New Year Sale 2026! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

HashiCorp Vault-Associate Exam - Topic 7 Question 15 Discussion

Actual exam question for HashiCorp's Vault-Associate exam
Question #: 15
Topic #: 7
[All Vault-Associate Questions]

Your organization has an initiative to reduce and ultimately remove the use of long lived X.509 certificates. Which secrets engine will best support this use case?

Show Suggested Answer Hide Answer
Suggested Answer: A

The command vault secrets enable transit enables the transit secrets engine at the transit path. The transit secrets engine is a secrets engine that handles cryptographic functions on data in-transit, such as encryption, decryption, signing, verification, hashing, and random bytes generation. The transit secrets engine does not store the data sent to it, but only performs the requested operations and returns the results. The transit secrets engine can also be viewed as ''cryptography as a service'' or ''encryption as a service''. The command vault secrets enable transit uses the default path of transit for the secrets engine, but this can be changed by using the -path option. For example, vault secrets enable -path=my-transit transit would enable the transit secrets engine at the my-transit path.Reference:Transit - Secrets Engines | Vault | HashiCorp Developer,vault secrets enable - Command | Vault | HashiCorp Developer


by Ciara at Apr 28, 2024, 11:05 AM

Limited Time Offer

25%

Off

Get Premium Vault-Associate Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Quentin
3 months ago
Transit is not suitable for this use case, just saying.
upvoted 0 times
...
Theron
3 months ago
Wait, are we really removing long-lived certs? Sounds risky!
upvoted 0 times
...
Chara
3 months ago
Cloud KMS? Really? That seems like an odd choice for this.
upvoted 0 times
...
Adolph
4 months ago
I think Key/Value with TTL could work too, but not as effective.
upvoted 0 times
...
Vanesa
4 months ago
PKI is definitely the way to go for managing X.509 certs.
upvoted 0 times
...
Vernell
4 months ago
Transit seems more focused on encryption rather than certificate management, so I don't think it would be the right choice for this scenario.
upvoted 0 times
...
Kenda
4 months ago
Cloud KMS sounds familiar, but I can't recall if it directly relates to X.509 certificates. I might lean towards PKI based on what we practiced.
upvoted 0 times
...
Raina
4 months ago
I think the Key/Value secrets engine could work, especially with TTL settings, but I feel like it might not be as effective for managing X.509 certificates specifically.
upvoted 0 times
...
Nidia
5 months ago
I remember studying about PKI and how it can automate certificate management, but I'm not entirely sure if it's the best fit for reducing long-lived certificates.
upvoted 0 times
...
Flo
5 months ago
I'm a bit confused by this question. I'm not sure which secrets engine would be the best fit to replace long-lived X.509 certificates. I'll need to carefully read through the options and think about the requirements.
upvoted 0 times
...
Nu
5 months ago
I think the Transit secrets engine could be a good choice here. It can encrypt and decrypt data, which could include short-lived certificates. I'll need to research the capabilities further.
upvoted 0 times
...
Chan
5 months ago
The PKI secrets engine looks promising since it can issue certificates. But I wonder if the Key/Value secrets engine with TTL might also work, since it can store short-lived secrets.
upvoted 0 times
...
Blondell
5 months ago
Hmm, I'm not sure which secrets engine would be the best fit here. I'll need to review the details of each option to determine which one can handle this use case.
upvoted 0 times
...
Lili
5 months ago
This question seems straightforward - the key is to find a secrets engine that can issue short-lived certificates to replace the long-lived X.509 ones.
upvoted 0 times
...
Eulah
5 months ago
Correlation rules! That's the one that looks for relationships between multiple events within a specified time window. I'm confident that's the right answer.
upvoted 0 times
...
Adolph
5 months ago
I'm a bit confused on the other options. Increasing the money supply and reducing interest rates - how would those help reduce the deficit? I'll need to review those concepts.
upvoted 0 times
...
Viki
5 months ago
I'm a little confused by this question. The options seem to be getting at different aspects of the control infrastructure, but I'm not sure I fully understand the nuance between them. I'll need to review my notes and think through the concepts more carefully before answering.
upvoted 0 times
...
Lemuel
10 months ago
Ugh, certificates and their expiration dates. I'd rather just use B) and let Vault handle the hassle for me. Less paperwork, more coding!
upvoted 0 times
Eva
9 months ago
I think using option B) is the best choice for reducing the use of long lived X.509 certificates.
upvoted 0 times
...
Willard
9 months ago
Yeah, Vault can handle the expiration dates for us, so we can focus on coding instead of dealing with certificates.
upvoted 0 times
...
Maryann
9 months ago
I agree, using the Key/Value secrets engine version 2 with TTL defined would definitely make things easier.
upvoted 0 times
...
...
Rashida
10 months ago
This is a tricky one, but B) is the way to go. I'm glad I don't have to worry about long-lived certificates - that sounds like a real headache!
upvoted 0 times
James
8 months ago
Transit might be a good option too, but B) seems to be the most appropriate choice for this specific initiative.
upvoted 0 times
...
Lindsey
9 months ago
PKI might be a common choice, but in this case, B) is more suitable for reducing and removing long-lived X.509 certificates.
upvoted 0 times
...
Chaya
9 months ago
Long-lived certificates can definitely be a headache, but with the right secrets engine, it can be managed effectively.
upvoted 0 times
...
Daryl
10 months ago
I agree, B) Key/Value secrets engine version 2 with TTL defined is the best option for this use case.
upvoted 0 times
...
...
Paris
10 months ago
Hmm, I was leaning towards C) Cloud KMS, but the key requirement is to use a secrets engine, not a cloud service. B) it is!
upvoted 0 times
...
Kristal
10 months ago
That's a good point, Maira. Option B could provide better control over the lifecycle of the certificates.
upvoted 0 times
...
Maira
10 months ago
I disagree, I believe option B) Key/Value secrets engine version 2 with TTL defined would be more flexible and easier to manage in the long run.
upvoted 0 times
...
Kristal
10 months ago
I think the best option is A) PKI because it is specifically designed for managing X.509 certificates.
upvoted 0 times
...
Royce
10 months ago
I see your point, but I think D) Transit would be the most secure option for removing long lived X.509 certificates.
upvoted 0 times
...
Bong
11 months ago
I disagree, I believe B) Key/Value secrets engine version 2 with TTL defined is the best choice as it allows for expiration of certificates.
upvoted 0 times
...
Bethanie
11 months ago
I think the best option is A) PKI because it deals with certificates.
upvoted 0 times
...
Blair
11 months ago
I was initially drawn to A) PKI, but the question specifically asks for the secrets engine that best supports the use case. B) is the clear winner here.
upvoted 0 times
Silvana
9 months ago
Great, let's go with B) Key/Value secrets engine version 2.
upvoted 0 times
...
Margot
9 months ago
I see your point, B) it is then.
upvoted 0 times
...
Dusti
10 months ago
I agree, B) is definitely the most suitable option for this use case.
upvoted 0 times
...
Marsha
10 months ago
I think B) Key/Value secrets engine version 2, with TTL defined is the best choice.
upvoted 0 times
...
Jesus
10 months ago
I agree, but B) Key/Value secrets engine version 2 with TTL defined is the best choice.
upvoted 0 times
...
Orville
10 months ago
I think A) PKI is a good option.
upvoted 0 times
...
...
Ora
11 months ago
B) Key/Value secrets engine version 2, with TTL defined seems like the best option to support the initiative to reduce long-lived X.509 certificates. The ability to set a TTL aligns with the goal of removing long-lived certificates.
upvoted 0 times
...

Save Cancel