Stay organized with collections
Save and categorize content based on your preferences.
Select the operation tiers
Certificate Authority Service offers two workload-optimized operation tiers for certificate
authority (CA) pools.
DevOps: Focused on high volume, short-lived certificate issuance which is
found in microservice-based applications.
Enterprise: Focused on lower volume, long-lived certificate issuance
which is normally found in devices and user identity, where lifecycle
management is important.
Both tiers can be used with any kind of application and both tiers support all
user-specified certificate timelines. Microservice-based applications might
benefit from the higher certificate creation throughput for DevOps CA pools, which can support
environments with higher rates of workload startup and allow certificates to be
rotated more frequently. DevOps tier might also be more suited for shorter-lived
certificates because it lacks certificate lifecycle management.
Some differences between the DevOps and the Enterprise tier are mentioned in the following table:
DevOps tier
Enterprise tier
HSM support for CA key
Yes
Yes
Customer-managed CA key, supported through Cloud KMS
No
Yes
Support for listing, describing, and revoking certificates
No
Yes
QPS quota for CAs*
25
7
* QPS quota refers to the maximum number of certificates that can be
issued per second by a given CA. A CA pool can reach a higher total effective QPS with multiple CAs.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eCertificate Authority Service provides two operation tiers for CA pools: DevOps and Enterprise.\u003c/p\u003e\n"],["\u003cp\u003eThe DevOps tier is designed for high-volume, short-lived certificates, ideal for microservice applications, while the Enterprise tier supports lower-volume, long-lived certificates, suitable for devices and user identities.\u003c/p\u003e\n"],["\u003cp\u003eThe chosen operation tier for a CA pool is permanent and cannot be altered after creation.\u003c/p\u003e\n"],["\u003cp\u003eThe DevOps tier offers a higher QPS (Queries Per Second) quota for CAs (25) compared to the Enterprise tier (7), enabling faster certificate issuance.\u003c/p\u003e\n"],["\u003cp\u003eThe Enterprise tier supports certificate lifecycle management features, such as listing, describing, and revoking certificates, which are not available in the DevOps tier.\u003c/p\u003e\n"]]],[],null,["# Select the operation tiers\n==========================\n\nCertificate Authority Service offers two workload-optimized operation tiers for certificate\nauthority (CA) pools.\n\n- **DevOps**: Focused on high volume, short-lived certificate issuance which is found in microservice-based applications.\n- **Enterprise**: Focused on lower volume, long-lived certificate issuance which is normally found in devices and user identity, where lifecycle management is important.\n\n| **Note:** The operation tier is set when the CA pool is created and cannot be changed afterwards.\n\nBoth tiers can be used with any kind of application and both tiers support all\nuser-specified certificate timelines. Microservice-based applications might\nbenefit from the higher certificate creation throughput for DevOps CA pools, which can support\nenvironments with higher rates of workload startup and allow certificates to be\nrotated more frequently. DevOps tier might also be more suited for shorter-lived\ncertificates because it lacks certificate lifecycle management.\n\nFor information on how to get a rough estimate of the certificate creation throughput, see\n[Increase certificate creation throughput using CA pools](/certificate-authority-service/docs/higher-qps).\n\nSome differences between the DevOps and the Enterprise tier are mentioned in the following table:\n\n\\* QPS quota refers to the maximum number of certificates that can be\nissued per second by a given CA. A CA pool can reach a higher total effective QPS with multiple CAs.\n\nWhat's next\n-----------\n\n- Learn about [CA pools](/certificate-authority-service/docs/ca-pool).\n- Learn how to [create CA pools](/certificate-authority-service/docs/creating-ca-pool).\n- Learn how to [increase certificate creation throughput using CA pools](/certificate-authority-service/docs/higher-qps).\n- Learn about [quotas and limits](/certificate-authority-service/quotas)."]]
