on ANY version 2 or greater certificate template (same is also true if I create a new template by duplicating an existing template) and select “Properties”
Clicking on the “Cryptography” tab causes the title of the properties box to display “Not Responding”
A long period later (when I timed it this morning it took 3 minutes and 50 seconds) the tab displays normally and I can select the appropriate CSP or CNG
While it is processing/loading (or whatever it’s doing) there are multiple Application event logs (37 log entries on my last attempt) and they all say the same thing (aside from the varying PIDs)
Source: HSMLog, Event ID: 1
Sample log “2014-05-08 15:42:38: HSM server: Notice: CreateClient (v1) pid: 1364, process name: C:\windows\system32\mmc.exe”
Note: I have other Enterprise Subordinate CAs in my domain that don’t use the HSM but show the exact same certificate templates (templates live in the domain). When I go to the Cryptography tab on those other Sub CAs there is almost no delay.
Issue #2 – Longer delay than usual (approximately 35 to 40 seconds) when browsing to https://subca/certsrv
Enrolled a computer certificate for SSL/TLS on the Subordinate CA. Certificate is using CNG ECDH_P384 (not using HSM CNG).
Set the HTTPS binding in IIS to utilize that certificate.
When I browse the web enrollment site “https://subca/certsrv” it asks for my credentials and then it takes 35 to 40 seconds to load the page.
While it is processing/loading (or whatever it’s doing) there are multiple Application event logs (7 log entries on my last attempt) and they all say the same thing (aside from the varying PIDs)
Source: HSMLog, Event ID: 1
Sample log “2014-05-08 15:59:14: HSM server: Notice: CreateClient (v1) pid: 3860, process name: c:\windows\system32\inetsrv\w3wp.exe”
Note: Using the same certificate template I’ve enrolled certificates on other servers using SSL/TLS and another Subordinate CA that is not using the HSM and has the certificate web enrollment site. On the other servers the page comes up quickly with no delays.
Can anyone suggest a solution for the above 2 issues that can help me solve the problem?
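
Added example, not part of the original post: a PowerShell function that summarises the HSMLog CreateClient entries described under both issues per process (event count, distinct PIDs, time span, average gap between events), so each delay can be compared against HSM client activity. The function name, the output fields and the sample lines other than the two quoted in the post are constructed; it assumes the event message text matches the quoted samples and that the "Source" HSMLog is usable as the provider name.

```powershell
# Added example (not from the original post): summarise HSMLog CreateClient events.
function Get-HsmClientSummary {
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Message)
    begin {
        # Message layout taken from the two samples quoted in the post.
        $pattern = '(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): HSM server: Notice: ' +
                   'CreateClient \(v\d+\) pid: (?<id>\d+), process name: (?<proc>.+?)\s*$'
        $rows = New-Object 'System.Collections.Generic.List[object]'
    }
    process {
        foreach ($line in $Message) {
            if ($line -notmatch $pattern) { continue }   # ignore other HSMLog notices
            $rows.Add([pscustomobject]@{
                Time      = [datetime]::ParseExact($Matches['ts'], 'yyyy-MM-dd HH:mm:ss',
                                [cultureinfo]::InvariantCulture)
                ProcessId = [int]$Matches['id']
                Process   = $Matches['proc'].ToLowerInvariant()   # paths differ in case
            })
        }
    }
    end {
        foreach ($g in ($rows | Group-Object Process)) {
            $times = @($g.Group | Sort-Object Time | ForEach-Object { $_.Time })
            $span  = ($times[-1] - $times[0]).TotalSeconds
            [pscustomobject]@{
                Process       = $g.Name
                Events        = $g.Count
                DistinctPids  = @($g.Group | Select-Object -ExpandProperty ProcessId -Unique).Count
                First         = $times[0]
                SpanSeconds   = $span
                # Mean interval between consecutive CreateClient events
                AvgGapSeconds = if ($g.Count -gt 1) { [math]::Round($span / ($g.Count - 1), 1) } else { $null }
            }
        }
    }
}

# Constructed sample: the first and last lines are the ones quoted in the post,
# the two in between are made up for illustration.
$sample = @(
    '2014-05-08 15:42:38: HSM server: Notice: CreateClient (v1) pid: 1364, process name: C:\windows\system32\mmc.exe'
    '2014-05-08 15:42:44: HSM server: Notice: CreateClient (v1) pid: 2210, process name: C:\windows\system32\mmc.exe'
    '2014-05-08 15:42:51: HSM server: Notice: CreateClient (v1) pid: 2388, process name: C:\windows\system32\mmc.exe'
    '2014-05-08 15:59:14: HSM server: Notice: CreateClient (v1) pid: 3860, process name: c:\windows\system32\inetsrv\w3wp.exe'
)
$sample | Get-HsmClientSummary | Format-Table -AutoSize
# On the CA itself (assumes "HSMLog" is the provider name behind the Source column):
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'HSMLog'; Id = 1 } |
#     Select-Object -ExpandProperty Message | Get-HsmClientSummary
```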