Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location
Mob_nav_barsMENU

HashiCorp Exam HCVA0-003 Topic 4 Question 4 Discussion

Actual exam question for HashiCorp's HCVA0-003 exam
Question #: 4
Topic #: 4
[All HCVA0-003 Questions]

Your organization has an initiative to reduce and ultimately remove the use of long lived X.509 certificates. Which secrets engine will best support this use case?

Show Suggested Answer Hide Answer
Suggested Answer: A

The PKI secrets engine is designed to support the use case of reducing and ultimately removing the use of long lived X.509 certificates. The PKI secrets engine can generate dynamic X.509 certificates on demand, with short time-to-live (TTL) and automatic revocation. This eliminates the need for manual processes of generating, signing, and rotating certificates, and reduces the risk of certificate compromise or misuse. The PKI secrets engine can also act as a certificate authority (CA) or an intermediate CA, and can integrate with external CAs or CRLs. The PKI secrets engine can issue certificates for various purposes, such as TLS, SSH, code signing, email encryption, etc. Reference: https://developer.hashicorp.com/vault/docs/secrets/pki1, https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-dynamic-secrets


by Vince at Apr 06, 2025, 02:48 AM

Limited Time Offer

25%

Off

Get Premium HCVA0-003 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Reuben
5 days ago
I remember practicing a similar question where we discussed the use of TTLs with secrets engines. Maybe the Key/Value engine could work, but I’m not confident about it.
upvoted 0 times
...
Floyd
11 days ago
I think the PKI option makes sense since it’s designed for managing certificates, but I'm not entirely sure if it's the best fit for reducing long-lived ones.
upvoted 0 times
...
Latonia
16 days ago
I'm a bit confused by this question. I'm not familiar with all the different secrets engines in Vault. I'll need to do some research on the options before I can make a confident decision.
upvoted 0 times
...
Leanna
22 days ago
The PKI secrets engine seems like the obvious choice to me. It's designed specifically for managing certificates, so it should be well-suited for this use case.
upvoted 0 times
...
Lajuana
27 days ago
Hmm, I'm not sure about this one. The question is a bit tricky. I'm leaning towards the Transit secrets engine, as it can be used to encrypt and decrypt data, which could potentially be used to replace the functionality of X.509 certificates.
upvoted 0 times
...
Laticia
1 months ago
I think the Key/Value secrets engine version 2 with TTL defined is the best option here. It allows us to manage short-lived secrets, which should help reduce the reliance on long-lived X.509 certificates.
upvoted 0 times
...
Gregoria
6 months ago
I'm picturing some poor sysadmin trying to wrangle those X.509 certificates, and I can't help but chuckle. B is the answer, let's put them out of their misery!
upvoted 0 times
...
Diego
6 months ago
Why even bother with the other choices? It's like trying to put lipstick on a pig. B is the clear winner, no doubt about it.
upvoted 0 times
Crista
5 months ago
B is the clear winner, no doubt about it.
upvoted 0 times
...
Yuette
5 months ago
D) Transit
upvoted 0 times
...
Fletcher
5 months ago
C) Cloud KMS
upvoted 0 times
...
Nelida
5 months ago
B) Key/Value secrets engine version 2, with TTL defined
upvoted 0 times
...
Barney
5 months ago
A) PKI
upvoted 0 times
...
...
Miss
6 months ago
Ooh, the Transit engine could be interesting, but I'm not trying to be a rocket scientist here. Gotta go with the simple and straightforward option, B baby!
upvoted 0 times
Dominga
5 months ago
User 3: Yeah, I agree. Let's keep it simple and go with option B.
upvoted 0 times
...
Verdell
5 months ago
User 2: Key/Value secrets engine version 2 with TTL defined sounds like the best option to me.
upvoted 0 times
...
Vincenza
6 months ago
User 1: I think PKI might be the way to go for this.
upvoted 0 times
...
...
Jerry
6 months ago
That makes sense, but I still think C) Cloud KMS could also be a good option for managing certificates securely.
upvoted 0 times
...
Elly
6 months ago
I disagree, I believe B) Key/Value secrets engine version 2 with TTL defined is the best choice as it allows for expiration of certificates.
upvoted 0 times
...
Darci
7 months ago
I mean, who needs long-lived certificates when you can just have Vault handle everything for you? B is the way to go, hands down.
upvoted 0 times
Lyda
5 months ago
Transit could also be a good option for this use case.
upvoted 0 times
...
Tiara
5 months ago
I think Key/Value secrets engine version 2 with TTL defined would be more efficient.
upvoted 0 times
...
Cheryl
6 months ago
But wouldn't PKI be a better option for managing certificates?
upvoted 0 times
...
Lashawnda
6 months ago
I agree, Vault can definitely handle everything for us.
upvoted 0 times
...
...
Jade
7 months ago
The Key/Value secrets engine version 2 with TTL defined sounds like the perfect solution to this use case. Definitely going with B!
upvoted 0 times
Lea
5 months ago
Let's go with B then, Key/Value secrets engine version 2 with TTL defined seems like the most efficient choice.
upvoted 0 times
...
Wilda
5 months ago
Cloud KMS could work, but I think Transit might not be the most suitable option for this initiative.
upvoted 0 times
...
Katina
5 months ago
PKI might be a good option too, but I think B is the best choice for this use case.
upvoted 0 times
...
Joni
5 months ago
I agree, using Key/Value secrets engine version 2 with TTL defined will help us achieve our goal.
upvoted 0 times
...
Dusti
5 months ago
Let's go with B then, Key/Value secrets engine version 2 with TTL defined seems like the most efficient choice.
upvoted 0 times
...
Carlton
6 months ago
Cloud KMS could work, but I think Transit might not be the most suitable option for this initiative.
upvoted 0 times
...
Aleisha
6 months ago
PKI might be a good option too, but I think B is the best choice for this use case.
upvoted 0 times
...
Dick
6 months ago
I agree, using Key/Value secrets engine version 2 with TTL defined will help us achieve our goal.
upvoted 0 times
...
...
Jerry
7 months ago
I think the best option is A) PKI because it deals with certificates.
upvoted 0 times
...

Save Cancel