Achieving a higher QPS using a CA pool

This document illustrates how you can achieve a higher effective QPS using a certificate authority (CA) pool. For information about CA pools, see CA pools.

Before you begin

Set up a CA pool in your required location. To create a CA pool, follow the instructions in the quickstart guide. For the complete list of locations, see Locations.

We recommend that you create the CA pool in the DevOps tier. The maximum achievable effective QPS for a CA pool is 100 QPS. The maximum QPS for each individual CA within the pool is 25 QPS (in the DevOps tier) or 7 QPS (in the Enterprise tier). If you create the CA pool in the DevOps tier, you have to create 4 CAs within the CA pool to reach a total effective QPS of 100 QPS. For more information about quotas, see Quotas and limits.

Procedure

  1. Create enough CAs within your CA pool to achieve the required QPS. The required number of CAs is 4 for CA pools in the DevOps tier, and 15 for CA pools in the Enterprise tier. The following set of instructions is for a CA pool in the DevOps tier:

    1. To create a root CA with the name root-1 in your CA pool, use the following gcloud command.

       gcloud privateca roots create root-1 --pool POOL_NAME --subject="CN=root-1,O=google"
      

      The total effective QPS of the CA pool at this stage is 25 QPS. To increase the total effective QPS of the CA pool to 100 QPS, you must create 3 more CAs in your CA pool.

    2. To create a root CA with the name root-2, use the following gcloud command.

        gcloud privateca roots create root-2 --pool POOL_NAME --subject="CN=root-2,O=google"
      
    3. To create a root CA with the name root-3, use the following gcloud command.

        gcloud privateca roots create root-3 --pool POOL_NAME --subject="CN=root-3,O=google"
      
    4. To create a root CA with the name root-4, use the following gcloud command.

        gcloud privateca roots create root-4 --pool POOL_NAME --subject="CN=root-4,O=google"
      

      At this stage, the total effective QPS of your CA pool is 100 QPS.

  2. While CAs are in the STAGED state, create and test certificates. Once that is done, enable the CAs. For information on enabling CAs, see Enabling a CA. For information on testing CAs, see Test a CA.

  3. Verify the health of your CA pool by getting audit reports on load-balancing across CAs. Ideally, there should be uniformity in the number of certificates issued by each CA.

    You can use Cloud Monitoring to monitor your CA pool's load-balancing metrics, such as the number of certificates issued per CA in a given time period. For more information on using Cloud Monitoring, see Using Cloud Monitoring with CA Service.
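
One way to run the uniformity check from step 3, as an added example that is not part of the original document: the hypothetical `check_pool_balance` function reads per-CA issuance counts and flags CAs that are idle, skewed, or not expected in the pool. The CA names root-1 to root-4 come from the procedure above; the counts, the input format and the 5-point tolerance are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Google's code. Input on stdin, one line per CA:
#   <ca-name> <certificates-issued-in-period>
# Usage: check_pool_balance TOLERANCE_POINTS CA_NAME...
# Returns 0 if every expected CA is within TOLERANCE_POINTS of an even share.
check_pool_balance() {
  local tolerance="$1"; shift
  awk -v tol="$tolerance" -v expected="$*" '
    BEGIN { n = split(expected, names, " ")
            for (i = 1; i <= n; i++) want[names[i]] = 1 }
    NF == 2 { count[$1] += $2; total += $2 }
    END {
      if (n == 0 || total == 0) { print "NO_DATA"; exit 2 }
      even = 100 / n                 # ideal share per CA, in percent
      bad = 0
      for (i = 1; i <= n; i++) {
        ca = names[i]
        share = 100 * count[ca] / total
        dev = share - even; if (dev < 0) dev = -dev
        status = "OK"
        if (count[ca] == 0) status = "IDLE"        # issued nothing at all
        else if (dev > tol) status = "SKEWED"      # too far from even share
        if (status != "OK") bad = 1
        printf "%s %d %.1f%% %s\n", ca, count[ca], share, status
      }
      # Issuance by a CA that is not on the expected list is also a finding.
      for (ca in count) if (!(ca in want)) {
        printf "%s %d - UNEXPECTED\n", ca, count[ca]; bad = 1
      }
      exit bad
    }'
}

# Constructed sample counts (not real data).
sample_balanced() { printf '%s\n' 'root-1 2510' 'root-2 2480' 'root-3 2530' 'root-4 2480'; }
sample_skewed()   { printf '%s\n' 'root-1 3400' 'root-2 3300' 'root-3 3300' 'root-4 0'; }

sample_skewed | check_pool_balance 5 root-1 root-2 root-3 root-4 || echo "pool needs attention"
```

An IDLE result for one CA (for example, one that was never enabled) also means the remaining CAs carry the whole load, so the pool cannot reach its intended effective QPS.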

What's next