Quotas and limits
This page lists the quotas and limits that apply to Certificate Authority Service.
Resource limits
CA Service enforces the following usage limits:
| Resource | Unit | Value |
|---|---|---|
| Pending CAs1 | per Location per Project | 100 |
| CAs | per Location per Project | 1000 |
| Unexpired revoked certificates2 | per CA or certificate revocation list (CRL) | 500,000 |
1A pending certificate authority (CA) is a subordinate CA that has been
created but not yet activated, and is thus in the AWAITING_USER_ACTIVATION state.
2A CRL can contain at most 500,000 unexpired revoked certificates. If you attempt to revoke more than this limit, the revocation request fails. If you need to revoke more than 500,000 certificates, we recommend that you wait until the existing revoked certificates have expired or revoke the issuing CA certificate.
Request quotas
The following request quotas apply to CA Service requests:
| Request | Unit | Maximum requests |
|---|---|---|
| CreateCertificate | per Certificate Authority (Enterprise tier) | 7 per second* |
| CreateCertificate | per Certificate Authority (DevOps tier) | 25 per second* |
| CreateCertificate | per Location per Project | 100 per second* |
| ListCertificates | per Location per Project | 10 per second* |
| CreateCertificateAuthority | per Location per Project | 5 per minute* |
| All other mutation requests | per Location per Project | 40 per second* |
| All requests | per Location per Project | 400 per second* |
* Even if you have available quota, other factors can result in reduced throughput.
Quota increases
You can use the Google Cloud console to request a quota increase. You can request a quota increase for certificate issuance, titled "CreateCertificate requests per project per minute per region".
For more information, see Requesting higher quota.