Workload-optimized tiers

Certificate Authority Service offers two workload-optimized operation tiers for Certificate Authorities (CAs).

  • DevOps: Targeted at high-volume, short-lived certificate issuance, as is typical in microservice-based applications.
  • Enterprise: Targeted at lower-volume, long-lived certificate issuance, as is typical for device and user identity, where tracking each certificate is important.

Both tiers can be used with any kind of application, and both tiers support all user-specified certificate lifetimes. Microservice-based applications might benefit from the higher QPS quota of DevOps CAs, which can support environments with higher rates of workload startup and allow certificates to be rotated more frequently. The DevOps tier might also be better suited to shorter-lived certificates, since it lacks certificate lifecycle management (listing, describing, and revoking certificates).

Some of the differences between the DevOps and Enterprise tiers are listed in the table below.

Feature                                                     DevOps tier   Enterprise tier
HSM support for CA key                                      Yes           Yes
Customer-managed CA key, supported via Cloud KMS            No            Yes
Support for listing, describing, and revoking certificates  No            Yes
Maximum QPS*                                                25            7

* Maximum QPS refers to the maximum number of certificates that can be issued per second by a given CA.

Choosing a tier

When creating a new CA, you can specify the tier that best matches how you'll be using CA Service.

gcloud

gcloud beta privateca roots create ca-id \
    --subject "CN=Root CA 1, O=Joonix LLC" \
    --tier devops

  • The --tier flag may be set to enterprise or devops.
  • The --tier flag is optional. If omitted, the new CA defaults to the enterprise tier.
  • The --tier flag is identical for root or subordinate CA creation.

Full documentation for the --tier flag can be found under the Cloud SDK reference for roots create and subordinates create.
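The following shell script is an added example, not part of the CA Service documentation or the gcloud SDK. It encodes the tier differences from the table above (revocation support, Cloud KMS keys, maximum QPS) into a small selection helper and then prints the matching roots create or subordinates create command line, without contacting Google Cloud. The CA id, subject and issuance rate are constructed values; subordinate CA creation needs further flags that are not shown here.

```shell
#!/bin/sh
# Added example: choose a CA Service tier from workload requirements and
# build the corresponding gcloud command. Nothing is executed against GCP.

# Tier limits as stated in the comparison table (certificates per second).
DEVOPS_MAX_QPS=25
ENTERPRISE_MAX_QPS=7

# choose_tier NEEDED_QPS NEEDS_REVOCATION(yes|no) NEEDS_CLOUD_KMS_KEY(yes|no)
# Prints "enterprise", "devops", or "none" when no tier satisfies all needs.
choose_tier() {
    qps=$1; revoke=$2; kms=$3
    if [ "$revoke" = yes ] || [ "$kms" = yes ]; then
        # Only the Enterprise tier offers lifecycle management and Cloud KMS keys.
        if [ "$qps" -le "$ENTERPRISE_MAX_QPS" ]; then echo enterprise; else echo none; fi
    elif [ "$qps" -gt "$ENTERPRISE_MAX_QPS" ]; then
        # Above 7 QPS only the DevOps tier keeps up, and it caps at 25 QPS per CA.
        if [ "$qps" -le "$DEVOPS_MAX_QPS" ]; then echo devops; else echo none; fi
    else
        # Either tier fits; enterprise is the gcloud default and keeps revocation.
        echo enterprise
    fi
}

# build_create_cmd KIND(roots|subordinates) CA_ID SUBJECT TIER
# Prints the command line in the form shown on the page; rejects unknown tiers.
build_create_cmd() {
    kind=$1; ca_id=$2; subject=$3; tier=$4
    case "$tier" in
        enterprise|devops) ;;
        *) echo "invalid tier: $tier" >&2; return 1 ;;
    esac
    printf 'gcloud beta privateca %s create %s --subject "%s" --tier %s\n' \
        "$kind" "$ca_id" "$subject" "$tier"
}

# Constructed scenario: a service mesh issuing about 20 short-lived certs/s,
# with no need to revoke individual certificates and no Cloud KMS key.
tier=$(choose_tier 20 no no)
build_create_cmd roots mesh-root-ca "CN=Mesh Root CA, O=Example Org" "$tier"
```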

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

  2. Click the Create CA button.

  3. Under Select CA type:

  4. Choose one of the options under Tier.
