Which module helps Vault orchestrate certificate issuance?

The correct answer is the PKI (Public Key Infrastructure) module, as it is specifically designed to manage and orchestrate the issuance of certificates within HashiCorp Vault. The PKI engine allows users to generate, sign, and manage digital certificates, making it essential for applications that require secure and authenticated communication.

When a user requests a certificate, the PKI module processes the request, checks permissions, and generates a certificate signed by a trusted root certificate. This is vital for establishing secure connections in various use cases, such as securing web services using HTTPS or establishing trust in a network through mutual TLS.

The focus of the PKI module on certificate management distinguishes it from the other modules. Token Management, for instance, deals with the creation and revocation of access tokens, while Access Control Lists (ACLs) govern permissions and access to secrets. The Data Encryption module focuses on encrypting and decrypting data rather than managing certificates. Thus, the PKI module is the appropriate choice for certificate issuance orchestration.