Certificate Authority Service offers two workload-optimized operation tiers for Certificate Authorities (CAs).
- DevOps: Focused at high volume, short-lived certificate issuance, that is found in microservice-based applications.
- Enterprise: Focused at lower volume, long-lived certificate issuance that is normally found in devices and user identity, where tracking is important.
Both tiers can be used with any kind of application and both tiers support all user-specified certificate timelines. Microservice-based applications might benefit from the higher QPS quota for DevOps CAs, which can support environments with higher rates of workload startup and allow certificates to be rotated more frequently. DevOps tier might also be more suited for shorter-lived certificates because it lacks certificate lifecycle management.
Some of the differences between DevOps tier and Enterprise tier are mentioned in the table given below.
| DevOps tier | Enterprise tier | |
|---|---|---|
| HSM support for CA key | Yes | Yes |
| Customer-managed CA key, supported through Cloud KMS | No | Yes |
| Support for listing, describing, and revoking certificates | No | Yes |
| QPS quota* | 25 | 7 |
* QPS quota refers to the maximum number of certificates that can be issued per second by a given CA.
Choosing a tier
When creating a new CA, you can specify the tier that best matches how you are using CA Service.
gcloud
gcloud beta privateca roots create ca-id \
--subject "CN=Root CA 1, O=Joonix LLC" \
--tier devops
- The
--tierflag may be set toenterpriseordevops. - The
--tierflag is optional. If omitted, the new CA defaults to theenterprisetier. - The
--tierflag is identical for root or subordinate CA creation.
Full documentation for the --tier flag can be found under the Cloud SDK
reference for roots create
and
subordinates create.
Console
In the Google Cloud Console, go to the Certificate Authority Service page.
Click Create CA.
Under Select CA type, choose one of the options under Tier.