Generate Assigned Keys
The Generate Assigned Keys timed service pre-generates a number of keys based on the provided criteria. Its main purpose is to have keys prepared in advance, so that a signing operation does not have to wait for key generation, which can be time consuming. The signature application can take one of the available pre-generated keys and use it for issuing the certificate and for the signing operation.
The implementation class of this service is:
com.czertainly.signserver.module.timedservices.keygeneration.GenerateAssignedKeys
The following properties are available for this service:
Property | Description | Default Value | Mandatory |
---|---|---|---|
CRYPTOTOKEN | The name of the crypto token where we want to generate the keys. | NONE | YES |
TARGET_NUMBER_OF_PRE_GENERATED_KEYS | The number of keys that should be available for the crypto token. The service will generate keys until this number is reached. | 10 | NO |
MAXIMAL_NUMBER_OF_KEYS_TO_GENERATE_PER_RUN | The maximal number of keys to generate in one execution of the service. The service will generate keys until the target number of keys is reached. | 100 | NO |
FILTER_PROPERTY_NAME | The name of the property to filter on. The value of the property must match the FILTER_VALUE. | Key specification | NO |
FILTER_VALUE | The value to filter on. The property named by FILTER_PROPERTY_NAME must have this value. | assigned=true, certified=false, enabled=false | NO |
KEYALIAS_PREFIX | The prefix to use for the key aliases of the generated keys. | pregenerated | NO |
KEYGEN_ALGORITHM | The algorithm to use for key generation. | NONE | YES |
KEYGEN_SPECIFICATION | The key specification to use for key generation. | NONE | YES |
REQUIRES_TRANSACTION | Whether the key generation requires a database transaction. If set to true, the service will run in a transaction. | false | NO |
Limitations
The service generates keys until the target number of keys is reached. If the target cannot be reached within a single run, the service generates the maximal number of keys per run and continues in the following runs. The service will not generate more keys than the target number of keys.
Depending on the underlying technology of the CryptoToken, you might experience performance issues if you generate a large number of keys in one go. If you experience performance issues, you might want to lower the value of the MAXIMAL_NUMBER_OF_KEYS_TO_GENERATE_PER_RUN property and execute the service more often. It is recommended to test the performance of the service in your environment before using it in production.
The default transaction timeout for the service is 300 seconds (5 minutes). If the service needs to use the database and takes longer than that to execute, the transaction will be rolled back and the keys will not be generated. If you experience this issue, you might want to tweak the configuration of the service to generate fewer keys more often or build a separate instance that will be responsible only for generating keys in the shared database cluster.
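The following worker properties file is an added example, not taken from the project's documentation. It deploys the service with a small per-run cap and a short interval, as the limitations above suggest. The worker name, crypto token name, interval and key algorithm/specification values are assumptions; TYPE, IMPLEMENTATION_CLASS, NAME, ACTIVE and INTERVAL are standard SignServer timed-service properties.

```properties
# Added example. Values marked "assumed" are illustrative and not from this page.

# Standard SignServer worker wiring for a timed service.
WORKERGENID1.TYPE=TIMED_SERVICE
WORKERGENID1.IMPLEMENTATION_CLASS=com.czertainly.signserver.module.timedservices.keygeneration.GenerateAssignedKeys
# Assumed worker name.
WORKERGENID1.NAME=PreGenerateAssignedKeys

# Run the service every 60 seconds (assumed interval).
WORKERGENID1.ACTIVE=TRUE
WORKERGENID1.INTERVAL=60

# Mandatory: crypto token that will hold the keys (assumed token name).
WORKERGENID1.CRYPTOTOKEN=SigningCryptoToken

# Mandatory: algorithm and specification of the generated keys (assumed values).
WORKERGENID1.KEYGEN_ALGORITHM=RSA
WORKERGENID1.KEYGEN_SPECIFICATION=2048

# Keep 10 keys available (the documented default, stated explicitly).
WORKERGENID1.TARGET_NUMBER_OF_PRE_GENERATED_KEYS=10

# Lowered from the default of 100 so a single run stays short on a slow
# token and well inside the 300 second transaction timeout.
WORKERGENID1.MAXIMAL_NUMBER_OF_KEYS_TO_GENERATE_PER_RUN=5

# Alias prefix of the generated keys (the documented default).
WORKERGENID1.KEYALIAS_PREFIX=pregenerated

# Set to true only if key generation needs a database transaction;
# the 300 second timeout then applies to each run.
WORKERGENID1.REQUIRES_TRANSACTION=false

# FILTER_PROPERTY_NAME and FILTER_VALUE are omitted, so their defaults apply.
```

With these values an empty token reaches the target of 10 keys after two runs, and later runs only replace keys that have been consumed.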