Google Cloud Professional Cloud Security Engineer — Question 156
Your customer has an on-premises Public Key Infrastructure (PKI) with a certificate authority (CA). You need to issue certificates for many HTTP load balancer frontends. The on-premises PKI should be minimally affected due to many manual processes, and the solution needs to scale.
What should you do?
Answer options
- A. Use Certificate Manager to issue Google-managed public certificates and configure them at the HTTP load balancers in your infrastructure as code (IaC).
- B. Use a subordinate CA in the Google Certificate Authority Service from the on-premises PKI system to issue certificates for the load balancers.
- C. Use Certificate Manager to import certificates issued from the on-premises PKI for the frontends. Leverage the gcloud tool for importing.
- D. Use the web applications with PKCS12 certificates issued from a subordinate CA based on OpenSSL on-premises. Use the gcloud tool for importing. Use the External TCP/UDP Network load balancer instead of an external HTTP Load Balancer.
Correct answer: B
Explanation
The correct answer is B because using a subordinate CA in the Google Certificate Authority Service allows the existing on-premises PKI to issue certificates without significant changes to its operation. Option A is incorrect because it involves Google-managed certificates, which may not align with the requirement of minimal impact on the existing PKI. Option C suggests importing certificates, but it does not provide a scalable solution for certificate issuance. Option D complicates the process with the use of PKCS12 and a different type of load balancer, which is unnecessary for the requirement.