This document lists the quotas and limits that apply to Certificate Manager.
A quota restricts how much of a shared Google Cloud resource your Google Cloud project can use, including hardware, software, and network components. Therefore, quotas are a part of a system that does the following:
- Monitors your use or consumption of Google Cloud products and services.
- Restricts your consumption of those resources, for reasons that include ensuring fairness and reducing spikes in usage.
- Maintains configurations that automatically enforce prescribed restrictions.
- Provides a means to request or make changes to the quota.
In most cases, when a quota is exceeded, the system immediately blocks access to the relevant Google resource, and the task that you're trying to perform fails. In most cases, quotas apply to each Google Cloud project and are shared across all applications and IP addresses that use that Google Cloud project.
There are also limits on Certificate Manager resources. These limits are unrelated to the quota system. Limits cannot be changed unless otherwise stated.
Your use of Certificate Manager is governed by the following types of quotas:
Rate quotas determine how quickly you can call the Certificate Manager API as well as create and access Certificate Manager resources.
Resource quotas determine the total amount of Certificate Manager resources you can create within your Google Cloud project.
For more information about working with quotas, including steps for increasing them, and for setting up monitoring and alerting on quota metrics, see Working with quotas.
Rate quotas
The following table lists the rate quotas for Certificate Manager.
| Quota | Default limit | Description |
|---|---|---|
| API requests | 300 per minute | All calls to the Certificate Manager API |
| Read requests | 300 per minute | GET and LIST calls to the Certificate Manager API |
| Write requests | 300 per minute | CREATE, PATCH, and DELETE calls to the Certificate Manager API |
Resource quotas
The following table lists the resource quotas for Certificate Manager.
| Quota | Default limit | Description |
|---|---|---|
| Google-managed certificates | 100 | Total number of Google-managed certificates within the Google Cloud project |
| Regional Google-managed certificates | 30 | Total number of regional Google-managed certificates per region within the Google Cloud project |
| Self-managed certificates | 100 | Total number of self-managed certificates within the Google Cloud project |
| Regional self-managed certificates | 5 | Total number of regional self-managed certificates per region within the Google Cloud project |
| Certificate maps | 100 | Total number of certificate maps within the Google Cloud project |
| Certificate map entries | 1000 | Total number of certificate map entries within the Google Cloud project |
| DNS authorizations | 1000 | Total number of DNS authorizations within the Google Cloud project |
| Regional DNS authorizations | 300 | Total number of regional DNS authorizations per region within the Google Cloud project |
| Certificate issuance configs | 100 | Total number of certificate issuance configs within the Google Cloud project |
| Regional certificate issuance configs | 5 | Total number of regional certificate issuance configs per region within the Google Cloud project |
| Trust configs | 5 | Total number of trust configs within the Google Cloud project |
Domain name length limitations for Google-managed certificates
The following table lists domain name length limitations specific to Google-managed certificates in Certificate Manager.
| Quota | Characters | Domain |
|---|---|---|
| Load balancer authorization with Google CA | 253 | All |
| DNS authorization with Google CA | 237 | All |
| Per-project DNS authorization with Google CA | 220 | All |
| Load balancer authorization with Let's Encrypt | 253 | All domains except first domain |
| DNS authorization with Let's Encrypt | 237 | All domains except first domain |
| Load balancer authorization and DNS authorization with Let's Encrypt | 64 | First Domain |
Additional resource quotas for Google-managed certificates
The following table lists additional resource quotas specific to Google-managed certificates in Certificate Manager. These quotas cannot be increased.
| Quota | Default limit | Description |
|---|---|---|
| Domains per certificate with load balancer authorization | 5 | Maximum number of domains allowed per Google-managed certificate with load balancer authorization. |
| Domains per certificate with DNS authorization | 100 | Maximum number of domains allowed per Google-managed certificate with DNS authorization. |
Additional request quotas for Public CA operations
Quotas for Public CA operations are independent from quotas governing Certificate Manager operations on Google-managed certificates. They are also independent from any other quotas governing operations on Google-managed certificates performed by any other Google Cloud products.
Certificate Manager enforces the quota limits listed in this section for Public CA operations. Keep the following guidelines in mind:
- Certificate Manager can rate-limit your per-minute requests.
- Certificate Manager can return HTTP 429 response code asking an
ACME client to retry a request after waiting a few seconds. Your ACME clients must
support this response code and respect the
Retry-Afterheader that Certificate Manager sends with the response.
The production and the staging environment have the same limits, but they are independent of each other. Requests to the production environment and the staging environment only consume their respective quotas.
Public CA request quotas
The following table lists the Public CA request quotas that apply to ACME certificate management operations.
| Quota | Default limit | Description |
|---|---|---|
| Create an ACME account ( newAccount) |
25 per minute, 100 per hour | Maximum number of account creation requests |
| Create an authorization ( newAuthz) |
150 per 5 minutes, 300 per hour | Maximum number of authorization creation requests |
| Poll an authorization ( authz) |
600 per minute, no per-hour limit | Maximum number of authorization polling requests |
| Verify or poll a challenge ( challenge) |
100 per minute, no per-hour limit | Maximum number of challenge verification or polling requests |
| Request a certificate ( newOrder) |
25 per minute, 100 per hour | Maximum number of new certificate requests |
| Poll certificate issuance ( cert) |
50 per minute, no per-hour limit | Maximum number of certificate issuance polling requests |
| Revoke certificate ( revokeCert) |
25 per minute, no per-hour limit | Maximum number of certificate revocation requests |