The machines running the PKI Hub must meet the following requirements.

Memory requirements

Each node needs at least 16 GB of RAM 

CPU requirements

Each node needs at least 8 CPU cores

Main disk requirements

You need a main disk with the following requirements.

Setting

Required value

Size

1 TiB or more

Storage type

SSD (Solid-state Drive) 

Additional disk requirements

The etcd daemon requires a dedicated disk with the following requirements.

Setting

Required value

Size

15 GiB or more

Storage type

SSD (Solid-state Drive) 

​fsync latency

As explained https://etcd.io/docs/v3.4/metrics/#disk, the p99 percentile of the wal_fsync_duration_seconds duration should be less than 10ms to confirm the disk is reasonably fast for production workloads.​

IOPS (input/output operations per second)

50 or more sequential write operations per second.

Specifically, to ensure optimal fsync latency, we recommend either: 

  • Allocate dedicated IOPS 
  • Use storage QoS 

Do not:

  • Overcommit storage on the hypervisor.
  • Use storage features that introduce unpredictable delays, such as deduplication or tiered storage.
  • Use virtual machine snapshots or disk-level backups, as these mechanisms rely on copy-on-write techniques, which can lead to additional latency and result in an inconsistent state. 

    Use the built-in PKI Hub backup feature instead of disk-level snapshots.

  • Run real-time antivirus or file scans on data directory, as these processes may lock files or slow down I/O operations, causing latency spikes.
  • Move a PKI Hub node to a different host (for example, using vMotion or live migration), as this can introduce I/O latency or disrupt clock consistency. If you need to move PKI Hub nodes, migrate one node at a time and wait for it to be fully available on the new host before migrating the next one.
  • If you are using VMWare, ensure that all of your PKI Hub deployments have VM-to-Host affinity enabled. This allows you to avoid Admin Key Recovery due to host migration. We recommend that you select 'Should run on hosts in group' for the rule specification. The group should contain only the one ESXi host that you are using for this PKI Hub VM.