Leviathan Certificate Authority - Deployment Resource Reference
Leviathan Certificate Authority (CA) is Cogito Group’s high-performance, enterprise-grade PKI solution designed to provide organisations with complete control over their digital trust infrastructure. Built with scalability at its core, Leviathan adapts to environments of any size, from self-contained deployments to complex, multi-region clustered architectures.

Figure 1 – Leviathan Installation
System Architecture
Deployment Models
Model | Host | Use case |
Standalone | Docker / Linux / Windows | Offline Root CA |
Integrated | Self-managed / Cloud | Online CA with RA & CLM |
Enterprise | Swarm / Kubernetes | Highly Available PKI |
Leviathan supports flexible deployment options to meet varying security and scalability needs. The Standalone model suits offline Root CAs for maximum isolation, while the Integrated model enables online issuance with full RA and CLM integration. For enterprise-scale environments, the Enterprise model provides high availability and resilience through orchestration.
Core Components
Component | Provider | Notes |
CA | Leviathan | The core application |
CLM | Jellyfish Services | Optional integration for full CLM |
Database | PostgreSQL, SQLite or MySQL | With HA support |
HSM | Entrust nCipher, Thales Luna, Utimaco CSe/Se, SoftHSM | PKCS11/Cryptoki support |
Leviathan’s architecture is built around modular, interoperable components. The CA forms the core application, while Jellyfish Services can be optionally integrated for full certificate lifecycle management. Database support includes PostgreSQL, MySQL, and SQLite, compatible with high-availability and clustered configurations. For secure key storage and signing, Leviathan integrates with HSMs such as Entrust nCipher, Thales Luna, Utimaco CSe/Se and SoftHSM via PKCS#11/Cryptoki standards.
Database Providers
Provider | Performance | Scalability | Setup Simplicity |
PostgreSQL | ★ ★ ★ ★ ★ | ★ ★ ★ ★ ☆ | ★ ★ ☆ ☆ ☆ |
MySQL / MariaDB | ★ ★ ★ ☆ ☆ | ★ ★ ★ ★ ★ | ★ ★ ★ ☆ ☆ |
SQLite | ★ ★ ☆ ☆ ☆ | ★ ☆ ☆ ☆ ☆ | ★ ★ ★ ★ ★ |
- PostgreSQL HA – Active/Standby with Read splitting support, recommended for most environments
- MySQL / Galera Cluster – Active/Active with Read/Write splitting support, for Leviathan only
- SQLite File – Active only, for Leviathan only, recommended only for offline CAs with small footprints
Leviathan supports multiple database providers, allowing deployments to balance performance, scalability, and simplicity. PostgreSQL offers the highest performance and reliability, ideal for most environments. MySQL/MariaDB provides scalability through Galera clustering and supports active/active configurations, though it lags PostgreSQL in performance. SQLite, while limited to single-node operation, offers the simplest setup for lightweight or standalone deployments.
HSM Providers
Provider | Performance | Security | Setup Simplicity |
Entrust nCipher nFast | ★ ★ ★ ★ ★ | ★ ★ ★ ★ ★ | ★ ★ ★ ☆ ☆ |
Thales Luna HSM | ★ ★ ★ ★ ★ | ★ ★ ★ ★ ★ | ★ ★ ★ ☆ ☆ |
Utimaco CSe/Se | ★ ★ ★ ★ ★ | ★ ★ ★ ★ ★ | ★ ★ ★ ☆ ☆ |
SoftHSM | ★ ☆ ☆ ☆ ☆ | ★ ★ ☆ ☆ ☆ | ★ ★ ★ ★ ☆ |
SoftKeys | ★ ★ ☆ ☆ ☆ | ★ ☆ ☆ ☆ ☆ | ★ ★ ★ ★ ★ |
- Hardware key security – PKCS11/Cryptoki enables access to most HSM providers
- Software key security – SoftHSM, SoftKeys or PKCS12 support.
Leviathan integrates with HSM providers that support PKCS#11/Cryptoki standards. We recommend Entrust nCipher, Thales Luna or Utimaco CSe for top-tier performance and hardware-grade key protection for enterprise deployments. For development or lower-security environments, SoftHSM and SoftKeys offer flexible, software-based alternatives for simplified setup.
System Resource Requirements
Leviathan Certificate Authority
Resource | Minimum | Recommended | Notes |
CPU | 2 cores | 6 cores | Per host |
Memory | 250 MB base | 1 GB base | Active certificates |
| 500 MB / 1 million certs | 1 GB / 1 million certs | |
Disk (App) | ≤ 100MB base | Image / Executable | |
Network | 100Mbit | ≥ 1Gbit | Database and HSM connectivity |
Leviathan is lightweight and highly scalable, designed to operate efficiently from minimal to enterprise-grade environments. Its resource footprint adjusts dynamically with certificate volume, ensuring consistent performance across varied workloads. Strong network connectivity further enhances reliability and responsiveness during high-volume issuance and HSM operations.
Database Provider: PostgreSQL
Resource | Minimum | Recommended | Notes |
CPU | 2 cores | 8 cores | Per host |
Memory | 2 GB | 12 GB | Affects CRL speed |
Disk (App) | 512MB base | 10GB base | |
Disk (Database) | ≤ 8 GB / 1 million certs | Active and inactive certificates | |
Network | 100Mbit | ≥ 1Gbit | Leviathan connectivity and replication |
PostgreSQL is the recommended database provider for Leviathan, offering exceptional stability and performance. Its architecture supports efficient handling of large certificate volumes and allows for rapid CRL production, making it ideal for most deployments. PostgreSQL has native high availability, ensuring certificate replication to all standby nodes.
Database Provider: MySQL / MariaDB
Resource | Minimum | Recommended | Notes |
CPU | 2 cores | 8 cores | Per host |
Memory | 1 GB | 10 GB | Affects CRL speed |
Disk (App) | 512MB base | 10GB base | |
Disk (Database) | ≤ 6 GB / 1 million certs | Active and inactive certificates | |
Network | 100Mbit | ≥ 1Gbit | Leviathan connectivity and replication |
The MySQL and MariaDB Galera database option for Leviathan is ideal for deployments spanning multiple regions with high network latency. Its active/active bi-directional write capability allows Leviathan to perform write operations against the nearest database node, improving responsiveness and reducing delay. Designed for asynchronous operation, Leviathan seamlessly handles delayed certificate replication without impacting ongoing issuance or revocation processes. Its support is limited to the Leviathan platform. If you are looking for support of the wider Jellyfish platform, then PostgreSQL is still the best choice.
Database Provider: SQLite
Resource | Minimum | Recommended | Notes |
Disk (Database) | ≤ 4 GB / 1 million certs | Active and inactive certificates | |
SQLite is a lightweight, built-in database option within Leviathan, requiring no external software or configuration. It offers a simple and self-contained solution ideal for small-scale or standalone deployments, maintaining reliable performance for moderate certificate volumes with minimal setup overhead.
Performance Baseline and Scaling
Leviathan Certificate Authority
Metric | Result | Guidance |
Throughput | Up to 3,200 certificates/min | Add additional CA or HSM to scale beyond |
Reliability | 0 % failures up to 200 parallel requests | Rate-limit beyond 200 concurrent requests |
Latency | | ≤ 200 concurrent requests for 5 s maximum SLA |
Cryptography | RSA-4096 & ECC-P-384 supported; ECC ≈ 7 % faster | Algorithm has minimal effect on throughput |
Authentication | Persistent Sessions ≈ API ≈ mTLS | Security model has no effect on performance |
(Derived from Leviathan CA Test Report v1.4 – May 2025)
Production Configurations
System Recommendation
Environment | App | Clients | vCPU | Memory | Storage | Throughput |
Pilot / Lab | CA + DB | ≤ 50 req/s | 2 vCPU | 2 GB | 50 GB | ≤ 1,000 certs/min |
Enterprise | CA × 2 | ≤ 200 req/s | 6 vCPU | 8 GB | 100 GB | ≤ 3,200 certs/min |
| DB × 2 | | 8 vCPU | 12 GB | | |
Clustered | CA × 4 | ≥ 200 req/s | 6 vCPU | 8 GB | 250 GB+ | > 3,200 certs/min |
| DB × 4 | | 8 vCPU | 12 GB | | |
Operational Recommendation
- Network: Low-latency connectivity between CA, HSM and DB not exceeding 250 ms.
- Time Sync: all nodes must use NTP with ≤ 100 ms drift.
- Security Controls: Mutual TLS, N-of-M Custodian access, and restricted OS accounts.
- Operating Systems: RHEL 8+/Ubuntu 22.04+/Windows Server 2022+.
- Compliance: FIPS 140-3 HSM modules with Post-Quantum algorithms.
Conclusion
Leviathan Certificate Authority delivers exceptional flexibility, allowing organisations to deploy and scale their PKI infrastructure to match their requirements. Whether running as a standalone authority, integrated with Jellyfish, or across multi-region clusters, Leviathan adapts seamlessly to on-premises, cloud, or hybrid environments. It hosts a modular architecture with support for multiple HSM types while maintaining compatibility with classical and post-quantum algorithms. This flexibility empowers organisations to maintain full control over their trust architecture using a PKI solution that scales horizontally.