Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

HashiCorp HCVA0-003 Exam - Topic 4 Question 4 Discussion

Your organization has an initiative to reduce and ultimately remove the use of long lived X.509 certificates. Which secrets engine will best support this use case?
A) PKI
B) Key/Value secrets engine version 2, with TTL defined
C) Cloud KMS
D) Transit

HashiCorp HCVA0-003 Exam - Topic 4 Question 4 Discussion

Actual exam question for HashiCorp's HCVA0-003 exam
Question #: 4
Topic #: 4
[All HCVA0-003 Questions]

Your organization has an initiative to reduce and ultimately remove the use of long lived X.509 certificates. Which secrets engine will best support this use case?

Show Suggested Answer Hide Answer
Suggested Answer: A

The PKI secrets engine is designed to support the use case of reducing and ultimately removing the use of long lived X.509 certificates. The PKI secrets engine can generate dynamic X.509 certificates on demand, with short time-to-live (TTL) and automatic revocation. This eliminates the need for manual processes of generating, signing, and rotating certificates, and reduces the risk of certificate compromise or misuse. The PKI secrets engine can also act as a certificate authority (CA) or an intermediate CA, and can integrate with external CAs or CRLs. The PKI secrets engine can issue certificates for various purposes, such as TLS, SSH, code signing, email encryption, etc. Reference: https://developer.hashicorp.com/vault/docs/secrets/pki1, https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-dynamic-secrets


by Vince at Apr 06, 2025, 01:48 AM

Limited Time Offer

25%

Off

Get Premium HCVA0-003 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Lajuana
6 months ago
PKI is the standard for this, no doubt about it!
upvoted 0 times
...
Marylin
6 months ago
I disagree, Cloud KMS might be a better fit for scalability.
upvoted 0 times
...
Rosina
6 months ago
Wait, are we really ditching X.509? That seems risky!
upvoted 0 times
...
Caren
6 months ago
I think B could work too, especially with TTL.
upvoted 0 times
...
Serina
6 months ago
Definitely going with A, PKI is the way to go!
upvoted 0 times
...
Esteban
7 months ago
I lean towards the PKI option too, but I wonder if Transit could be relevant in some way. It’s all a bit confusing with the different engines!
upvoted 0 times
...
Cherry
7 months ago
Cloud KMS sounds familiar, but I can't recall if it specifically addresses the issue of long-lived certificates. I feel like it might be more about key management than certificates.
upvoted 0 times
...
Reuben
7 months ago
I remember practicing a similar question where we discussed the use of TTLs with secrets engines. Maybe the Key/Value engine could work, but I’m not confident about it.
upvoted 0 times
...
Floyd
7 months ago
I think the PKI option makes sense since it’s designed for managing certificates, but I'm not entirely sure if it's the best fit for reducing long-lived ones.
upvoted 0 times
...
Latonia
8 months ago
I'm a bit confused by this question. I'm not familiar with all the different secrets engines in Vault. I'll need to do some research on the options before I can make a confident decision.
upvoted 0 times
...
Leanna
8 months ago
The PKI secrets engine seems like the obvious choice to me. It's designed specifically for managing certificates, so it should be well-suited for this use case.
upvoted 0 times
...
Lajuana
8 months ago
Hmm, I'm not sure about this one. The question is a bit tricky. I'm leaning towards the Transit secrets engine, as it can be used to encrypt and decrypt data, which could potentially be used to replace the functionality of X.509 certificates.
upvoted 0 times
...
Laticia
8 months ago
I think the Key/Value secrets engine version 2 with TTL defined is the best option here. It allows us to manage short-lived secrets, which should help reduce the reliance on long-lived X.509 certificates.
upvoted 0 times
...
Gregoria
1 year ago
I'm picturing some poor sysadmin trying to wrangle those X.509 certificates, and I can't help but chuckle. B is the answer, let's put them out of their misery!
upvoted 0 times
...
Diego
1 year ago
Why even bother with the other choices? It's like trying to put lipstick on a pig. B is the clear winner, no doubt about it.
upvoted 0 times
Crista
12 months ago
B is the clear winner, no doubt about it.
upvoted 0 times
...
Yuette
12 months ago
D) Transit
upvoted 0 times
...
Fletcher
12 months ago
C) Cloud KMS
upvoted 0 times
...
Nelida
1 year ago
B) Key/Value secrets engine version 2, with TTL defined
upvoted 0 times
...
Barney
1 year ago
A) PKI
upvoted 0 times
...
...
Miss
1 year ago
Ooh, the Transit engine could be interesting, but I'm not trying to be a rocket scientist here. Gotta go with the simple and straightforward option, B baby!
upvoted 0 times
Dominga
12 months ago
User 3: Yeah, I agree. Let's keep it simple and go with option B.
upvoted 0 times
...
Verdell
1 year ago
User 2: Key/Value secrets engine version 2 with TTL defined sounds like the best option to me.
upvoted 0 times
...
Vincenza
1 year ago
User 1: I think PKI might be the way to go for this.
upvoted 0 times
...
...
Jerry
1 year ago
That makes sense, but I still think C) Cloud KMS could also be a good option for managing certificates securely.
upvoted 0 times
...
Elly
1 year ago
I disagree, I believe B) Key/Value secrets engine version 2 with TTL defined is the best choice as it allows for expiration of certificates.
upvoted 0 times
...
Darci
1 year ago
I mean, who needs long-lived certificates when you can just have Vault handle everything for you? B is the way to go, hands down.
upvoted 0 times
Lyda
12 months ago
Transit could also be a good option for this use case.
upvoted 0 times
...
Tiara
12 months ago
I think Key/Value secrets engine version 2 with TTL defined would be more efficient.
upvoted 0 times
...
Cheryl
1 year ago
But wouldn't PKI be a better option for managing certificates?
upvoted 0 times
...
Lashawnda
1 year ago
I agree, Vault can definitely handle everything for us.
upvoted 0 times
...
...
Jade
1 year ago
The Key/Value secrets engine version 2 with TTL defined sounds like the perfect solution to this use case. Definitely going with B!
upvoted 0 times
Lea
1 year ago
Let's go with B then, Key/Value secrets engine version 2 with TTL defined seems like the most efficient choice.
upvoted 0 times
...
Wilda
1 year ago
Cloud KMS could work, but I think Transit might not be the most suitable option for this initiative.
upvoted 0 times
...
Katina
1 year ago
PKI might be a good option too, but I think B is the best choice for this use case.
upvoted 0 times
...
Joni
1 year ago
I agree, using Key/Value secrets engine version 2 with TTL defined will help us achieve our goal.
upvoted 0 times
...
Dusti
1 year ago
Let's go with B then, Key/Value secrets engine version 2 with TTL defined seems like the most efficient choice.
upvoted 0 times
...
Carlton
1 year ago
Cloud KMS could work, but I think Transit might not be the most suitable option for this initiative.
upvoted 0 times
...
Aleisha
1 year ago
PKI might be a good option too, but I think B is the best choice for this use case.
upvoted 0 times
...
Dick
1 year ago
I agree, using Key/Value secrets engine version 2 with TTL defined will help us achieve our goal.
upvoted 0 times
...
...
Jerry
1 year ago
I think the best option is A) PKI because it deals with certificates.
upvoted 0 times
...

Save Cancel