GCP Professional Cloud Security Engineer Practice Question
As part of a zero-trust program, you must enable mutual TLS for many microservices that run on Compute Engine and multiple GKE clusters in several service projects. Internal traffic must use short-lived X.509 certificates automatically issued and rotated every 24 hours based on each workload's IAM service account identity. Operations teams need a single console to revoke any certificate immediately, and the solution must not rely on a publicly trusted root. Which architecture best meets these requirements while keeping operational overhead low?
Provision a private root CA with Certificate Authority Service, create subordinate CAs in a CA pool, and allow GKE and Compute Engine workloads to request and auto-renew 24-hour certificates through the Workload Certificate API (or Mesh CA) for mTLS.
Attach Google-managed SSL certificates to each Internal HTTP(S) Load Balancer and rely on the load balancers to terminate and re-encrypt traffic between services.
Generate a single wildcard certificate signed by an external public CA, store it in Secret Manager, and distribute it to every workload at startup through a custom script.
Purchase publicly trusted TLS certificates from Google Public CA and install them on every microservice to establish trust across projects.
Cloud Certificate Authority Service (CAS) lets you run an organization's private PKI entirely inside Google Cloud. You create a private root CA and one or more subordinate CAs in CA pools, so the trust anchor never leaves your organization and no publicly trusted root is involved. When CAS is used as the issuer for GKE workload certificates (the Workload Certificate API) or for Mesh CA, GKE pods and Compute Engine VMs authenticate with their service account identity and automatically receive short-lived (about 24-hour) X.509 certificates that are renewed before expiry without any custom scripting. CAS keeps an inventory of every issued certificate, lets an administrator revoke an individual certificate from the console or the API (revocation and CRL publishing require the Enterprise tier of the pool), and stores Google-managed CA keys in Cloud HSM, so no on-premises HSM or home-grown tooling is needed. Because the root CA sits in its own pool and only the subordinate pool is exposed to workloads, the root can stay offline-equivalent while issuance scales across service projects.
Google-managed SSL certificates on an internal or external load balancer provide only server-side TLS for the load balancer's own frontend; they cannot issue a distinct client certificate to each workload, so they do not give you mutual authentication between services. A single wildcard certificate distributed through Secret Manager gives every workload the same identity, has no automatic 24-hour rotation, and can only be revoked for everyone at once. Publicly trusted certificates from Google Public CA depend on an external trust anchor, cannot carry internal service account identities in a form a public CA will sign, and are unsuitable for purely internal service-to-service encryption.
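The following script, added here as an illustration and not taken from the page or from Google's documentation, builds the hierarchy the correct answer describes with the gcloud CLI: a root pool, a subordinate (issuing) pool, a least-privilege IAM binding so that only the workload's service account can request certificates, one 24-hour mTLS certificate whose URI SAN carries the workload identity, and an immediate revocation. In production the issue step is performed automatically by the GKE workload certificate or Mesh CA integration; the script shows the manual equivalent so the moving parts are visible. The project id, region, pool and CA names, the service account, and the SPIFFE-style URI are all made-up placeholders, and the flag names follow the `gcloud privateca` reference as I know it (check them against current docs before use). With `DRY_RUN=1` the commands are printed rather than executed, so the script can be reviewed without a Google Cloud project.

```shell
#!/bin/sh
# Added example (not from the page): CAS root -> subordinate hierarchy,
# 24-hour mTLS certificate issuance, and revocation via gcloud.
# All identifiers below are assumed placeholders.
set -eu

PROJECT="${PROJECT:-example-sec-project}"      # assumed project id
REGION="${REGION:-us-central1}"                # assumed CAS location
ROOT_POOL="${ROOT_POOL:-root-pool}"            # pool holding the private root CA
SUB_POOL="${SUB_POOL:-issuing-pool}"           # pool workloads request certs from
WORKLOAD_SA="${WORKLOAD_SA:-payments@${PROJECT}.iam.gserviceaccount.com}"
DRY_RUN="${DRY_RUN:-0}"                        # 1 = print commands instead of running them

# gc: run gcloud, or print the command line when DRY_RUN=1.
gc() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'gcloud %s\n' "$*"
  else
    gcloud "$@"
  fi
}

create_hierarchy() {
  gc services enable privateca.googleapis.com --project="$PROJECT"
  # Enterprise tier is needed for per-certificate revocation and CRLs.
  gc privateca pools create "$ROOT_POOL" --location="$REGION" --tier=enterprise --project="$PROJECT"
  gc privateca pools create "$SUB_POOL"  --location="$REGION" --tier=enterprise --project="$PROJECT"
  # Private root: the trust anchor stays inside Google Cloud (Google-managed key in Cloud HSM).
  # max-chain-length=1 allows exactly one level of subordinate CA beneath it.
  gc privateca roots create internal-root --pool="$ROOT_POOL" --location="$REGION" \
     --subject="CN=Internal Root CA, O=Example Corp" --key-algorithm=ec-p256-sha256 \
     --max-chain-length=1 --auto-enable --project="$PROJECT"
  # Subordinate CA signed by the root; this is the only CA workloads ever talk to.
  gc privateca subordinates create issuing-ca --pool="$SUB_POOL" --location="$REGION" \
     --issuer-pool="$ROOT_POOL" --issuer-location="$REGION" \
     --subject="CN=Internal Issuing CA, O=Example Corp" --key-algorithm=ec-p256-sha256 \
     --auto-enable --project="$PROJECT"
  # Least privilege: the workload's service account may request certs from the
  # issuing pool only; it gets no rights on the root pool.
  gc privateca pools add-iam-policy-binding "$SUB_POOL" --location="$REGION" \
     --member="serviceAccount:${WORKLOAD_SA}" \
     --role=roles/privateca.certificateRequester --project="$PROJECT"
}

# issue_cert NAME URI_SAN: request a 24-hour certificate whose URI SAN carries
# the workload identity (assumed SPIFFE-style form). Rotation is simply
# re-running this before the 24 hours elapse, which the managed integration does for you.
issue_cert() {
  gc privateca certificates create "$1" --issuer-pool="$SUB_POOL" --issuer-location="$REGION" \
     --generate-key --key-output-file="$1.key" --cert-output-file="$1.pem" \
     --subject="CN=$1" --uri-san="$2" --validity=PT24H --project="$PROJECT"
}

# revoke_cert NAME: immediate revocation; the pool's CRL is updated by CAS.
revoke_cert() {
  gc privateca certificates revoke --certificate="$1" --issuer-pool="$SUB_POOL" \
     --issuer-location="$REGION" --reason=key_compromise --quiet --project="$PROJECT"
}

main() {
  create_hierarchy
  issue_cert payments-mtls "spiffe://${PROJECT}.svc.id.goog/ns/payments/sa/payments"
  revoke_cert payments-mtls
}

# Only act when invoked as: DRY_RUN=1 sh cas_mtls.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it first with `DRY_RUN=1 sh cas_mtls.sh run` and read the printed commands; the same identities (the service account in the IAM binding and the URI SAN in the leaf certificate) are what the managed GKE and Compute Engine integrations populate automatically, so what you see is the shape of the certificates your mTLS policy will be matching on.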
Securing communications and establishing boundary protection