
VAULT-ASSOCIATE-002 Question #30: Real Exam Question with Answer & Explanation

The correct answer is B: PKI.

Submitted by paula_co · Apr 18, 2026 · Understand Vault Concepts

Question

Which Vault secret engine may be used to build your own internal certificate authority?

Options

  • A. Transit
  • B. PKI
  • C. PostgreSQL
  • D. Generic

Explanation

The PKI (Public Key Infrastructure) secrets engine in Vault is specifically designed to function as a certificate authority, capable of generating, signing, and revoking X.509 certificates.

Common mistakes.

  • A. The Transit secrets engine is used for cryptographic functions like encryption, decryption, and signing of arbitrary data, but it does not manage X.509 certificates or function as a CA.
  • C. The PostgreSQL secrets engine dynamically generates database credentials for PostgreSQL databases, not X.509 certificates.
  • D. The Generic secrets engine (KV secrets engine) is for storing arbitrary static secrets; it does not have the built-in functionality to operate as a CA.

Concept tested. Vault PKI secrets engine purpose

Reference. https://developer.hashicorp.com/vault/docs/secrets/pki

Topics

#Secret Engines #PKI Secret Engine #Certificate Authority
