Quotas and limits

This document lists the quotas and system limits that apply to Certificate Manager. Quotas specify the amount of a countable, shared resource that you can use, and they are defined by Google Cloud services such as Certificate Manager. System limits are fixed values that cannot be changed.

Google Cloud uses quotas to help ensure fairness and reduce spikes in resource use and availability. A quota restricts how much of a Google Cloud resource your Google Cloud project can use. Quotas apply to a range of resource types, including hardware, software, and network components. For example, quotas can restrict the number of API calls to a service, the number of load balancers used concurrently by your project, or the number of projects that you can create. Quotas protect the community of Google Cloud users by preventing the overloading of services. Quotas also help you to manage your own Google Cloud resources.

The Cloud Quotas system does the following:

  • Monitors your consumption of Google Cloud products and services
  • Restricts your consumption of those resources
  • Provides a way to request changes to the quota value

In most cases, when you attempt to consume more of a resource than its quota allows, the system blocks access to the resource, and the task that you're trying to perform fails.

Quotas generally apply at the Google Cloud project level. Your use of a resource in one project doesn't affect your available quota in another project. Within a Google Cloud project, quotas are shared across all applications and IP addresses.

There are also system limits on Certificate Manager resources. System limits can't be changed.

Your use of Certificate Manager is governed by the following types of quotas:

  • Rate quotas determine how quickly you can call the Certificate Manager API as well as create and access Certificate Manager resources.

  • Resource quotas determine the total amount of Certificate Manager resources you can create within your Google Cloud project.

For more information about working with quotas, including steps for increasing them, and for setting up monitoring and alerting on quota metrics, see Working with quotas.

Rate quotas

The following table lists the rate quotas for Certificate Manager.

Item Default quota Description
API requests 300 per minute All calls to the Certificate Manager API
Read requests 300 per minute GET and LIST calls to the Certificate Manager API
Write requests 300 per minute CREATE, PATCH, and DELETE calls to the Certificate Manager API

Resource quotas and limits

The following table lists the resource quotas and limits for Certificate Manager.

Item Default quotas and limits Description
Google-managed certificates 1000 Total number of Google-managed certificates within the Google Cloud project
Regional Google-managed certificates 30 Total number of regional Google-managed certificates per region within the Google Cloud project
Self-managed certificates 1000 Total number of self-managed certificates within the Google Cloud project
Regional self-managed certificates 30 Total number of regional self-managed certificates per region within the Google Cloud project
Certificate maps 100 Total number of certificate maps within the Google Cloud project
Certificate map entries 5000 Total number of certificate map entries within the Google Cloud project.
You can associate a certificate with a maximum of 100 certificate map entries.
Certificates per certificate map entry Limit: 4 Total number of certificates that you can attach to a certificate map entry
DNS authorizations 1000 Total number of DNS authorizations within the Google Cloud project
Regional DNS authorizations 300 Total number of regional DNS authorizations per region within the Google Cloud project
Certificate issuance configs 100 Total number of certificate issuance configs within the Google Cloud project
Regional certificate issuance configs 5 Total number of regional certificate issuance configs per region within the Google Cloud project
Trust configs 5 Total number of trust configs within the Google Cloud project

Domain name length limitations for Google-managed certificates

The following table lists domain name length limitations specific to Google-managed certificates in Certificate Manager.

Item Characters Domain
Load balancer authorization with Google CA 253 All
DNS authorization with Google CA 237 All
Per-project DNS authorization with Google CA 220 All
Load balancer authorization with Let's Encrypt 253 All domains except first domain
DNS authorization with Let's Encrypt 237 All domains except first domain
Load balancer authorization and DNS authorization with Let's Encrypt 64 First Domain

Additional resource limits for Google-managed certificates

The following table lists additional resource limits specific to Google-managed certificates in Certificate Manager. These limits cannot be increased.

Item Limit Description
Domains per certificate with load balancer authorization 5 Maximum number of domains allowed per Google-managed certificate with load balancer authorization.
Domains per certificate with DNS authorization 100 Maximum number of domains allowed per Google-managed certificate with DNS authorization.

Additional request quotas for Public CA operations

Quotas for Public CA operations are independent from quotas governing Certificate Manager operations on Google-managed certificates. They are also independent from any other quotas governing operations on Google-managed certificates performed by any other Google Cloud products.

Certificate Manager enforces the quota limits listed in this section for Public CA operations. Keep the following guidelines in mind:

  • Certificate Manager can rate-limit your per-minute requests.
  • Certificate Manager can return HTTP 429 response code asking an ACME client to retry a request after waiting a few seconds. Your ACME clients must support this response code and respect the Retry-After header that Certificate Manager sends with the response.

The production and the staging environment have the same limits, but they are independent of each other. Requests to the production environment and the staging environment only consume their respective quotas.

Public CA request quotas

The following table lists the Public CA request quotas that apply to ACME certificate management operations.

Item Default quota Description
Create an ACME account
(newAccount)
25 per minute, 100 per hour Maximum number of account creation requests
Create an authorization
(newAuthz)
300 per hour Maximum number of authorization creation requests
Poll an authorization
(authz)
600 per minute Maximum number of authorization polling requests
Verify or poll a challenge
(challenge)
100 per minute Maximum number of challenge verification or polling requests
Request a certificate
(newOrder)
100 per hour Maximum number of new certificate requests
Poll certificate issuance
(cert)
50 per minute Maximum number of certificate issuance polling requests
Revoke certificate
(revokeCert)
25 per 30s Maximum number of certificate revocation requests

Trust config

The limits documented here cannot be increased and apply to classic Application Load Balancers and global external Application Load Balancers.

Item Quotas and limits Notes
Number of trust stores Limit: 1 This limit is per TrustConfig resource.
Combined number of trust anchors and intermediate certificates Limit: 200 This limit is per trust store.
Number of intermediate certificates Limit: 100 This limit is per trust store.
Number of name constraints allowed during validation of root and intermediate certificates Limit: 10
Intermediate certificates that share the same Subject and Subject Public Key information Limit: 10 This limit is per trust store.
Certificate chain depth Limit: 10 The maximum depth for a certificate chain, including the root and client certificates.
Number of times intermediate certificates can be evaluated when attempting to build the chain of trust Limit: 100
Keys of certificates uploaded or passed from the client

Limit: RSA keys can be from 2048 to 4096 bits

ECDSA certificates must use either P-256 or P-384 curves