HCVA0-003 Practice Questions

Comprehensive and Detailed in Depth Explanation:

A: Dev mode is faster to deploy; incorrect.

B: Production uses persistent storage vs. dev’s in-memory. Correct.

C: Auth methods work in both modes. Incorrect.

D: Production enables TLS; dev uses plaintext. Correct.

Overall Explanation from Vault Docs:

“Dev server mode stores data in memory… Production mode supports persistent storage and TLS encryption.”

Comprehensive and Detailed in Depth Explanation:

The PKI secrets engine in Vault generates dynamic X.509 certificates, acting as a certificate authority (CA) to streamline certificate management. Let’s assess each option based on its documented benefits:

Option A: TTLs on Vault certs are longer to ensure certificates are valid for a longer period of time This is misleading. Vault’s PKI engine allows configurable TTLs, but the recommendation is for short TTLs (e.g., hours or days) to reduce the need for revocation and enhance security. Long TTLs increase exposure if a certificate is compromised, requiring revocation and larger Certificate Revocation Lists (CRLs). The engine’s benefit isn’t longer validity—it’s flexibility and automation, not extended lifetimes. Incorrect. Vault Docs Insight: “By keeping TTLs relatively short, revocations are less likely… helping scale to large workloads.” (Short TTLs are preferred.)

Option B: Reducing, or eliminating certificate revocations A key advantage of the PKI engine is issuing short-lived certificates. With short TTLs (e.g., 24h), certificates expire naturally before revocation is needed, minimizing CRL maintenance. For example, an app can fetch a new cert daily, reducing revocation events compared to traditional multi-year certs. This aligns with Vault’s ephemeral certificate model. Correct. Vault Docs Insight: “By keeping TTLs relatively short, revocations are less likely to be needed, keeping CRLs short…” (Direct benefit.)

Option C: Reduces time to get a certificate by eliminating the need to generate a private key and CSR Traditionally, obtaining a certificate involves generating a private key, creating a Certificate Signing Request (CSR), and submitting it to a CA—a manual, time-consuming process. The PKI engine automates this: vault write pki/issue/my-role common_name=app.example.com instantly generates a private key and signed certificate. This eliminates manual steps, speeding up issuance significantly. Correct. Vault Docs Insight: “Services can get certificates without… generating a private key and CSR, submitting to a CA, and waiting…” (Automation reduces time.)

Option D: Vault can act as an intermediate CA The PKI engine can be configured as an intermediate CA, signed by a root CA (internal or external). For example, vault write pki/intermediate/generate/internal common_name= " Intermediate CA " creates an intermediate, which can issue certificates under a trust chain. This supports hierarchical PKI setups, a major feature. Correct. Vault Docs Insight: “The PKI secrets engine can act as an intermediate CA… issuing certificates on behalf of a root C

A.  

” (Explicit capability.)

Detailed Mechanics:

The PKI engine operates at paths like pki/ (root) or pki_int/ (intermediate). Roles (e.g., my-role) define parameters like TTL and allowed domains. Issuing a cert (vault write pki/issue/my-role…) returns a JSON payload with certificate, private_key, and issuing_ca. Short TTLs leverage Vault’s lease system, auto-revoking certs on expiry. As an intermediate CA, it signs certificates with its key, validated against a root, enhancing trust management.

Real-World Example:

An app needs a cert: vault write pki/issue/web common_name=web.example.com ttl=24h. Vault returns a cert and key instantly, valid for 24 hours. No CSR, no revocation needed—expires tomorrow. Another PKI mount at pki_int/ issues certs under a corporate root C

A.  

Overall Explanation from Vault Docs:

“The PKI secrets engine generates dynamic X.509 certificates… Services can get certificates without the usual manual process… By keeping TTLs short, revocations are less likely… Vault can act as an intermediate CA, issuing certificates efficiently.” These benefits—automation, reduced revocation, and CA flexibility—define its value.

Comprehensive and Detailed in Depth Explanation:

Token renewal extends a token’s TTL. Let’s evaluate:

A: TTL - Defines expiration time, not used for renewal. Incorrect.

B: Token ID - The token’s unique identifier; can be specified to renew it (e.g., vault token renew < token-id > ). Correct.

C: Identity policy - Relates to access control, not renewal. Incorrect.

D: Token accessor - A unique identifier for operations like renewal without exposing the token (e.g., vault token renew -accessor < accessor > ). Correct.

Overall Explanation from Vault Docs:

“Tokens can be renewed with vault token renew using either the token ID or accessor… TTL is not an attribute for renewal.”