We have finally completed a GLOBAL certificate look-up table for real-time notifications in our re-designed KeyChest service. KeyChest has been using an external service to check for new certificates. This has become unsustainable due to the number of users and certificates we monitor.
Note: Fast-forward from September 2018 to July 2020 - the size of the table is now over 11,200,000,000 entries.
We have seen big fluctuations in the performance of KeyChest.net since last autumn. It was not hard to find the cause: downtime and throughput limits of the third-party cloud service we used to look up certificate updates.
In January, it became clear that we would not be able to implement any reliable real-time notifications without our own certificate look-up tables. We did several test runs of building such tables to learn how much CPU, disk I/O and network bandwidth they need when run on our bootstrapping budget.
In July, we finally arrived at a lightweight design that is efficient enough to be sustainable while giving us all the information we need in near real time. At the moment the table is updated within 30 seconds of the primary CT log database; our goal is 10 seconds.
The size of the lookup table has passed 5,560,000,000 entries and is constantly growing. And the speed of the growth is absolutely astonishing. The chart below shows its growth over a 30-day period.
We have yet to analyze the data properly, but there appear to be between 1,000,000 and 2,000,000 internet certificates expiring every day. It is an astonishing number.
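The two operational problems the paragraphs above describe, keeping a look-up table within seconds of the CT log head and picking out the names whose certificates are about to expire, come down to an incremental log follower with a cursor and a name-keyed index. The following is an added illustration, not KeyChest code and not the design described in the post. It runs offline against a hypothetical `FakeCtLog` whose `get_sth()`/`get_entries()` mimic the shape of the RFC 6962 endpoints but return constructed dict entries rather than real MerkleTreeLeaf structures; all certificate data in it is made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _ts(s):
    """Parse a constructed 'YYYY-MM-DD' string into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


class FakeCtLog:
    """Hypothetical offline stand-in for a CT log. Mirrors the shape of the
    RFC 6962 get-sth / get-entries calls, but entries are plain dicts."""

    MAX_BATCH = 3  # real logs also cap how many entries one request returns

    def __init__(self, entries):
        self._entries = list(entries)

    def append(self, entry):
        self._entries.append(entry)

    def get_sth(self):
        return {"tree_size": len(self._entries)}

    def get_entries(self, start, end):
        end = min(end, start + self.MAX_BATCH - 1)
        return self._entries[start:end + 1]


class CertIndex:
    """Incrementally mirrors a log into a DNS-name-keyed lookup table."""

    def __init__(self, log, batch=256):
        self.log = log
        self.batch = batch
        self.cursor = 0                    # next log index still to ingest
        self.by_name = defaultdict(list)   # lower-cased DNS name -> records

    def sync(self):
        """Ingest everything between the cursor and the log head; return lag."""
        tree_size = self.log.get_sth()["tree_size"]
        while self.cursor < tree_size:
            end = min(self.cursor + self.batch, tree_size) - 1
            entries = self.log.get_entries(self.cursor, end)
            if not entries:          # nothing returned: retry on the next pass
                break
            for entry in entries:    # the log may return fewer than requested
                self._ingest(self.cursor, entry)
                self.cursor += 1
        return self.lag()

    def lag(self):
        """Entries the log has that have not been ingested yet."""
        return self.log.get_sth()["tree_size"] - self.cursor

    def _ingest(self, index, entry):
        record = {"index": index, "not_after": _ts(entry["not_after"]),
                  "issuer": entry["issuer"]}
        for name in entry["names"]:
            self.by_name[name.lower()].append(record)

    def lookup(self, name):
        """Records covering `name`, including a matching wildcard entry."""
        name = name.lower()
        records = list(self.by_name.get(name, []))
        if "." in name:
            records += self.by_name.get("*." + name.split(".", 1)[1], [])
        return records

    def expiring_within(self, now, days):
        """Names whose newest certificate expires within `days`. Using the
        newest not_after per name avoids alerting on already-renewed certs."""
        horizon = now + timedelta(days=days)
        out = []
        for name, records in self.by_name.items():
            newest = max(r["not_after"] for r in records)
            if now < newest <= horizon:
                out.append((name, newest.date().isoformat()))
        return sorted(out)


def make_sample_log():
    """Constructed sample entries; none of these are real certificates."""
    return FakeCtLog([
        {"names": ["example.com", "www.example.com"], "not_after": "2020-07-20", "issuer": "Issuer A"},
        {"names": ["*.example.org"], "not_after": "2020-08-30", "issuer": "Issuer A"},
        {"names": ["old.example.net"], "not_after": "2020-07-05", "issuer": "Issuer B"},
        {"names": ["old.example.net"], "not_after": "2020-10-01", "issuer": "Issuer B"},  # renewal
    ])


def demo():
    log = make_sample_log()
    index = CertIndex(log, batch=2)
    first_lag = index.sync()
    # A new entry lands in the log after the first pass; measure lag, then catch up.
    log.append({"names": ["api.example.org"], "not_after": "2020-07-12", "issuer": "Issuer C"})
    lag_before = index.lag()
    index.sync()
    return {
        "first_lag": first_lag,
        "lag_before_resync": lag_before,
        "cursor": index.cursor,
        "wildcard_hits": [r["index"] for r in index.lookup("a.example.org")],
        "expiring": index.expiring_within(_ts("2020-07-10"), 14),
    }


if __name__ == "__main__":
    print(demo())
```

The `lag()` value is the figure a "within 30 seconds of the log" target is really about: a follower that polls `get-sth`, catches up in bounded batches and tolerates short batches keeps it near zero, and `expiring_within` only flags a name when its most recent certificate is the one about to lapse, so a renewal that has already been logged silences the alert. A real follower would additionally parse the DER leaf, treat precertificate entries separately and persist the cursor across restarts.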
An easy-to-use, “set up and forget” service is what many of us need to stay on top of the certificates that expire every day and can take our web services offline before we notice.