Quotas
Entrust PKIaaS enforces the following quotas and limits.
Region limits
PKIaaS currently supports setting up your PKI in the US or EU regions.
- You can set up your whole trust chain (root CA and issuing CA) in the same region.
- Entrust PKIaaS does not support cross-region trust chains; you cannot use a root CA from another region to sign an issuing CA.
Rate limits
PKIaaS has two tiers of quotas based on your certificate inventory.
| Quota | Purchased certificates |
|---|---|
| Standard quota | Less than 1 million |
| Premium quota | 1 million or more |
To protect against burst requests and prevent abuse, PKIaaS enforces a request rate limit based on 10-second intervals.
| Capability | Standard quota | Premium quota |
|---|---|---|
| Certificate creation | 100 requests/10 seconds | 1000 requests/10 seconds |
| OCSP | 100 requests/10 seconds | 1000 requests/10 seconds |
| CRL | 100 requests/10 seconds | 1000 requests/10 seconds |
| All others | 100 requests/10 seconds | 1000 requests/10 seconds |
If the number of requests exceeds the allowed rate limit:
- The API access is temporarily blocked
- All requests return a 429 HTTP status code with a “TooManyRequests” error message.
Certificate issuance capping
When the number of active certificates reaches the number of PKIaaS certificates purchased for your account, PKIaaS blocks your account from issuing additional certificates. To issue more PKIaaS certificates, you can either:
- Revoke some of the active certificates.
- Contact your sales representative to purchase more certificates.