A security team is hardening a Consul datacenter and must ensure that no client certificate can be used to impersonate a server. Beyond setting verify_server_hostname = true, which additional TLS configuration must be set so that clients verify the server certificate against the cluster CA?
ca_file must point to the CA certificate and verify_outgoing = trueencrypt needs to be set for full TLS securityauto_encrypt.allow_tls = true is sufficient on its ownverify_incoming = true must be set on all client agentsMore Secure agent communication Questions
24 questions
Full HashiCorp Certified: Consul Associate (003) Practice Test
All topics covered
All HashiCorp Certified: Consul Associate (003) Questions
Browse by topic
Related Questions
Which Consul CLI command generates a new gossip encryption key that can be used in the agent configu...
A Consul cluster is configured with gossip encryption. A new agent is being added to the datacenter....
A Consul operator configures TLS with `verify_server_hostname = true` in the agent configuration. Wh...
An operator wants to rotate the gossip encryption key in a running Consul datacenter without causing...
A security engineer discovers that a Consul agent is communicating with the rest of the cluster usin...
Educational Content — CertQnA practice questions are written against official exam objectives, covering the same domains tested on the real exam. All content is original and independent — not actual exam questions, not affiliated with any certification vendor. Learn more about our content policy
Discussion
Be the first to share your understanding of this concept
Sign in to join the discussion