HashiCorp offers certifications to validate your Security Automation skills with Vault and Consul. There are two levels of Vault exams. Start with the Vault Associate certification, which validates your foundational knowledge of Vault. Continue your journey with the Professional lab-based exam to prove your extensive production experience. For Consul, take the Associate certification to showcase your skills in building, securing, and maintaining Consul.
Vault Associate 002 is currently available but will be replaced by Vault Associate 003 in January 2025. Compare the differences between the 002 and 003 exam versions below. The Vault Associate certification is for Cloud Engineers specializing in security, development, or operations who know the basic concepts, skills, and use cases associated with Vault. You understand what Vault Enterprise features exist and can differentiate between Enterprise and Community Edition. You will be best prepared for this exam if you have professional experience using Vault in production, but performing the exam objectives in a personal demo environment may be sufficient.
The Vault Associate 002 exam will be replaced by the Vault Associate 003 exam version in January 2025.
Advanced scheduling is now available for Vault Associate 003.
The new Vault Associate 003 exam accounts for how Vault has evolved since we released the (002) exam version.
Both exams are valid ways to verify your Vault knowledge at the associate level. Either should be accepted as validation of Vault knowledge until the credential's expiration date.
Take (002) if
Take (003) if
Exam updates summary:
New topics covered in (003):
Review the full list of objectives below.
Assessment Type | Multiple choice |
Format | Online proctored |
Duration | 1 hour |
Price | $70.50 USD, plus locally applicable taxes and fees. Free retake not included. |
Language | English |
Expiration | 2 years |
1 | Compare authentication methods |
---|---|
1a | Describe authentication methods |
1b | Choose an authentication method based on use case |
1c | Differentiate human vs. system auth methods |
2 | Create Vault policies |
---|---|
2a | Illustrate the value of Vault policy |
2b | Describe Vault policy syntax: path |
2c | Describe Vault policy syntax: capabilities |
2d | Craft a Vault policy based on requirements |
3 | Assess Vault tokens |
---|---|
3a | Describe Vault token |
3b | Differentiate between service and batch tokens. Choose one based on use-case |
3c | Describe root token uses and lifecycle |
3d | Define token accessors |
3e | Explain time-to-live |
3f | Explain orphaned tokens |
3g | Create tokens based on need |
4 | Manage Vault leases |
---|---|
4a | Explain the purpose of a lease ID |
4b | Renew leases |
4c | Revoke leases |
5 | Compare and configure Vault secrets engines |
---|---|
5a | Choose a secret method based on use case |
5b | Contrast dynamic secrets vs. static secrets and their use cases |
5c | Define transit engine |
5d | Define secrets engines |
6 | Utilize Vault CLI |
---|---|
6a | Authenticate to Vault |
6b | Configure authentication methods |
6c | Configure Vault policies |
6d | Access Vault secrets |
6e | Enable Secret engines |
6f | Configure environment variables |
7 | Utilize Vault UI |
---|---|
7a | Authenticate to Vault |
7b | Configure authentication methods |
7c | Configure Vault policies |
7d | Access Vault secrets |
7e | Enable Secret engines |
8 | Be aware of the Vault API |
---|---|
8a | Authenticate to Vault via Curl |
8b | Access Vault secrets via Curl |
9 | Explain Vault architecture |
---|---|
9a | Describe the encryption of data stored by Vault |
9b | Describe cluster strategy |
9c | Describe storage backends |
9d | Describe the Vault agent |
9e | Describe secrets caching |
9f | Be aware of identities and groups |
9g | Describe Shamir secret sharing and unsealing |
9h | Be aware of replication |
9i | Describe seal/unseal |
9j | Explain response wrapping |
9k | Explain the value of short-lived, dynamically generated secrets |
10 | Explain encryption as a service |
---|---|
10a | Configure transit secret engine |
10b | Encrypt and decrypt secrets |
10c | Rotate the encryption key |
Review the rules and policies for taking HashiCorp certification exams.
Unexpired Vault Associate 002 or 003 credentials:
When you pass the Vault Operations Professional exam, you will receive the professional-level credentials (badge and corresponding certificate). You will also extend the expiration of your Vault Associate 002 or 003 credentials.
Unexpired Vault Associate 002 credential:
Unexpired Vault Associate 003 credential:
Learn more about recertification in our Knowledgebase.
Vault Associate 003 is a new version of the Vault Associate exam. Compare the differences between the 002 and 003 exam versions below. The Vault Associate 003 is for Cloud Engineers specializing in security, development, or operations who know the basic concepts, skills, and use cases associated with Vault. You will be best prepared for this exam if you have professional experience using Vault in production, but performing the exam objectives in a personal demo environment may be sufficient.
The Vault Associate 002 exam will be replaced by the Vault Associate 003 exam version in January 2025.
Advanced scheduling is now available for Vault Associate 003.
The new Vault Associate 003 exam accounts for how Vault has evolved since we released the (002) exam version.
Both exams are valid ways to verify your Vault knowledge at the associate level. Either should be accepted as validation of Vault knowledge until the credential's expiration date.
Take (002) if
Take (003) if
Exam updates summary:
New topics covered in (003):
Review the full list of objectives below.
Assessment Type | Multiple choice |
Format | Online proctored |
Duration | 1 hour |
Price | $70.50 USD, plus locally applicable taxes and fees. Free retake not included. |
Language | English |
Expiration | 2 years |
1 | Authentication methods |
1a | Define the purpose of authentication methods |
1b | Choose an authentication method based on use case |
1c | Explain the difference between human vs. system authentication methods |
1d | Define the purpose of identities and groups |
1e | Authenticate to Vault using the API, CLI, and UI |
1f | Configure authentication methods using the API, CLI, and UI |
2 | Vault policies |
2a | Explain the value of Vault policies |
2b | Describe Vault policy syntax: path |
2c | Describe Vault policy syntax: capabilities |
2d | Choose a Vault policy based on requirements |
2e | Configure Vault policies using the UI and CLI |
3 | Vault tokens |
3a | Choose between service and batch tokens based on use case |
3b | Describe root token uses and lifecycle |
3c | Explain the purpose of token accessors |
3d | Explain the impact of time-to-live |
3e | Explain orphaned tokens |
3f | Describe how to create tokens based on need |
4 | Vault leases |
4a | Explain the purpose of a lease ID |
4b | Describe how to renew leases |
4c | Describe how to revoke leases |
5 | Secrets engines |
5a | Choose a secrets engine based on use case |
5b | Compare and contrast dynamic secrets vs. static secrets, and know their use cases |
5c | Describe the uses of transit secrets engine |
5d | Describe the purpose of secrets engines |
5e | Describe the use of response wrapping |
5f | Explain the value of short-lived, dynamically generated secrets |
5g | Enable secrets engines using the CLI and UI |
5h | Access Vault secrets using the CLI, API, and UI |
6 | Encryption as a service |
6a | Encrypt and decrypt secrets |
6b | Rotate the encryption key |
7 | Vault deployment architecture |
7a | Describe how Vault encrypts data |
7b | Explain how to seal and unseal Vault |
7c | Configure environment variables |
8 | Vault deployment architecture |
8a | Explain cluster strategy for self-managed and HashiCorp-managed Vault clusters |
8b | Explain the uses of storage backends |
8c | Explain the uses of Shamir secret sharing and unsealing |
8d | Explain the uses of disaster recovery and performance replication |
8e | Differentiate between self-managed and HashiCorp-managed Vault clusters |
9 | Access management architecture |
9a | Describe the Vault Agent |
9b | Describe the Vault Secrets Operator |
Review the rules and policies for taking HashiCorp certification exams.
Unexpired Vault Associate 002 or 003 credentials:
When you pass the Vault Operations Professional exam, you will receive the professional-level credentials (badge and corresponding certificate). You will also extend the expiration of your Vault Associate 002 or 003 credentials.
Unexpired Vault Associate 002 credential:
Unexpired Vault Associate 003 credential:
Learn more about recertification in our Knowledgebase.
The Vault Operations Professional certification is a lab-based exam for Cloud Engineers focused on deploying, configuring, managing, and monitoring HashiCorp Vault. You are well-qualified to take this exam if you hold the Vault Associate Certification (or equivalent knowledge), have experience operating Vault in production, and can evaluate Vault Enterprise functionality and use cases.
We strongly recommend passing the associate-level Vault exam before taking the professional-level exam. Practitioners who are already experienced with Vault operations in a production environment—and understand the concepts covered in the associate exam— may be able to successfully pass the professional-level exam.
Assessment Type | Lab-based and multiple choice |
Format | Online proctored |
Duration | 4 hours; 15-minute break included |
Price | $295 USD, plus locally applicable taxes and fees. Includes free retake. |
Language | English |
Expiration | 2 years |
1 | Create a working Vault server configuration given a scenario |
---|---|
1a | Enable and configure secret engines |
1b | Practice production hardening |
1c | Auto unseal Vault |
1d | Implement integrated storage for Community and Enterprise Vault |
1e | Enable and configure authentication methods |
1f | Practice secure Vault initialization |
1g | Regenerate a root token |
1h | Rekey Vault and rotate encryption keys |
2 | Monitor a Vault environment |
---|---|
2a | Monitor and understand Vault telemetry |
2b | Monitor and understand Vault audit logs |
2c | Monitor and understand Vault operational logs |
3 | Employ the Vault security model |
---|---|
3a | Describe secure introduction of Vault clients |
3b | Describe the security implications of running Vault in Kubernetes |
4 | Build fault-tolerant Vault environments |
---|---|
4a | Configure a highly available (HA) cluster |
4b | [Vault Enterprise] Enable and configure disaster recovery (DR) replication |
4c | [Vault Enterprise] Promote a secondary cluster |
5 | Understand the hardware security module (HSM) integration |
---|---|
5a | [Vault Enterprise] Describe the benefits of auto unsealing with HSM |
5b | [Vault Enterprise] Describe the benefits and use cases of seal wrap (PKCS#11) |
6 | Scale Vault for performance |
---|---|
6a | Use batch tokens |
6b | [Vault Enterprise] Describe the use cases of performance standby nodes |
6c | [Vault Enterprise] Enable and configure performance replication |
6d | [Vault Enterprise] Create a paths filter |
7 | Configure access control |
---|---|
7a | Interpret Vault identity entities and groups |
7b | Write, deploy, and troubleshoot ACL policies |
7c | [Vault Enterprise] Understand Sentinel policies |
7d | [Vault Enterprise] Define control groups and describe their basic workflow |
7e | [Vault Enterprise] Describe and interpret multi-tenancy with namespaces |
8 | Configure Vault Agent |
---|---|
8a | Securely configure auto-auth and token sink |
8b | Configure templating |
This performance-based exam contains labs that must be completed in a virtual environment, and a shorter multiple-choice section. During the lab scenarios, exam-takers will be tested on performing real-world Vault operational tasks on the command line. The Vault UI and API can also be used where applicable, and exam-takers will have access to the Vault and Vault API documentation.
Review the requirements and policies for taking exams.
To renew your Vault Professional certification, you will need to take and pass the Vault Professional exam.
If you hold an unexpired Vault Professional certification: You can take the exam again starting 18 months after your previous exam date. When you pass the exam, the expiration date on your credentials will be extended.
If you hold an expired Vault Professional certification: You are eligible to recertify at any time. When you pass the exam again, you will receive a new, separate set of credentials with a new expiration date.
The Consul Associate certification is for site reliability engineers (SREs), solutions architects (SAs), DevOps professionals, or other cloud engineers who know the basic concepts and skills to build, secure, and maintain Consul. You understand what Enterprise features exist and can differentiate between Consul Enterprise and Community Edition. You will be best prepared for this exam if you have professional experience using Consul in production, but performing the exam objectives in a personal demo environment may be sufficient.
Assessment Type | Multiple choice |
Format | Online proctored |
Duration | 1 hour |
Price | $70.50 USD, plus locally applicable taxes and fees. Free retake not included. |
Language | English |
Expiration | 2 years |
1 | Understand the pillars of service networking |
---|---|
1a | Understand how Consul discovers, tracks, and monitors the health of services |
1b | Explain how Consul secures service to service communication |
1c | Summarize how Consul controls access to services at point of entry |
1d | Discuss how Consul automates networking tasks |
2 | Describe Consul architecture |
---|---|
2a | Identify Consul datacenter components including agents and communication protocols |
2b | Review Consul server high availability & scalability options |
2c | Differentiate between server agents and data plane components (client agents and Consul Dataplane) |
2d | Understand that Consul can run on multiple platforms |
3 | Deploy a single datacenter |
---|---|
3a | Configure, bootstrap, and start Consul server agents |
3b | Configure and start Consul client agents |
3c | Configure and start Consul on Kubernetes |
3d | Explain Consul agent join methods and behavior |
4 | Register services and use service discovery |
---|---|
4a | Interpret a service registration |
4b | Differentiate between service registration methods |
4c | Understand service health check configuration options and behaviors |
4d | Query Consul's service catalog via CLI, API, UI, and/or DNS, and interpret the results |
4e | Interpret & use prepared queries |
5 | Use Consul service mesh |
---|---|
5a | Consider high level architecture & key benefits of Consul service mesh |
5b | Understand Consul service mesh intentions & when to use them |
5c | Apply proxy configuration options within Consul service mesh |
6 | Secure agent communication |
---|---|
6a | Understand Consul security/threat model |
6b | Differentiate certificate types needed for TLS encryption |
6c | Interpret TLS encryption settings & intended use |
6d | Configure gossip encryption |
7 | Secure services with basic access control lists (ACLs) |
---|---|
7a | Understand Consul ACL system components and usage |
7b | Create and configure ACL policies and tokens |
7c | Use ACL tokens to communicate securely with Consul services and agents |
8 | Secure and connect service mesh applications |
---|---|
8a | Use Consul gateways to securely connect and access services into, out of, and within the service mesh |
8b | Understand how to enable communication between multiple Consul datacenters |
9 | Monitor Consul |
---|---|
9a | Describe Consul service mesh observability |
9b | Review Consul datacenter observability |
10 | Operate and maintain Consul |
---|---|
10a | Manage Consul servers |
10b | Maintain Consul communications security |
10c | Backup and restore Consul cluster state |
10d | Understand Consul datacenter troubleshooting options |
Visit the exam appointment rules and requirements page.
To renew any Consul Associate certification, you will need to take and pass the new Consul Associate 003 exam.
If you hold an unexpired Consul Associate 002 certification: You can take the new (003) exam starting 18 months after your previous exam date. When you pass the Consul Associate 003 exam to recertify, you will receive a new, separate set of credentials (badge and corresponding certificate) that will reflect your recertification date. The date of your credentials related to your Consul Associate 002 certification will not be updated.
If you hold an unexpired Consul Associate 003 certification: You can take the new exam starting 18 months after your previous exam date. When you pass the new exam, the expiration date on your credentials will be extended.
If you hold any expired Consul Associate certification: You are eligible to recertify at any time. When you pass the new exam, you will receive a new, separate set of credentials with a new expiration date.
We updated the Consul Associate 003 exam to account for how Condul has grown, and to accommodate future growth. The changes are primarily a reorganization and rewording of the 002 exam objectives. More significant changes are listed below.
(002) objectives NOT covered in (003) | |
---|---|
4 | Access the Consul key/value (KV) |
(002) objectives now covered within other objectives in (003) | |
---|---|
1 | Explain Consul Architecture |
2 | Deploy a single datacenter |
7 | Secure agent communication |
9 | Use gossip encryption |
NEW objectives in (003) | |
---|---|
1c | Summarize how Consul controls access to services at point of entry |
1d | Discuss how Consul automates networking tasks |
2d | Understand that Consul can run on multiple platforms |
3c | Configure and start Consul on Kubernetes |
8 | Secure and connect service mesh applications at scale |
9 | Monitor Consul |
Sign up to be notified with updates to the HashiCorp Product Certifications program and to receive news and information about HashiCorp products.