Workload-optimized tiers

Certificate Authority Service offers two workload-optimized operation tiers for certificate authority (CA) pools.

  • DevOps: Focused on high volume, short-lived certificate issuance which is found in microservice-based applications.
  • Enterprise: Focused on lower volume, long-lived certificate issuance which is normally found in devices and user identity, where lifecycle management is important.

Both tiers can be used with any kind of application and both tiers support all user-specified certificate timelines. Microservice-based applications might benefit from the higher QPS quota for DevOps CA pools, which can support environments with higher rates of workload startup and allow certificates to be rotated more frequently. DevOps tier might also be more suited for shorter-lived certificates because it lacks certificate lifecycle management.

Some differences between the DevOps and the Enterprise tier are mentioned in the following table:

DevOps tier Enterprise tier
HSM support for CA key Yes Yes
Customer-managed CA key, supported through Cloud KMS No Yes
Support for listing, describing, and revoking certificates No Yes
QPS quota for CAs* 25 7

* QPS quota refers to the maximum number of certificates that can be issued per second by a given CA. A CA pool can reach a higher total effective QPS with multiple CAs. For more information about achieving a higher QPS using a CA pool, see Achieving a higher QPS using a CA pool.

Choosing a tier

When creating a new CA pool, you can specify the tier that best matches how you are using CA Service.


gcloud privateca pools create POOL_ID \
    --tier TIER

Replace the following:

  • POOL_ID: the unique identifier of the CA pool.
  • TIER: the tier for the CA pool. Replace this variable with enterprise or devops.

The --tier flag is optional. If this flag is omitted, the new CA pool defaults to the Enterprise tier.

For more information about the gcloud privateca pools create command, see gcloud privateca pools create.


  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Click Create CA.

  3. Under Select CA type, choose one of the options under Tier.

What's next