google_privateca_certificate_authority cost estimation

A managed private certificate authority. Priced as a flat monthly CA fee by tier, plus a per-certificate issuance charge.

A google_privateca_certificate_authority runs a managed private CA on Google Cloud's Certificate Authority Service (CAS) for issuing internal TLS certificates (mTLS, service identity, IoT) without operating your own PKI. The cost is a flat monthly fee for the CA plus a per-certificate charge.

The CA fee depends on the tier. The DevOps tier is about $20/month per CA and is optimized for high-volume, short-lived certificates (service meshes, workload identity): it has a low CA fee but is meant for certs you issue and discard rapidly. The Enterprise tier is about $200/month per CA and supports long-lived certificates with full lifecycle management (revocation, templates). On top of the CA fee, each certificate issued is billed separately, at a rate that differs by tier.

c3x reads the tier and prices the monthly CA fee; certificate issuance is a usage-based dimension supplied in c3x-usage.yml. The tier choice is the main decision: DevOps for cheap high-volume short-lived certs, Enterprise for managed long-lived ones. As with all CAs, the fee accrues until the CA is deleted, so decommission unused CAs.

Terraform example

A minimal but realistic configuration that C3X can estimate.

resource "google_privateca_certificate_authority" "internal" {
  location                 = "us-central1"
  pool                     = google_privateca_ca_pool.pool.name # the pool carries the tier
  certificate_authority_id = "internal-root"

  config {
    subject_config {
      subject {
        common_name  = "internal.example.com"
        organization = "Example"
      }
    }
    x509_config {
      ca_options {
        is_ca = true
      }
      key_usage {
        # A CA key signs certificates and CRLs.
        base_key_usage {
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }

  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }
}
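
The tier that drives the CA fee is set on the CA pool that the configuration above references, and the page lists revocation as an Enterprise feature. The following is an added example, not part of the original page or of C3X: two pools showing each tier with a matching certificate lifetime cap. The pool names, location and lifetime values are constructed for illustration; the resource name `pool` matches the reference above.

```hcl
# Added example: names, location and lifetimes are constructed values.

# DevOps tier: low CA fee, intended for short-lived, high-volume certificates.
resource "google_privateca_ca_pool" "mesh" {
  name     = "mesh-pool"
  location = "us-central1"
  tier     = "DEVOPS"

  publishing_options {
    publish_ca_cert = true
    publish_crl     = false # revocation is listed as an Enterprise feature
  }

  issuance_policy {
    # Without revocation, expiry is the only way a leaked certificate stops
    # being trusted, so cap the lifetime that CAs in this pool may issue.
    maximum_lifetime = "86400s" # 24 hours
  }
}

# Enterprise tier: higher CA fee, long-lived certificates with revocation.
resource "google_privateca_ca_pool" "pool" {
  name     = "internal-pool"
  location = "us-central1"
  tier     = "ENTERPRISE"

  publishing_options {
    publish_ca_cert = true
    publish_crl     = true # lets relying parties check revocation status
  }

  issuance_policy {
    maximum_lifetime = "7776000s" # 90 days
  }
}
```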

Pricing dimensions

What you actually pay for when you provision google_privateca_certificate_authority.

| Dimension | Unit | What's being charged |
|---|---|---|
| CA fee | per month | Flat monthly fee per CA by tier. c3x reads the pool tier and prices the CA. $20/month DevOps, $200/month Enterprise. |
| Certificates issued | per certificate | Per-certificate issuance charge, varying by tier (DevOps cheaper per cert at volume). Usage-based; define in c3x-usage.yml. |

Sample C3X output

Example output from c3x estimate (DevOps-tier CA, CA fee only):

google_privateca_certificate_authority.internal
└─ CA fee (DevOps tier)        1  month    $20.00

OVERALL TOTAL                             $20.00
(certificate issuance usage-based)

Optimization tips

Common ways to reduce google_privateca_certificate_authority cost without changing the workload.

Use the DevOps tier for short-lived, high-volume certs

~$180/month per CA

For service-mesh mTLS and workload identity, where certs are short-lived and issued constantly, the DevOps tier's $20/month CA fee is far cheaper than Enterprise's $200, with low per-cert cost at volume.

Reserve Enterprise tier for managed long-lived certs

Tier-fit dependent

Enterprise's $200/month buys revocation, templates, and long-lived certificate lifecycle. Use it only where you need those; don't pay Enterprise rates for ephemeral mesh certs.

Delete CAs you've stopped using

Full CA fee

The monthly fee accrues until the CA is deleted (not just disabled). Decommission CAs from retired projects to stop the charge.

FAQ

How does c3x estimate CAS cost?

It reads the CA tier and prices the flat monthly CA fee (~$20 DevOps, ~$200 Enterprise). Certificate issuance is a usage-based, tier-dependent dimension supplied in c3x-usage.yml.

What's the difference between DevOps and Enterprise tiers?

DevOps (~$20/month) is for high-volume, short-lived certificates (mesh, workload identity) with cheap per-cert pricing but limited lifecycle features. Enterprise (~$200/month) supports long-lived certs with revocation, templates, and full management.

Are certificates charged on top of the CA fee?

Yes. Each issued certificate bills a per-cert charge that varies by tier. At high volume on the DevOps tier the per-cert cost is low; Enterprise certs cost more each but the tier targets fewer, longer-lived certs.

How does this compare to AWS Private CA?

Both are managed private CAs with a monthly CA fee plus per-cert charges. AWS general-purpose is ~$400/month vs GCP Enterprise ~$200; AWS short-lived ~$50 vs GCP DevOps ~$20. GCP's tiers are cheaper at the entry points.

Does disabling a CA stop billing?

No. The monthly fee accrues until the CA is deleted. Disabling stops issuance but not the charge, so delete CAs you no longer need.

Estimate this resource in your own Terraform

Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including google_privateca_certificate_authority.