Select the operation tiers

Certificate Authority Service offers two workload-optimized operation tiers for certificate authority (CA) pools.

  • DevOps: Focused on high volume, short-lived certificate issuance which is found in microservice-based applications.
  • Enterprise: Focused on lower volume, long-lived certificate issuance which is normally found in devices and user identity, where lifecycle management is important.

Both tiers can be used with any kind of application and both tiers support all user-specified certificate timelines. Microservice-based applications might benefit from the higher certificate creation throughput for DevOps CA pools, which can support environments with higher rates of workload startup and allow certificates to be rotated more frequently. DevOps tier might also be more suited for shorter-lived certificates because it lacks certificate lifecycle management.

For information on how to get a rough estimate of the certificate creation throughput, see Increase certificate creation throughput using CA pools.

Some differences between the DevOps and the Enterprise tier are mentioned in the following table:

DevOps tier Enterprise tier
HSM support for CA key Yes Yes
Customer-managed CA key, supported through Cloud KMS No Yes
Support for listing, describing, and revoking certificates No Yes
QPS quota for CAs* 25 7

* QPS quota refers to the maximum number of certificates that can be issued per second by a given CA. A CA pool can reach a higher total effective QPS with multiple CAs.

What's next