A certificate system provides a security framework to ensure that network resources are accessed by authorized users. The certificate system is capable of generating digital certificates for different users to verify the identity of a presenter. The certificate system can include a Certificate Authority (CA) subsystem to issue and revoke certificates. Revoked certificates are certificates that are no longer valid and should no longer be relied upon. A certificate revocation list (CRL) is a list of the revoked certificates.
Prior to installation of the CA servers, a system administrator can determine the number of CA servers to deploy for a certificate system. Typically, a system administrator can estimate a relationship between the number of certificates issued by a CA server and the number of certificates that are revoked by the CA server. For example, a system administrator may estimate that a CA server may revoke ten percent of the issued certificates. A system administrator can use this relationship to determine the number of CA servers for deployment. For example, a system administrator may determine that a CA server can support a CRL of up to 2.5 million revoked certificates and thus, at a revocation rate of ten percent, the CA server is capable of issuing up to 25 million certificates. If the system administrator needs to build a certificate system capable of issuing 100 million certificates, the system administrator can deploy four CA servers.
The generation of a CRL consumes much of a CA server's resources. Once a system administrator has confirmed the size of a CRL for a CA server, the system administrator can have confidence that a CA server can issue and revoke certificates based on the size of the CRL. Therefore, a system administrator typically first determines the size of a CRL for a CA server. The system administrator can determine the size of a CRL for a CA server by manually simulating real-world use of a CA server. For example, a system administrator can take up to one week to generate 50 million certificates on a CA server and attempt to generate a CRL. The generated CRL may include 3 million revoked certificates. The system administrator can use the user-defined relationship, such as ten percent, to determine that this CA server, which can support a CRL of up to 3 million revoked certificates, can issue up to 30 million certificates. If the system administrator needs a configuration to support 100 million certificates, the system administrator can plan to deploy at least four CA servers. Planning for deployment, however, may be an arduous and time-consuming process. System administrators may not have the resources for such a manual deployment planning process.