Workload-optimized tiers
Certificate Authority Service offers two workload-optimized operation tiers for certificate authority (CA) pools.
- DevOps: Focused on high volume, short-lived certificate issuance which is found in microservice-based applications.
- Enterprise: Focused on lower volume, long-lived certificate issuance which is normally found in devices and user identity, where lifecycle management is important.
Both tiers can be used with any kind of application and both tiers support all user-specified certificate timelines. Microservice-based applications might benefit from the higher QPS quota for DevOps CA pools, which can support environments with higher rates of workload startup and allow certificates to be rotated more frequently. DevOps tier might also be more suited for shorter-lived certificates because it lacks certificate lifecycle management.
For information on how to get a rough estimate of certificate-creation QPS, see Understanding certificate creation throughput.
Some differences between the DevOps and the Enterprise tier are mentioned in the following table:
| DevOps tier | Enterprise tier | |
|---|---|---|
| HSM support for CA key | Yes | Yes |
| Customer-managed CA key, supported through Cloud KMS | No | Yes |
| Support for listing, describing, and revoking certificates | No | Yes |
| QPS quota for CAs* | 25 | 7 |
* QPS quota refers to the maximum number of certificates that can be issued per second by a given CA. A CA pool can reach a higher total effective QPS with multiple CAs. For more information, see Achieving a higher QPS using a CA pool.
What's next
- Learn about CA pools.
- Learn how to create CA pools.
- Learn about quotas and limits.