Entrust PKIaaS enforces the following quotas and limits.
Region limits
PKIaaS currently supports setting up your PKI in the US or EU regions.
- You can set up your whole trust chain (root CA and issuing CA) in the same region.
- PKIaaS does not support cross-region trust chains; you cannot sign an issuing CA using a root CA from another region.
Rate limits
PKIaaS has two tiers of quotas based on your PKIaaS certificate inventory.
Quota | Purchased certificates |
---|---|
Standard quota | Less than 1 million |
Premium quota | 1 million or more |
To protect against burst requests and prevent abuse, PKIaaS enforces a request rate limit based on 10-second intervals.
Capability | Standard quota | Premium quota |
---|---|---|
Certificate creation | 100 requests/10 seconds | 1000 requests/10 seconds |
OCSP | 100 requests/10 seconds | 1000 requests/10 seconds |
CRL | 100 requests/10 seconds | 1000 requests/10 seconds |
All others | 100 requests/10 seconds | 1000 requests/10 seconds |
If the number of requests exceeds the allowed rate limit:
- API access is temporarily blocked.
- All requests return a 429 HTTP status code with a "TooManyRequests" error message.
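A client can stay under these limits by pacing its own requests. The following is an added example, not Entrust code: a sliding-window throttle sized from the table above, with a retry wrapper for 429 responses. The class and function names, the `send` callable, and the one-window pause after a 429 are assumptions; this page does not state how long access stays blocked.

```python
import collections
import time

# Requests allowed per 10-second interval, taken from the table above.
LIMITS = {"standard": 100, "premium": 1000}
WINDOW_SECONDS = 10.0


class WindowThrottle:
    """Client-side sliding-window throttle that stays within the tier limit.

    Any 10-second span holds at most `limit` requests, so the client stays
    within quota however the service aligns its intervals (not documented).
    """

    def __init__(self, tier="standard", clock=time.monotonic, sleep=time.sleep):
        self.limit = LIMITS[tier]
        self.clock = clock
        self.sleep = sleep
        self.sent = collections.deque()  # timestamps of recent requests

    def wait_time(self):
        """Return the seconds to wait before the next request may be sent."""
        now = self.clock()
        while self.sent and now - self.sent[0] >= WINDOW_SECONDS:
            self.sent.popleft()  # drop requests that left the window
        if len(self.sent) < self.limit:
            return 0.0
        return WINDOW_SECONDS - (now - self.sent[0])

    def acquire(self):
        """Block until a request slot is free, then record the request."""
        while (delay := self.wait_time()) > 0:
            self.sleep(delay)
        self.sent.append(self.clock())


def call_with_throttle(send, throttle, max_attempts=3):
    """Run send() under the throttle; send is a hypothetical callable that
    performs one API request and returns its HTTP status code.

    Assumption: after a 429 the client pauses one full window before retrying.
    """
    for _ in range(max_attempts):
        throttle.acquire()
        status = send()
        if status != 429:
            return status
        throttle.sleep(WINDOW_SECONDS)
    return 429
```

Share one `WindowThrottle` across all workers that use the same PKIaaS account, since a per-thread throttle would let the combined rate exceed the quota.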
Certificate issuance capping
When the number of active certificates reaches the number of PKIaaS certificates purchased by your Entrust Certificate Service Enterprise account, PKIaaS blocks your account from issuing any additional certificates. To issue more PKIaaS certificates, you can either:
- Revoke some of the active certificates.
- Contact your sales representative to purchase more certificates.