Overview of CA pools

A certificate authority (CA) pool is a collection of multiple CAs with a common certificate issuance policy and Identity and Access Management (IAM) policy. CA pools provide the ability to rotate trust chains without any outage or downtime for their payloads.

A CA pool is empty when you create it. For information about adding a CA to a CA pool, see Create a root CA.

The CA pool maintains a list of trusted CA certificates. You must install these trusted CA certificates with the certificate requester.

Properties of CAs in a CA pool

The following table lists the features that must be same, can be different, and must be different for all CAs in a CA pool.

Must be same for all CAs in a CA pool Can be different for all CAs in a CA pool Must be different for all CAs in a CA pool
  • Certificate issuance policies
  • IAM conditions
  • Tier
  • Location
  • Publishing options. For example, whether to publish a CRL.
  • Algorithms and sizes of signing keys
  • CA subjects and SANs
  • Expiration date and validity period
  • Labels
  • Customer-managed Cloud Storage bucket used for CRL and AIA.
  • Customer-managed CA keys
  • CA certificate extensions
  • CA name

Achieve higher QPS

Certificate Authority Service enforces limits on the number of requests you can send. For example, the usage limit for the createCertificate request for a DevOps CA is 25 QPS.

To increase your total effective QPS, you must have multiple CAs in a CA pool. A CA pool increases the total effective QPS by distributing the incoming certificate requests across all CAs in the ENABLED state. However, you can still request certificates from a particular CA in the CA pool.

You can use the following formula to calculate the maximum allowed QPS for a CA pool:

Total effective QPS = min(100, number of CAs in the CA pool x QPS per CA)

For example, if the effective QPS for a CA is 25 QPS and if you create 4 CAs in a CA pool, then the total effective QPS of the CA pool is 100 QPS.

For more information about achieving a higher total effective QPS, see Increase certificate creation throughput using a CA pool.

Manage CA rotation

A CA pool can have CAs that are in different states. A CA pool load-balances certificate issuance for workloads across the enabled CAs in a CA pool.

The CA pool abstracts the specific CAs within it that issue certificates. When a CA expires, the total effective QPS of the CA pool gets reduced. For example, if a CA pool has 4 enabled CAs, the total effective QPS for that CA pool is 100 QPS. But if one CA in the CA pool expires, the total effective QPS gets reduced to 75 QPS. To ensure that the total effective QPS of the CA pool remains unaffected when a CA expires, you must create a new CA before the existing CA expires.

For more information, see Rotate CAs in a CA pool.

For information about requesting an increase in quota, see Requesting a higher quota limit.

What's next