Certificate Authority Service offers two workload-optimized operation tiers for Certificate Authorities (CAs).
- DevOps: Targeted at high volume, short lived certificate issuance, that is usually found in microservice based applications.
- Enterprise: Targeted at lower volume, long lived certificate issuance normally found in devices and user identity, where tracking is important.
Both tiers can be used with any kind of application and both tiers support all user-specified certificate timelines. Microservice based applications might benefit from the higher QPS quota for DevOps CAs, which can support environments with higher rates of workload startup and allow certificates to be rotated more frequently. DevOps tier might also be more suited for shorter-lived certificates since it lacks certificate lifecycle management.
Some of the differences between DevOps tier and Enterprise tier are mentioned in the table given below.
| DevOps tier | Enterprise tier | |
|---|---|---|
| HSM support for CA key | Yes | Yes |
| Customer managed CA key, supported via Cloud KMS | No | Yes |
| Support for listing, describing, and revoking certificates | No | Yes |
| Maximum QPS* | 25 | 7 |
* Maximum QPS refers to the maximum number of certificates that can be issued per second by a given CA.
Choosing a tier
When creating a new CA, you can specify the tier that best matches how you'll be using CA service.
gcloud
gcloud beta privateca roots create ca-id \
--subject "CN=Root CA 1, O=Joonix LLC" \
--tier devops
- The
--tierflag may be set toenterpriseordevops. - The
--tierflag is optional. If omitted, the new CA defaults to theenterprisetier. - The
--tierflag is identical for root or subordinate CA creation.
Full documentation for the --tier flag can be found under the Cloud SDK
reference for roots create
and
subordinates create.
Console
In the Google Cloud Console, go to the Certificate Authority Service page.
Click the Create CA button
Under Select CA type:
Choose one of the options under Tier.