GCP Professional Cloud Security Engineer Practice Question
Your security team is rolling out mutual TLS between microservices that run on multiple GKE clusters in three regions. They expect to issue about 50 000 short-lived certificates every day and want to avoid hard-coding which subordinate CA signs each request. Production and staging certificates must be isolated while using the same automated process, and the GKE workload identity that requests the certificates must not be able to change CA configuration. Which architecture satisfies these requirements with the least operational overhead?
Deploy an unmanaged OpenSSL CA on a Compute Engine instance per environment, store the private keys in Cloud HSM, and allow the workload identity to SSH into the instance to run certmonger.
Add a self-signed root certificate to each cluster's trust store, generate certificates locally with kubectl cert-manager, and periodically upload the resulting CRLs to Certificate Authority Service.
Create one shared DevOps-tier CA pool that contains a single subordinate CA, reference that CA name in every CSR, and grant the workload identity the privateca.admin role on the pool.
Create two Enterprise-tier CA pools (prod and stage), each with several subordinate CAs. Attach an environment-specific certificate template to each pool and grant only the privateca.certificateRequester role on the pool to the GKE workload identity.
A CA pool lets Certificate Authority Service choose any enabled subordinate CA in the pool when the requester does not specify a particular CA. Creating one Enterprise-tier pool for production and another for staging keeps the environments isolated while allowing the service to scale to roughly 25 certificates per second per subordinate CA. Granting the service account the privateca.certificateRequester role on each pool is sufficient for issuing certificates but does not permit altering the CAs or pool configuration. Using a certificate template removes the need to embed X.509 details in every API call and ensures both environments follow their respective policies. Referencing a single CA by name in every CSR, using DevOps-tier CAs, or granting broader IAM roles would either create a bottleneck or violate least privilege.
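The two controls the explanation relies on (Enterprise-tier pools per environment, and only privateca.certificateRequester for the workload identity) are easy to verify after the fact. The following is an added example, not part of the practice question or of Google's tooling: it audits constructed dictionaries shaped like the JSON that `gcloud privateca pools describe --format=json` and `gcloud privateca pools get-iam-policy --format=json` return. The project, pool and service-account names are assumptions, and the staging pool is deliberately misconfigured so the audit has something to report.

```python
# Added example (not from the page): audit CA Service pool tier and IAM bindings
# for the GKE workload identity that requests certificates. The dicts below are
# constructed to mirror the JSON shape of
#   gcloud privateca pools describe POOL --location=REGION --format=json
#   gcloud privateca pools get-iam-policy POOL --location=REGION --format=json
# Project, pool and service-account names are assumptions.

REQUESTER_ROLE = "roles/privateca.certificateRequester"

# Any of these would let the requester change CA or pool configuration,
# which the question says the workload identity must not be able to do.
CONFIG_CHANGING_ROLES = {
    "roles/privateca.admin",
    "roles/privateca.caManager",
    "roles/owner",
    "roles/editor",
}

# Constructed GKE workload identity service account.
WORKLOAD_SA = "serviceAccount:mtls-issuer@example-project.iam.gserviceaccount.com"

# Constructed pool descriptions: production is correct, staging was created
# on the DevOps tier by mistake.
POOLS = {
    "prod": {
        "name": "projects/example-project/locations/us-central1/caPools/prod-mtls-pool",
        "tier": "ENTERPRISE",
    },
    "stage": {
        "name": "projects/example-project/locations/us-central1/caPools/stage-mtls-pool",
        "tier": "DEVOPS",
    },
}

# Constructed IAM policies: staging also grants privateca.admin to the workload SA.
POLICIES = {
    "prod": {
        "bindings": [
            {"role": REQUESTER_ROLE, "members": [WORKLOAD_SA]},
            {"role": "roles/privateca.admin",
             "members": ["group:pki-admins@example.com"]},
        ],
    },
    "stage": {
        "bindings": [
            {"role": REQUESTER_ROLE, "members": [WORKLOAD_SA]},
            {"role": "roles/privateca.admin",
             "members": [WORKLOAD_SA, "group:pki-admins@example.com"]},
        ],
    },
}


def roles_for_member(policy, member):
    """Return the set of roles a pool IAM policy grants to one member."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit_pool(pool, policy, member):
    """Check one pool; an empty list means it matches the intended design."""
    findings = []
    if pool.get("tier") != "ENTERPRISE":
        findings.append(f"{pool['name']}: tier is {pool.get('tier')}, expected ENTERPRISE")
    roles = roles_for_member(policy, member)
    if REQUESTER_ROLE not in roles:
        findings.append(f"{pool['name']}: {member} lacks {REQUESTER_ROLE}")
    for role in sorted(roles & CONFIG_CHANGING_ROLES):
        findings.append(f"{pool['name']}: {member} holds config-changing role {role}")
    return findings


def audit_environments(pools, policies, member):
    """Audit every environment and flag environments that share a single pool."""
    results = {env: audit_pool(pools[env], policies[env], member) for env in pools}
    names = [p["name"] for p in pools.values()]
    if len(set(names)) != len(names):
        for env in results:
            results[env].append("environments share a CA pool; prod and stage must be separate")
    return results


if __name__ == "__main__":
    for env, findings in audit_environments(POOLS, POLICIES, WORKLOAD_SA).items():
        print(f"[{env}] {'OK' if not findings else 'FINDINGS'}")
        for finding in findings:
            print("  -", finding)
```

Run against real output by replacing the constructed dicts with `json.load` of the two gcloud commands per pool; the same checks then give a quick least-privilege review of every environment's pool before the certificate-issuing workload is allowed to use it.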
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection