Security
Automation Certification
HashiCorp offers certifications to validate your Security Automation skills with Vault and Consul. There are two levels of Vault exams. Start with the Vault Associate certification, which validates your foundational knowledge of Vault. Continue your journey with the Professional lab-based exam to prove your extensive production experience. For Consul, take the Associate certification to showcase your skills in building, securing, and maintaining Consul.
Vault Associate (002)
The Vault Associate certification is for Cloud Engineers specializing in security, development, or operations who know the basic concepts, skills, and use cases associated with Vault. You understand what Vault Enterprise features exist and can differentiate between Enterprise and Community Edition. You will be best prepared for this exam if you have professional experience using Vault in production, but performing the exam objectives in a personal demo environment may be sufficient.
Vault Associate (002) Details
- Basic terminal skills
- Basic understanding of on premise or cloud architecture
- Basic level of security understanding
| Assessment Type | Multiple choice |
| Format | Online proctored |
| Duration | 1 hour |
| Price | $70.50 USD, plus locally applicable taxes and fees. Free retake not included. |
| Language | English |
| Expiration | 2 years |
| 1 | Compare authentication methods |
|---|---|
| 1a | Describe authentication methods |
| 1b | Choose an authentication method based on use case |
| 1c | Differentiate human vs. system auth methods |
| 2 | Create Vault policies |
|---|---|
| 2a | Illustrate the value of Vault policy |
| 2b | Describe Vault policy syntax: path |
| 2c | Describe Vault policy syntax: capabilities |
| 2d | Craft a Vault policy based on requirements |
| 3 | Assess Vault tokens |
|---|---|
| 3a | Describe Vault token |
| 3b | Differentiate between service and batch tokens. Choose one based on use-case |
| 3c | Describe root token uses and lifecycle |
| 3d | Define token accessors |
| 3e | Explain time-to-live |
| 3f | Explain orphaned tokens |
| 3g | Create tokens based on need |
| 4 | Manage Vault leases |
|---|---|
| 4a | Explain the purpose of a lease ID |
| 4b | Renew leases |
| 4c | Revoke leases |
| 5 | Compare and configure Vault secrets engines |
|---|---|
| 5a | Choose a secret method based on use case |
| 5b | Contrast dynamic secrets vs. static secrets and their use cases |
| 5c | Define transit engine |
| 5d | Define secrets engines |
| 6 | Utilize Vault CLI |
|---|---|
| 6a | Authenticate to Vault |
| 6b | Configure authentication methods |
| 6c | Configure Vault policies |
| 6d | Access Vault secrets |
| 6e | Enable Secret engines |
| 6f | Configure environment variables |
| 7 | Utilize Vault UI |
|---|---|
| 7a | Authenticate to Vault |
| 7b | Configure authentication methods |
| 7c | Configure Vault policies |
| 7d | Access Vault secrets |
| 7e | Enable Secret engines |
| 8 | Be aware of the Vault API |
|---|---|
| 8a | Authenticate to Vault via Curl |
| 8b | Access Vault secrets via Curl |
| 9 | Explain Vault architecture |
|---|---|
| 9a | Describe the encryption of data stored by Vault |
| 9b | Describe cluster strategy |
| 9c | Describe storage backends |
| 9d | Describe the Vault agent |
| 9e | Describe secrets caching |
| 9f | Be aware of identities and groups |
| 9g | Describe Shamir secret sharing and unsealing |
| 9h | Be aware of replication |
| 9i | Describe seal/unseal |
| 9j | Explain response wrapping |
| 9k | Explain the value of short-lived, dynamically generated secrets |
| 10 | Explain encryption as a service |
|---|---|
| 10a | Configure transit secret engine |
| 10b | Encrypt and decrypt secrets |
| 10c | Rotate the encryption key |
Visit the Exam-taker Handbook to learn about the requirements and policies for taking exams.
To renew your Vault Associate certification, you will need to take and pass the Vault Associate or Vault Operations Professional exam.
If you hold an unexpired Vault Associate certification there are two ways to recertify:
- You can take the same Vault Associate exam again starting 18 months after your previous exam date. When you pass the exam, the expiration date on your credentials will be extended.
- You can take the Vault Professional level exam starting 18 months after your previous exam date. When you pass the exam, you will receive a new set of credentials for the Vault Professional certification, and the expiration date will be extended on your Vault Associate credentials.
If you hold an expired Vault Associate certification: You can take the same Vault Associate exam again at any time. When you pass the exam, you will receive a new, second set of credentials with a new expiration date.
Vault Operations Professional
The Vault Operations Professional exam is a lab-based exam for Cloud Engineers focused on deploying, configuring, managing, and monitoring HashiCorp Vault. You are well-qualified to take this exam if you hold the Vault Associate Certification (or equivalent knowledge, have experience operating Vault in production, and can evaluate Vault Enterprise functionality and use cases
Vault Operations Professional Details
We strongly recommend passing the associate-level Vault exam before taking the professional-level exam. Practitioners who are already experienced with Vault operations in a production environment—and understand the concepts covered in the associate exam— may be able to successfully pass the professional-level exam.
- HashiCorp Certified: Vault Associate Certification (recommended)
- Linux skills such as list and edit files via command terminal
- Understanding of IP networking
- Experience with Public Key Infrastructure (PKI), including PGP and TLS
- Information security fundamentals such as network security and RBAC
- Understand the concepts and functionality of infrastructure running in containers including starting and stopping services, and reading logs
| Assessment Type | Lab-based and multiple choice |
| Format | Online proctored |
| Duration | 4 hours; 15-minute break included |
| Price | $295 USD, plus locally applicable taxes and fees. Includes free retake. |
| Language | English |
| Expiration | 2 years |
| 1 | Create a working Vault server configuration given a scenario |
|---|---|
| 1a | Enable and configure secret engines |
| 1b | Practice production hardening |
| 1c | Auto unseal Vault |
| 1d | Implement integrated storage for Community and Enterprise Vault |
| 1e | Enable and configure authentication methods |
| 1f | Practice secure Vault initialization |
| 1g | Regenerate a root token |
| 1h | Rekey Vault and rotate encryption keys |
| 2 | Monitor a Vault environment |
|---|---|
| 2a | Monitor and understand Vault telemetry |
| 2b | Monitor and understand Vault audit logs |
| 2c | Monitor and understand Vault operational logs |
| 3 | Employ the Vault security model |
|---|---|
| 3a | Describe secure introduction of Vault clients |
| 3b | Describe the security implications of running Vault in Kubernetes |
| 4 | Build fault-tolerant Vault environments |
|---|---|
| 4a | Configure a highly available (HA) cluster |
| 4b | [Vault Enterprise] Enable and configure disaster recovery (DR) replication |
| 4c | [Vault Enterprise] Promote a secondary cluster |
| 5 | Understand the hardware security module (HSM) integration |
|---|---|
| 5a | [Vault Enterprise] Describe the benefits of auto unsealing with HSM |
| 5b | [Vault Enterprise] Describe the benefits and use cases of seal wrap (PKCS#11) |
| 6 | Scale Vault for performance |
|---|---|
| 6a | Use batch tokens |
| 6b | [Vault Enterprise] Describe the use cases of performance standby nodes |
| 6c | [Vault Enterprise] Enable and configure performance replication |
| 6d | [Vault Enterprise] Create a paths filter |
| 7 | Configure access control |
|---|---|
| 7a | Interpret Vault identity entities and groups |
| 7b | Write, deploy, and troubleshoot ACL policies |
| 7c | [Vault Enterprise] Understand Sentinel policies |
| 7d | [Vault Enterprise] Define control groups and describe their basic workflow |
| 7e | [Vault Enterprise] Describe and interpret multi-tenancy with namespaces |
| 8 | Configure Vault Agent |
|---|---|
| 8a | Securely configure auto-auth and token sink |
| 8b | Configure templating |
This performance-based exam contains labs that must be completed in a virtual environment, and a shorter multiple-choice section. During the lab scenarios, exam-takers will be tested on performing real-world Vault operational tasks on the command line. The Vault UI and API can also be used where applicable, and exam-takers will have access to the Vault and Vault API documentation.
Visit the Exam-taker Handbook to learn about the requirements and policies for taking exams.
To renew your Vault Professional certification, you will need to take and pass the Vault Professional exam.
If you hold an unexpired Vault Professional certification: You can take the exam again starting 18 months after your previous exam date. When you pass the exam, the expiration date on your credentials will be extended.
If you hold an expired Vault Professional certification: You are eligible to recertify at any time. When you pass the exam again, you will receive a new, separate set of credentials with a new expiration date.
Consul Associate (003)
The Consul Associate Certification is for site reliability engineers (SREs), solutions architects (SAs), DevOps professionals, or other cloud engineers who know the basic concepts and skills to build, secure, and maintain Consul. You understand what Enterprise features exist and can differentiate between Consul Enterprise and Community Edition. You will be best prepared for this exam if you have professional experience using Consul in production, but performing the exam objectives in a personal demo environment may be sufficient.
Consul Associate (003) Details
- Containerization
- Basic terminal skills
- Load balancing architecture
- Distributed systems knowledge
- Basic security practices knowledge
- OSI Model familiarity
- Cloud & Platform awareness (AWS, Google, Azure, Kubernetes, VMs)
| Assessment Type | Multiple choice |
| Format | Online proctored |
| Duration | 1 hour |
| Price | $70.50 USD, plus locally applicable taxes and fees. Free retake not included. |
| Language | English |
| Expiration | 2 years |
| 1 | Understand the pillars of service networking |
|---|---|
| 1a | Understand how Consul discovers, tracks, and monitors the health of services |
| 1b | Explain how Consul secures service to service communication |
| 1c | Summarize how Consul controls access to services at point of entry |
| 1d | Discuss how Consul automates networking tasks |
| 2 | Describe Consul architecture |
|---|---|
| 2a | Identify Consul datacenter components including agents and communication protocols |
| 2b | Review Consul server high availability & scalability options |
| 2c | Differentiate between server agents and data plane components (client agents and Consul Dataplane) |
| 2d | Understand that Consul can run on multiple platforms |
| 3 | Deploy a single datacenter |
|---|---|
| 3a | Configure, bootstrap, and start Consul server agents |
| 3b | Configure and start Consul client agents |
| 3c | Configure and start Consul on Kubernetes |
| 3d | Explain Consul agent join methods and behavior |
| 4 | Register services and use service discovery |
|---|---|
| 4a | Interpret a service registration |
| 4b | Differentiate between service registration methods |
| 4c | Understand service health check configuration options and behaviors |
| 4d | Query Consul's service catalog via CLI, API, UI, and/or DNS, and interpret the results |
| 4e | Interpret & use prepared queries |
| 5 | Use Consul service mesh |
|---|---|
| 5a | Consider high level architecture & key benefits of Consul service mesh |
| 5b | Understand Consul service mesh intentions & when to use them |
| 5c | Apply proxy configuration options within Consul service mesh |
| 6 | Secure agent communication |
|---|---|
| 6a | Understand Consul security/threat model |
| 6b | Differentiate certificate types needed for TLS encryption |
| 6c | Interpret TLS encryption settings & intended use |
| 6d | Configure gossip encryption |
| 7 | Secure services with basic access control lists (ACLs) |
|---|---|
| 7a | Understand Consul ACL system components and usage |
| 7b | Create and configure ACL policies and tokens |
| 7c | Use ACL tokens to communicate securely with Consul services and agents |
| 8 | Secure and connect service mesh applications |
|---|---|
| 8a | Use Consul gateways to securely connect and access services into, out of, and within the service mesh |
| 8b | Understand how to enable communication between multiple Consul datacenters |
| 9 | Monitor Consul |
|---|---|
| 9a | Describe Consul service mesh observability |
| 9b | Review Consul datacenter observability |
| 10 | Operate and maintain Consul |
|---|---|
| 10a | Manage Consul servers |
| 10b | Maintain Consul communications security |
| 10c | Backup and restore Consul cluster state |
| 10d | Understand Consul datacenter troubleshooting options |
Visit the exam appointment rules and requirements page.
To renew any Consul Associate certification, you will need to take and pass the new Consul Associate 003 exam.
If you hold an unexpired Consul Associate 002 certification: You can take the new (003) exam starting 18 months after your previous exam date. When you pass the Consul Associate 003 exam to recertify, you will receive a new, separate set of credentials (badge and corresponding certificate) that will reflect your recertification date. The date of your credentials related to your Consul Associate 002 certification will not be updated.
If you hold an unexpired Consul Associate 003 certification: You can take the new exam starting 18 months after your previous exam date. When you pass the new exam, the expiration date on your credentials will be extended.
If you hold any expired Consul Associate certification: You are eligible to recertify at any time. When you pass the new exam, you will receive a new, separate set of credentials with a new expiration date.
Content Differences Between the 002 and 003 exams
We updated the Consul Associate 003 exam to account for how Condul has grown, and to accommodate future growth. The changes are primarily a reorganization and rewording of the 002 exam objectives. More significant changes are listed below.
| (002) objectives NOT covered in (003) | |
|---|---|
| 4 | Access the Consul key/value (KV) |
| (002) objectives now covered within other objectives in (003) | |
|---|---|
| 1 | Explain Consul Architecture |
| 2 | Deploy a single datacenter |
| 7 | Secure agent communication |
| 9 | Use gossip encryption |
| NEW objectives in (003) | |
|---|---|
| 1c | Summarize how Consul controls access to services at point of entry |
| 1d | Discuss how Consul automates networking tasks |
| 2d | Understand that Consul can run on multiple platforms |
| 3c | Configure and start Consul on Kubernetes |
| 8 | Secure and connect service mesh applications at scale |
| 9 | Monitor Consul |
Stay Informed
Sign up to be notified with updates to the HashiCorp Product Certifications program and to receive news and information about HashiCorp products.