Increase certificate creation throughput using CA pools
This page describes how you can increase the certificate creation rate using a
certificate authority (CA) pool. For information about CA pools, see Overview
of CA pools.
Overview
The certificate creation throughput is measured in queries per second (QPS). In
a service mesh, the certificate creation throughput can be approximated using
the following formula:
THROUGHPUT = (ACTIVE_WORKLOADS × ROTATION_FREQUENCY) + NEW_WORKLOADS_PER_SECOND
Replace the following:
- ACTIVE_WORKLOADS: the total number of workloads that are running at any given time
- ROTATION_FREQUENCY: the frequency at which the certificates are rotated per second
- NEW_WORKLOADS_PER_SECOND: the rate at which new workloads are created
You can find the values for ACTIVE_WORKLOADS and NEW_WORKLOADS_PER_SECOND
in the Google Kubernetes Engine dashboards in the Google Cloud console. To
determine the ROTATION_FREQUENCY for a service mesh, you must refer to the
service mesh product's documentation. The ROTATION_FREQUENCY for Cloud Service
Mesh defaults to once every 12 hours, which is 1/(12×60×60) or 1/43200 when
converted into rotation frequency per second.
Example
Consider the example of a relatively stable cluster with long-lived workloads
and few ephemeral workloads.
| Variable name | Value | Description |
| --- | --- | --- |
| ACTIVE_WORKLOADS | 10000 | 10,000 workloads are expected to be running at any given time. |
| NEW_WORKLOADS_PER_SECOND | 1 | 1 new workload is created every second. |
| ROTATION_FREQUENCY | 1/43200 | The certificates rotate every 12 hours. |
Substituting these values in the formula for calculating certificate-creation
rate gives a QPS value of 1.23.
Throughput = (10,000 / 43,200) + 1 = 1.23 QPS
A different cluster with more ephemeral workloads and shorter-lived workloads
might have a higher value for NEW_WORKLOADS_PER_SECOND. A high value of
ROTATION_FREQUENCY makes the value of the fraction (ACTIVE_WORKLOADS /
ROTATION_FREQUENCY) quite small, making NEW_WORKLOADS_PER_SECOND the most
important variable in the formula.
Before you begin
Set up a CA pool in your required location. For the complete list of
locations, see Locations.
If you're expecting to issue certificates at a consistently high throughput, we
recommend that you create the CA pool in the DevOps tier, which allows for
improved performance and incurs lower costs. There is a maximum throughput for
each individual CA within a CA pool, and there is a maximum achievable effective
throughput for any given project. For example, if the maximum throughput for the
DevOps tier is 25 QPS for a CA and 100 QPS for a project, then you must create 4
CAs within the CA pool to reach a total effective throughput of up to 100 QPS.
For specific QPS numbers and more information about quotas, see Quotas and
limits.
Note: Support for listing, describing, and revoking certificates is not
available for CA pools in the DevOps tier. For more information about tiers,
see Select the operation tiers.
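A sizing sketch for the throughput formula and the per-CA and per-project limits described above, added here as an example and not part of the original page. The class and function names are hypothetical, and the 25 QPS and 100 QPS limits are the page's illustrative figures, not actual quotas.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class TierLimits:
    per_ca_qps: float   # maximum issuance rate of a single CA
    project_qps: float  # maximum effective issuance rate for the project


# Illustrative figures from the page's example, not actual quotas.
DEVOPS_EXAMPLE = TierLimits(per_ca_qps=25, project_qps=100)


def issuance_qps(active_workloads, rotation_interval_s, new_workloads_per_s):
    """THROUGHPUT = ACTIVE_WORKLOADS x ROTATION_FREQUENCY + NEW_WORKLOADS_PER_SECOND."""
    if rotation_interval_s <= 0:
        raise ValueError("rotation interval must be positive")
    rotation_frequency = 1 / rotation_interval_s  # rotations per second
    return active_workloads * rotation_frequency + new_workloads_per_s


def plan_pool(required_qps, limits):
    """Return the CA count for required_qps and whether the project cap allows it."""
    fits = required_qps <= limits.project_qps
    # Adding CAs beyond the project cap buys nothing, so size for the capped rate.
    target = min(required_qps, limits.project_qps)
    cas = max(1, math.ceil(target / limits.per_ca_qps))
    return {
        "required_qps": round(required_qps, 2),
        "cas": cas,
        "effective_qps": min(cas * limits.per_ca_qps, limits.project_qps),
        "fits_project_cap": fits,
    }


# Constructed scenarios: the page's stable cluster, then two with more churn.
SCENARIOS = {
    "stable": issuance_qps(10_000, 12 * 60 * 60, 1),
    "ephemeral": issuance_qps(10_000, 12 * 60 * 60, 80),
    "over_cap": issuance_qps(10_000, 12 * 60 * 60, 150),
}

if __name__ == "__main__":
    for name, qps in SCENARIOS.items():
        print(name, plan_pool(qps, DEVOPS_EXAMPLE))
```

When `fits_project_cap` is false, adding CAs does not help; the demand has to be reduced or the quota raised.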
Procedure
1. Create enough CAs within your CA pool to achieve the required QPS. The
   required number of CAs is 4 for CA pools in the DevOps tier, and 15 for CA
   pools in the Enterprise tier. The following set of instructions is for a CA
   pool in the DevOps tier:

   1. To create a root CA with the name root-1 in your CA pool, use the
      following gcloud command.

          gcloud privateca roots create root-1 \
            --location LOCATION \
            --pool POOL_NAME \
            --subject="CN=root-1,O=google"

      The total effective QPS of the CA pool at this stage is 25 QPS. To
      increase the total effective QPS of the CA pool to 100 QPS, you must
      create 3 more CAs in your CA pool.
   2. To create a root CA with the name root-2, use the following gcloud
      command.

          gcloud privateca roots create root-2 \
            --location LOCATION \
            --pool POOL_NAME \
            --subject="CN=root-2,O=google"

   3. To create a root CA with the name root-3, use the following gcloud
      command.

          gcloud privateca roots create root-3 \
            --location LOCATION \
            --pool POOL_NAME \
            --subject="CN=root-3,O=google"

   4. To create a root CA with the name root-4, use the following gcloud
      command.

          gcloud privateca roots create root-4 \
            --location LOCATION \
            --pool POOL_NAME \
            --subject="CN=root-4,O=google"

      At this stage, the total effective QPS of your CA pool is 100 QPS.
2. While CAs are in the STAGED state, create and test certificates. Once that
   is done, enable the CAs. For information on enabling CAs, see Enable a
   CA. For information on testing CAs, see Test a CA.
3. Verify the health of your CA pool by getting audit reports on load-balancing
   across CAs. Ideally, there should be uniformity in the number of
   certificates issued by each CA.

   You can use Cloud Monitoring to monitor your CA pool's load-balancing
   metrics, such as the number of certificates issued per CA in a given time
   period. For more information, see Monitor resources using
   Cloud Monitoring.
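One way to run the uniformity check from step 3 over per-CA issuance counts, added here as an example and not part of the original page. The counts are constructed, and the function name, the random-selection model and the z-score cut-off are assumptions.

```python
import math


def audit_pool_balance(issued_by_ca, z_threshold=4.0):
    """Compare each CA's issuance count with an even split across the pool.

    Assumption: requests are spread uniformly at random, so a CA's count is
    Binomial(total, 1/n). z_threshold is a hypothetical cut-off, not a
    documented value.
    """
    n = len(issued_by_ca)
    total = sum(issued_by_ca.values())
    if n < 2 or total == 0:
        raise ValueError("need at least two CAs and one issued certificate")
    expected = total / n
    sigma = math.sqrt(total * (1 / n) * (1 - 1 / n))
    report = {}
    for ca, count in sorted(issued_by_ca.items()):
        z = (count - expected) / sigma
        if count == 0:
            status = "idle"      # adds no capacity; check that the CA is enabled
        elif abs(z) > z_threshold:
            status = "skewed"    # deviation too large to be sampling noise
        else:
            status = "ok"
        report[ca] = {"share": round(count / total, 3), "z": round(z, 2),
                      "status": status}
    return report


# Constructed counts for one day of issuance at about 1 QPS (86,400 certificates).
BALANCED = {"root-1": 21540, "root-2": 21710, "root-3": 21495, "root-4": 21655}
# Constructed counts where root-4 issued nothing and the others absorbed its load.
ONE_IDLE = {"root-1": 28900, "root-2": 28750, "root-3": 28750, "root-4": 0}

if __name__ == "__main__":
    for label, counts in (("balanced", BALANCED), ("one idle", ONE_IDLE)):
        print(label)
        for ca, row in audit_pool_balance(counts).items():
            print(f"  {ca}: {row}")
```

An idle CA means the pool's effective QPS is lower than the number of CAs suggests, which matters when the pool was sized close to the required rate.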
Last updated 2025-08-29 UTC.