How license usage is calculated using Secured Certificate Instances
TLS Protect Cloud uses a licensing model based on an accurate and flexible metric: the Secured Certificate Instance (SCI). License usage is measured by counting how many certificates meet specific criteria that indicate they are actively managed within the platform.
NOTE: SCI calculation applies only to the current licensing model
This topic describes the calculation of license usage under the current licensing model. If your organization is still using the legacy licensing model, refer to the informational callouts in this help system to understand how usage may differ.
What counts as a SCI?
A certificate is counted as a SCI if it meets any of the following criteria:
- It is assigned to an application.
- It has been requested, renewed, or installed using TLS Protect Cloud. (These are referred to as qualifying lifecycle operations.)
- It is being monitored through inventory monitoring settings.
- It is installed at an active installation location.
What is an installation location?
An installation location is any unique instance where a certificate is installed, such as:
- A physical or virtual machine
- A file-based keystore
- A Kubernetes cluster or service within a cluster
A single certificate installed in multiple locations will count as multiple SCIs.
What does not count as a SCI?
The following certificates or behaviors do not contribute to the SCI count:
- Certificates that are retired
- Certificates that are old and no longer installed or monitored
- Certificates that are only detected at TLS server endpoints
- Certificates issued by Firefly. These certificates do not count as SCIs, even if they are discovered or visible in TLS Protect Cloud.
How monitoring affects license usage
By default, TLS Protect Cloud does not monitor certificates that are not assigned to applications. This helps reduce unnecessary consumption of SCIs.
If you choose to monitor certificates not assigned to applications, a warning message explains that using this setting can increase your license usage.
Examples
Here are some common scenarios to help you understand how SCI counts are determined:
Scenario | SCI Count | Explanation |
---|---|---|
A certificate is requested through TLS Protect Cloud, but not installed | 1 | The request action is a qualifying lifecycle operation |
A certificate is installed on one machine | 1 | One active installation |
A certificate is installed on two machines | 2 | Two active installations |
A certificate is found on 100 TLS server endpoints, but not installed anywhere | 0 | TLS server endpoints alone are not counted toward licensing. |
An old certificate is still installed on one machine | 1 | Installation is active |
A retired certificate is still installed | 0 | Retired certificates are excluded |
Kubernetes-specific examples
Some certificates are discovered and managed using the TLS Protect for Kubernetes add-on or other integrations. These rules apply when calculating SCIs in Kubernetes environments:
Scenario | SCI Count |
---|---|
A certificate is discovered in a cluster but not issued by TLS Protect Cloud | 0 |
A certificate is issued by TLS Protect Cloud via cert-manager | 1 |
A monitored certificate is installed with 3 service attachments | 3 |
A retired certificate is found in a cluster | 0 |
Notes about enforcement
- SCI usage is not enforced by the platform; it is evaluated contractually on a daily basis at a specific UTC time.
- You can exceed your entitlement temporarily, but consistent overages may trigger action during renewals or audits.