Certificate Authority Service offers two workload-optimized operation tiers for certificate authority (CA) pools.
- DevOps: Focused on high-volume, short-lived certificate issuance, which is typical of microservice-based applications.
- Enterprise: Focused on lower-volume, long-lived certificate issuance, which is typical of device and user identity, where lifecycle management is important.
Both tiers can be used with any kind of application, and both tiers support all user-specified certificate lifetimes. Microservice-based applications might benefit from the higher QPS quota for DevOps CA pools, which can support environments with higher rates of workload startup and allow certificates to be rotated more frequently. The DevOps tier might also be better suited to shorter-lived certificates because it lacks certificate lifecycle management, including the ability to revoke an issued certificate (see the following table).
Some differences between the DevOps and the Enterprise tier are mentioned in the following table:
| Feature | DevOps tier | Enterprise tier |
|---|---|---|
| HSM support for CA key | Yes | Yes |
| Customer-managed CA key, supported through Cloud KMS | No | Yes |
| Support for listing, describing, and revoking certificates | No | Yes |
| QPS quota for CAs* | 25 | 7 |
* QPS quota refers to the maximum number of certificates that can be issued per second by a given CA. A CA pool can reach a higher total effective QPS with multiple CAs. For more information about achieving a higher QPS using a CA pool, see Achieving a higher QPS using a CA pool.
Choosing a tier
When creating a new CA pool, you can specify the tier that best matches how you are using CA Service.
gcloud privateca pools create POOL_ID \
    --tier TIER
Replace the following:
- POOL_ID: the unique identifier of the CA pool.
- TIER: the tier for the CA pool. Replace this variable with
--tier flag is optional. If this flag is omitted, the new CA pool defaults to the
For more information about the gcloud privateca pools create command, see gcloud privateca pools create.
In the Google Cloud Console, go to the Certificate Authority Service page.
Click Create CA.
Under Select CA type, choose one of the options under Tier.