Stay organized with collections
Save and categorize content based on your preferences.
Quotas and limits
This page lists the quotas and limits that apply to Certificate Authority Service.
Resource limits
CA Service enforces the following usage limits:
| Resource |
Unit |
Value |
| Pending CAs1 |
per Location per Project |
100 |
| CAs |
per Location per Project |
1000 |
| Unexpired revoked certificates2 |
per CA or certificate revocation list (CRL) |
500 for CAs with external signing keys.
500,000 for CAs with HSM or software signing keys. |
1A pending certificate authority (CA) is a subordinate CA that has been
created but not yet activated, and is thus in the AWAITING_USER_ACTIVATION state.
2A CRL can contain at most 500,000 unexpired revoked certificates.
If you attempt to revoke more than this limit, the revocation request fails.
If you need to revoke more than 500,000 certificates, we recommend that you wait
until the existing revoked certificates have expired or revoke the issuing CA certificate.
Rate quotas
The following rate quotas apply to CA Service requests:
| Request |
Unit |
Maximum requests |
| CreateCertificate |
per Certificate Authority (Enterprise tier) |
7 per second* |
| CreateCertificate |
per Certificate Authority (DevOps tier) |
25 per second* |
| CreateCertificate |
per Location per Project |
100 per second* |
| ListCertificates |
per Location per Project |
10 per second* |
| CreateCertificateAuthority |
per Location per Project |
5 per minute* |
| All other mutation requests |
per Location per Project |
40 per second* |
| All requests |
per Location per Project |
400 per second* |
* Even if you have available quota, other factors can result in reduced throughput.
Quota increases
You can use the Google Cloud console to request a quota increase. You can request a quota
increase for certificate issuance, titled "CreateCertificate requests per
project per minute per region".
For more information, see
Requesting a quota adjustment.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-07 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["\u003cp\u003eCA Service limits the number of pending CAs to 100 and the total number of CAs to 1000 per location per project.\u003c/p\u003e\n"],["\u003cp\u003eThe maximum number of unexpired revoked certificates per CA or certificate revocation list (CRL) is 500 for CAs with external signing keys, and 500,000 for CAs with HSM or software signing keys.\u003c/p\u003e\n"],["\u003cp\u003eThe rate limit for \u003ccode\u003eCreateCertificate\u003c/code\u003e requests is 7 per second for Enterprise tier, 25 per second for DevOps tier, and 100 per second per location per project.\u003c/p\u003e\n"],["\u003cp\u003eThe rate limit for \u003ccode\u003eCreateCertificateAuthority\u003c/code\u003e is 5 per minute, and for all other mutations it is 40 per second per location per project.\u003c/p\u003e\n"],["\u003cp\u003eThe overall rate limit is 400 requests per second per location per project, though other factors may reduce throughput, and quotas for certificate creation can be increased through the Google Cloud console.\u003c/p\u003e\n"]]],[],null,[]]
