7.7. Enabling a Publishing Queue

Part of the enrollment process includes publishing the issued certificate to any directories or files. This, essentially, closes out the initial certificate request. However, publishing a certificate to an external network can significantly slow down the issuance process — which leaves the request open.
To avoid this situation, administrators can enable a publishing queue. The publishing queue separates the publishing operation (which may involve an external LDAP directory) from the request and enrollment operations, which use a separate request queue. The request queue is updated immediately to show that the enrollment process is complete, while the publishing queue sends the information at the pace of the network traffic.
The publishing queue sets a defined, limited number of threads that publish generated certificates, rather than opening a new thread for each approved certificate.
The publishing queue is disabled by default. It can be enabled in the CA Console, along with enabling publishing.

Note

While the publishing queue is disabled by default, the queue is automatically enabled if LDAP publishing is enabled in the Console. Otherwise, the queue can be enabled manually.

Figure 7.1. Enabling the Publishing Queue

Note

Enabling the publishing queue by editing the CS.cfg file allows administrators to set other options for publishing, like the number of threads to use for publishing operations and the queue page size.
  1. Stop the CA server, so that you can edit the configuration files.
    # systemctl stop pki-tomcatd@instance-name.service
  2. Open the CA's CS.cfg file.
    vim /var/lib/pki/instance-name/ca/conf/CS.cfg
  3. Set the ca.publish.queue.enable parameter to true. If the parameter is not present, add a line with the parameter.
    ca.publish.queue.enable=true
  4. Set other related publishing queue parameters:
    • ca.publish.queue.maxNumberOfThreads sets the maximum number of threads that can be opened for publishing operations. The default is 3.
    • ca.publish.queue.priorityLevel sets the priority for publishing operations. The priority value ranges from -2 (lowest priority) to 2 (highest priority). Zero (0) is normal priority and is also the default.
    • ca.publish.queue.pageSize sets the maximum number of requests that can be stored in the publishing queue page. The default is 40.
    • ca.publish.queue.saveStatus sets how often the queue saves its status, as a number of publishing operations between saves. This allows the publishing queue to be recovered if the CA is restarted or crashes. The default is 200, but any non-zero number will recover the queue when the CA restarts. Setting this parameter to 0 disables queue recovery.
    ca.publish.queue.maxNumberOfThreads=1
    ca.publish.queue.priorityLevel=0
    ca.publish.queue.pageSize=100
    ca.publish.queue.saveStatus=200

    Note

    Setting ca.publish.queue.enable to false and ca.publish.queue.maxNumberOfThreads to 0 disables both the publishing queue and using separate threads for publishing issued certificates.
  5. Restart the CA server.
    # systemctl restart pki-tomcatd@instance-name.service
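
The edits in steps 3 and 4 can be scripted and checked before the restart. The following is an added shell example, not part of the original documentation: set_param replaces a parameter line or appends it when absent, and check_queue compares the values with the ranges and defaults listed above. The function names, the integer upper bound, and the lower bound of 1 for pageSize are assumptions.

```shell
#!/bin/sh
# Added example (not from the product documentation): helpers for steps 3-4.
# Use only while the CA is stopped (step 1) and after backing up CS.cfg.
MAX=2147483647   # assumed upper bound for integer parameters; not stated on the page

# set_param FILE KEY VALUE: replace the KEY= line, or append it if absent.
set_param() {
    tmp=$(mktemp) || return 1
    awk -v k="$2" -v v="$3" '
        index($0, k "=") == 1 { if (!done) print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }' "$1" > "$tmp" &&
    cat "$tmp" > "$1"      # overwrite in place so owner and mode are unchanged
    rc=$?; rm -f "$tmp"; return $rc
}

# get_param FILE KEY DEFAULT: print the configured value, or DEFAULT if unset.
get_param() {
    awk -v k="$2=" -v d="$3" '
        index($0, k) == 1 { v = substr($0, length(k) + 1); seen = 1 }
        END { print (seen ? v : d) }' "$1"
}

# in_range VALUE MIN MAX: succeed if VALUE is an integer within [MIN, MAX].
in_range() {
    case $1 in ''|-|*[!0-9-]*|?*-*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_queue FILE: report values outside the documented ranges; return 1 on error.
check_queue() {
    p=ca.publish.queue rc=0
    enable=$(get_param "$1" "$p.enable" false)          # disabled by default
    threads=$(get_param "$1" "$p.maxNumberOfThreads" 3)
    prio=$(get_param "$1" "$p.priorityLevel" 0)
    page=$(get_param "$1" "$p.pageSize" 40)
    save=$(get_param "$1" "$p.saveStatus" 200)
    case $enable in true|false) ;; *) echo "ERROR: enable=$enable is not true or false"; rc=1 ;; esac
    in_range "$threads" 0 "$MAX" || { echo "ERROR: maxNumberOfThreads=$threads"; rc=1; }
    in_range "$prio" -2 2 || { echo "ERROR: priorityLevel=$prio is outside -2..2"; rc=1; }
    in_range "$page" 1 "$MAX" || { echo "ERROR: pageSize=$page"; rc=1; }   # minimum of 1 is an assumption
    in_range "$save" 0 "$MAX" || { echo "ERROR: saveStatus=$save"; rc=1; }
    [ "$save" = 0 ] && echo "WARN: saveStatus=0 disables queue recovery after a restart or crash"
    [ "$enable" = false ] && [ "$threads" = 0 ] && echo "INFO: publishing queue and separate publishing threads are both disabled"
    return $rc
}
# Usage, with the path from step 2:
#   cfg=/var/lib/pki/instance-name/ca/conf/CS.cfg
#   set_param "$cfg" ca.publish.queue.enable true && check_queue "$cfg"
```

Run check_queue after editing and before step 5, so that a mistyped value is caught while the CA is still stopped.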