High-volume certificate issuance scenarios such as Network Access Protection (NAP) deployments with Internet Protocol security (IPsec) enforcement create unique public key infrastructure (PKI) needs. To address these needs, the following options introduced in Windows Server 2008 R2 can be used to configure certificate templates for use by high-volume certification authorities (CAs). These options are available on the Server tab of a certificate template's property sheet.
Do not store certificates and requests in the CA database
Certificates issued in high-volume scenarios typically expire within hours of being issued, and the issuing CA processes a high volume of certificate requests. By default, a record of each request and issued certificate is stored in the CA database. A high volume of requests increases the CA database growth rate and administration cost.
The Do not store certificates and requests in the CA database option configures the template so that the CA processes certificate requests without adding records to the CA database.
The issuing CA must be configured to support certificate requests that have this option enabled; otherwise it does not accept requests from templates that use it. On the issuing CA, run the following command: certutil.exe -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS. As with other -setreg changes, restart the CA service (net stop certsvc followed by net start certsvc) for the new flag to take effect.
Do not include revocation information in issued certificates
For many high-volume CAs, revocation provides little benefit because the certificates typically expire within hours of being issued.
The Do not include revocation information in issued certificates option configures the template so that the CA excludes revocation information from issued certificates. Because such certificates carry no revocation information, relying parties cannot perform a revocation check during certificate validation, which shortens validation time.
This option is recommended whenever the Do not store certificates and requests in the CA database option is used: a certificate with no record in the CA database cannot be revoked by the CA, so revocation information in it would only send relying parties to checks that can never report it revoked. The short validity period is then the only control that limits the lifetime of such a certificate.
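The following PowerShell script is an added example, not part of the original article, that checks both prerequisites described above on an issuing CA: whether DBFLAGS_ENABLEVOLATILEREQUESTS is set in the CA's DBFlags, and whether a certificate issued from a high-volume template actually omits revocation information while keeping a short lifetime. It assumes it runs on the CA host (so certutil.exe is available) and that the certificate file path and the 24-hour threshold are placeholders you replace.

```powershell
# Added example (not from the original article). Assumes it runs on the issuing CA
# and that 'C:\Temp\issued-cert.cer' is a placeholder for a certificate issued from
# a template that uses the two Server-tab options discussed on this page.

function Test-VolatileRequestsEnabled {
    # certutil -getreg decodes the DBFlags bits that are set into their symbolic
    # names, so the flag name appears in the output only when it is enabled.
    $output = & certutil.exe -getreg DBFlags 2>&1 | Out-String
    return ($output -match 'DBFLAGS_ENABLEVOLATILEREQUESTS')
}

function Get-RevocationInfoReport {
    param(
        [Parameter(Mandatory)] [string] $CertificatePath,
        [int] $MaxLifetimeHours = 24   # placeholder: what "expires within hours" means for your deployment
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertificatePath

    # Revocation information lives in two extensions: CRL Distribution Points
    # (OID 2.5.29.31) and Authority Information Access (OID 1.3.6.1.5.5.7.1.1),
    # the latter carrying the OCSP responder location.
    $hasCdp = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })
    $hasAia = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' })
    $lifetimeHours = ($cert.NotAfter - $cert.NotBefore).TotalHours

    # A certificate that relying parties cannot check for revocation (no CDP/AIA)
    # and that the CA cannot revoke (no database record) is acceptable only if it
    # also expires quickly; flag the combination of no revocation info + long life.
    $risk = 'OK'
    if (-not ($hasCdp -or $hasAia) -and $lifetimeHours -gt $MaxLifetimeHours) {
        $risk = 'No revocation information but lifetime exceeds threshold'
    }

    [pscustomobject]@{
        Subject           = $cert.Subject
        LifetimeHours     = [math]::Round($lifetimeHours, 1)
        HasCrlDistPoint   = $hasCdp
        HasAuthInfoAccess = $hasAia
        Risk              = $risk
    }
}

if (-not (Test-VolatileRequestsEnabled)) {
    Write-Warning 'DBFlags does not include DBFLAGS_ENABLEVOLATILEREQUESTS; the CA is not configured for templates that use "Do not store certificates and requests in the CA database".'
}
Get-RevocationInfoReport -CertificatePath 'C:\Temp\issued-cert.cer' | Format-List
```

Run it in an elevated PowerShell session on the CA; a Risk value other than OK means a template is issuing certificates that nobody can revoke yet live longer than your deployment's "hours" assumption.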