Workload-optimized tiers

Certificate Authority Service offers two workload-optimized operation tiers for Certificate Authorities (CAs).

  • DevOps: Focused at high volume, short-lived certificate issuance, that is found in microservice-based applications.
  • Enterprise: Focused at lower volume, long-lived certificate issuance that is normally found in devices and user identity, where tracking is important.

Both tiers can be used with any kind of application and both tiers support all user-specified certificate timelines. Microservice-based applications might benefit from the higher QPS quota for DevOps CAs, which can support environments with higher rates of workload startup and allow certificates to be rotated more frequently. DevOps tier might also be more suited for shorter-lived certificates because it lacks certificate lifecycle management.

Some of the differences between DevOps tier and Enterprise tier are mentioned in the table given below.

DevOps tier Enterprise tier
HSM support for CA key Yes Yes
Customer-managed CA key, supported through Cloud KMS No Yes
Support for listing, describing, and revoking certificates No Yes
QPS quota* 25 7

* QPS quota refers to the maximum number of certificates that can be issued per second by a given CA.

Choosing a tier

When creating a new CA, you can specify the tier that best matches how you are using CA Service.

gcloud

gcloud beta privateca roots create ca-id \
    --subject "CN=Root CA 1, O=Joonix LLC" \
    --tier devops
  • The --tier flag may be set to enterprise or devops.
  • The --tier flag is optional. If omitted, the new CA defaults to the enterprise tier.
  • The --tier flag is identical for root or subordinate CA creation.

Full documentation for the --tier flag can be found under the Cloud SDK reference for roots create and subordinates create.

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Click Create CA.

  3. Under Select CA type, choose one of the options under Tier.

What's next