The PKI Hub does not require a database. However, some Entrust solutions have the requirements described in the table below.
Solution databases can be hosted on the same DBMS. However, do not merge tables from different solutions into a single database, as each solution requires a dedicated database.
Database Management System
The external databases of Entrust solutions support the following Database Management Systems (DBMSs).
| Solution | Oracle | PostgreSQL | Microsoft SQL Server |
|---|---|---|---|
| Certificate Authority | | 15+ | |
| Certificate Manager | | 15+ | |
| Validation Authority | 21.3.0 | 15+ | 2019 CU15, 2022 CU13 |
| Certificate Enrollment Gateway | | 15+ | 2019+, 2022+ |
Database storage
Calculate the required database storage based on the expected data.
| Solution | Number of managed certificates | Size |
|---|---|---|
| Certificate Authority | 100,000 | ~1,500 MB |
| Certificate Enrollment Gateway | 100,000 | TBD |
| Certificate Manager | 100,000 | ~350 MB |
| Validation Authority | 100,000 | ~75 MB |
Storage figures are approximate, as the size of each certificate depends on factors such as the certificate algorithm and extensions.
Database platform
Check the DBMS documentation for the DBMS requirements on each platform. For PostgreSQL, we recommend downloading the official Docker image:
https://hub.docker.com/_/postgres
If you are not using this Docker image, make sure to install the pg_trgm extension by running this command.

```shell
sudo dnf install postgresql15-contrib
```

Database user permissions
The database user must have permissions on the public schema.
For example, to create a Certificate Manager database user with sufficient permissions, connect to psql using the default PostgreSQL user and execute the following commands.

```sql
CREATE USER ${POSTGRES_USER} WITH NOSUPERUSER CREATEDB ENCRYPTED PASSWORD '${POSTGRES_PWD}';
\c postgres ${POSTGRES_USER}
CREATE DATABASE cm;
\c cm ${POSTGRES_USER}
CREATE EXTENSION IF NOT EXISTS pg_trgm;
```

Where:
- ${POSTGRES_USER} is the database user name selected when Configuring and deploying Certificate Manager.
- ${POSTGRES_PWD} is the database user password selected when Configuring and deploying Certificate Manager.
Database allowed connections
Restrict database incoming connections to those originating from the PKI Hub host.
To restrict incoming connections on a PostgreSQL database
Edit the following PostgreSQL configuration file.

```
pg_hba.conf
```

Add the following line.

```
hostssl cm ${POSTGRES_USER} <host> scram-sha-256
```

Where:
- <host> is the IP address of the PKI Hub host.
Database supported number of connections
The number of connections the database must support depends on several factors.
- The deployed solutions.
- The number of installation nodes in the PKI Hub cluster.
- The number of clusters using the same database.
See below for the required connections.

| Solution | Required connections |
|---|---|
| Certificate Authority | To be determined |
| Certificate Enrollment Gateway | 10 connections per cluster node |
| Certificate Manager | 500 connections per cluster |
| Validation Authority | To be determined |

For example, in a 3-node cluster, a database hosting both Certificate Enrollment Gateway and Certificate Manager must support at least the following number of connections.

| Solution | Required connections |
|---|---|
| Certificate Enrollment Gateway | 10 x 3 nodes = 30 |
| Certificate Manager | 500 x 1 cluster = 500 |
| Total | 530 |
Database TLS certificate
RFC 2818 deprecates the use of the Common Name (CN) field in the Subject for hostname verification. TLS clients use the Subject Alternative Name (SAN) extension instead.
TLS certificate validation will fail if the hostname or IP address is not present in the Subject Alternative Name (SAN), even if it appears in the Common Name.
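As an added illustration (not Entrust's code), the following Python check applies the SAN-only rule described above to the certificate dict that `ssl`'s `getpeercert()` returns, so a database certificate that names the host only in its CN is rejected; the two certificates and the `cafile` path are constructed placeholders.

```python
import ipaddress
import ssl
from typing import Mapping

# Constructed certificates in the dict shape that ssl.SSLSocket.getpeercert()
# returns: one carries the database host only in the Subject CN, the other
# also lists it in the Subject Alternative Name (SAN) extension.
CN_ONLY_CERT = {"subject": ((("commonName", "db.example.test"),),)}
SAN_CERT = {
    "subject": ((("commonName", "db.example.test"),),),
    "subjectAltName": (("DNS", "db.example.test"), ("IP Address", "10.0.0.5")),
}


def _dns_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single '*' as the whole leftmost label (RFC 6125 style)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    # A wildcard must cover exactly one label and leave at least two fixed labels.
    return p_labels[0] == "*" and len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]


def san_matches(cert: Mapping, host: str) -> bool:
    """Accept `cert` for `host` on the strength of its SAN entries only.
    The Subject CN is deliberately ignored: a certificate that names the host
    only in the CN fails, as described above (RFC 2818, section 3.1)."""
    try:
        wanted_ip = ipaddress.ip_address(host)
    except ValueError:
        wanted_ip = None  # host is a DNS name, not an IP address
    for kind, value in cert.get("subjectAltName", ()):
        if wanted_ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == wanted_ip:
                    return True
            except ValueError:
                continue  # a malformed SAN entry never matches
        elif wanted_ip is None and kind == "DNS" and _dns_matches(value, host):
            return True
    return False


def strict_client_context(cafile: str) -> ssl.SSLContext:
    """TLS context for a live check that, like the PKI Hub, never falls back to the CN."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: placeholder CA bundle path
    ctx.hostname_checks_common_name = False
    return ctx
```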
Database names
In the Certificate Manager database, names should not use uppercase letters, to avoid case-sensitivity problems. Unquoted identifiers in SQL syntax are converted to lowercase, which can lead to problems when mapping to a name that contains uppercase letters.