All news with #aws private ca tag

Transfer Data Across AWS Partitions with Roles Anywhere

🔐 AWS outlines replacing cross-partition IAM user keys with IAM Roles Anywhere to securely transfer data between AWS partitions. The post explains partition isolation (Commercial, GovCloud, China), why long-lived access keys are discouraged, and how IAM Roles Anywhere uses X.509 certificates and temporary credentials. It also covers using an external CA or AWS Private CA to issue and manage certificates for workloads.

Updating CRLs Privately with AWS Private CA and VPC Delivery

🔒 This AWS Security post explains two approaches to make certificate revocation lists (CRLs) available only to internal systems without exposing the S3 CRL bucket to the public internet. The first approach relocates CRLs by using a custom CDP CNAME and an EventBridge‑triggered Lambda that copies generated CRLs from the ACM Private CA S3 bucket to an internal store, with SNS notifications and example Python code. The second approach confines CRL retrieval inside AWS by using a VPC Gateway S3 endpoint, tightly scoped S3 bucket policies, and private Route 53 DNS so CRLs are resolvable and retrievable only from within the VPC.

AWS Adds ML-DSA Post-Quantum Code Signing to Private CA

🔐 AWS announced support for post-quantum ML-DSA code signing in AWS Private CA, integrated with AWS KMS. The integration lets customers create ML-DSA X.509 certificate chains and generate KMS-held ML-DSA key pairs to sign binaries, enabling quantum-resistant code-signing, device authentication, and private-PKI workflows such as mTLS or IKEv2/IPsec. A provided Java Runner demonstrates CA creation, CSR issuance, CMS detached signing with SHAKE256, and signature verification against customer-managed roots.

AWS Private CA Adds ML-DSA Post-Quantum Certificates

🔐 AWS Private CA now supports the post-quantum digital signature algorithm ML-DSA (NIST FIPS 204), enabling organizations to create CAs and issue certificates designed to resist quantum attacks. The feature lets you test certificate issuance, identity verification, and code signing using ML-DSA, and supports CRLs and OCSP responders. Availability spans all commercial AWS Regions, AWS GovCloud (US), and China Regions to help teams begin transitioning PKI toward post-quantum cryptography.

AWS Managed Microsoft AD Adds LDAPS and Smart Card CA

🔐 AWS Managed Microsoft AD now supports certificate auto-enrollment for LDAPS and Smart Card authentication by integrating with AWS Private CA through the AWS Private CA Connector for AD. The integration automates issuance, renewal, and lifecycle management of domain controller certificates, removing the need to maintain CA infrastructure on Amazon EC2. This capability is available in all Regions offering the connector and can be configured via the console or API.