HashiCorp Certified: Vault Associate (002) — Question 26

Your organization has an initiative to reduce and ultimately remove the use of long lived X.509 certificates. Which secrets engine will best support this use case?

Answer options

• A. PKI
• B. Key/Value secrets engine version 2, with TTL defined
• C. Cloud KMS
• D. Transit

Correct answer: A

Explanation

The PKI secrets engine is specifically designed to manage dynamic X.509 certificates, making it the ideal choice for this initiative. Other options like Key/Value secrets engine and Transit do not inherently support certificate lifecycle management, while Cloud KMS focuses more on key management rather than certificate issuance.