Quotas and limits

This page lists the quotas and limits that apply to Certificate Authority Service.

Resource limits

CA Service enforces the following usage limits:

Resource Unit Value
Pending CAs1 per Location per Project 100
CAs per Location per Project 1000
Unexpired revoked certificates2 per CA or certificate revocation list (CRL) 500,000

1A pending certificate authority (CA) is a subordinate CA that has been created but not yet activated, and is thus in the AWAITING_USER_ACTIVATION state.

2A CRL can contain at most 500,000 unexpired revoked certificates. If you attempt to revoke more than this limit, the revocation request fails. If you need to revoke more than 500,000 certificates, we recommend that you wait until the existing revoked certificates have expired or revoke the issuing CA certificate.

Request quotas

The following request quotas apply to CA Service requests:

Request Unit Maximum requests
CreateCertificate per Certificate Authority (Enterprise tier) 7 per second*
CreateCertificate per Certificate Authority (DevOps tier) 25 per second*
CreateCertificate per Location per Project 100 per second*
ListCertificates per Location per Project 10 per second*
CreateCertificateAuthority per Location per Project 5 per minute*
All other mutation requests per Location per Project 40 per second*
All requests per Location per Project 400 per second*

* Even if you have available quota, other factors can result in reduced throughput.

Quota increases

You can use the Google Cloud console to request a quota increase. You can request a quota increase for certificate issuance, titled "CreateCertificate requests per project per minute per region".

For more information, see Requesting higher quota.