Entrust PKIaaS enforces the following quotas and limits.

Region limits

PKIaaS currently supports setting up your PKI in the US or EU regions. 

  • You can set up your whole trust chain (root CA and issuing CA) in the same region. 
  • PKIaaS does not support cross-region trust chains; you cannot sign an issuing CA using a root CA from another region.

Rate limits

PKIaaS has two tiers of quotas based on your PKIaaS certificate inventory.

Quota

Purchased certificates

​Standard quota

Less than 1 million​

Premium quota

1 million or more

To protect against burst requests and prevent abuse, PKIaaS enforces a request rate limit based on 10-second intervals.

Capability

Standard quota

Premium quota

Certificate creation

100 requests/10 seconds

1000 requests/10 seconds

OCSP

100 requests/10 seconds

1000 requests/10 seconds

CRL

100 requests/10 seconds

1000 requests/10 seconds

All others

100 requests/10 seconds

1000 requests/10 seconds

If the number of requests exceeds the allowed rate limit:

  • The API access is temporarily blocked
  • All requests return a 429 HTTP status code with a "TooManyRequests" error message. 

Certificate issuance capping

When the number of active certificates reaches the number of PKIaaS certificates purchased by your Entrust Certificate Service Enterprise account, PKIaaS blocks your account from issuing any additional certificates. To issue more PKIaaS certificates, you can either:

  • Revoke some of the active certificates.
  • Contact your sales representative to purchase more certificates.