You create a private CA in Google Cloud Certificate Authority Service (CAS) and issue a certificate. What happens if the CA is disabled after issuing the certificate?
Think about what disabling a CA means for new and existing certificates.
Disabling a CA stops new certificate issuance but does not affect already issued certificates, which remain valid until they expire or are revoked.
You want to design a secure certificate authority hierarchy using Google CAS. Which architecture provides the best security and operational flexibility?
Consider the role of root and subordinate CAs in security and management.
Using an offline root CA with online subordinate CAs limits exposure of the root key and allows flexible certificate issuance and revocation.
You have issued certificates using Google CAS. Which method does CAS support to notify clients that a certificate is revoked?
Think about standard protocols for certificate revocation notification.
Google CAS publishes CRLs that clients can download and check to verify if a certificate is revoked. OCSP is not currently supported.
You want to create a private CA in Google CAS that uses the ECDSA P-384 key algorithm. Which configuration snippet correctly specifies this?
private_ca_config = {
    "key_spec": {
        "algorithm": "EC_P384"
    },
    "tier": "ENTERPRISE"
}
Look for the exact algorithm name for ECDSA P-384 in Google CAS.
The correct algorithm name for ECDSA P-384 is "EC_P384". Other options specify different algorithms.
What is the best practice to protect the root CA private key in Google Certificate Authority Service?
Think about minimizing exposure of the most sensitive key.
Keeping the root CA private key offline reduces the risk of compromise. It should only be used to sign subordinate CAs, which handle certificate issuance.