< ciso
brief />
Tag Banner

All news with #certificate management tag

29 articles

AWS Certificate Manager adds managed ACME endpoints

🛡️ AWS Certificate Manager (ACM) now offers a fully managed ACME server endpoint that issues public TLS certificates with 45-day validity from Amazon Trust Services, compatible with any ACMEv2 client such as Certbot, cert-manager, and acme.sh. PKI teams can create managed ACME endpoints with domain scopes, wildcard controls, and delegated issuance without sharing DNS credentials. Domain validation is performed once at the endpoint level, and issuance and renewal activities are auditable via the ACM console, AWS CloudTrail, and Amazon CloudWatch. ACME support is available in all commercial AWS Regions; see ACM pricing and documentation for details.
read more →

Governing the growing ghost workforce risk

🛡️ Enterprises are facing an invisible workforce: non-human identities (bots, service accounts, API keys, tokens, certificates) that now often outnumber humans. These ghost identities authenticate constantly across environments and, when unmanaged, accumulate privileges and risks. The industry has seen incidents where forgotten or third-party machine identities enabled widespread breaches, and a looming 2026 certificate-expiration wave threatens cascading outages. Organisations must prioritise governance—discovering NHIs, assigning ownership, auditing privileges, and addressing imminent certificate expirations—before tool selection.
read more →

AWS launches Workload Credentials Provider for certs

🔒 AWS announced the AWS Workload Credentials Provider, a lightweight client-side tool that automates export and deployment of certificates from AWS Certificate Manager and local caching of secrets from AWS Secrets Manager. It removes the need for custom EventBridge-based automation for certificate renewals, supports Windows and Linux, and works with Apache and NGINX. The provider is open source and compatible with Secrets Manager Agent functionality.
read more →

CloudFront Adds OCSP Revocation Checking for mTLS Support

🔐 Amazon CloudFront now supports Online Certificate Status Protocol (OCSP) for viewer mutual TLS (mTLS), allowing real-time validation of client certificate revocation during connection establishment. Previously, revocation was handled via CloudFront Functions and KeyValueStore with static lists. CloudFront now queries the OCSP responder embedded in certificates and caches responses up to 30 minutes. The OCSP result is exposed to connection functions for custom logic.
read more →

Amazon CloudFront Adds mTLS Passthrough Mode for Origins

🔐Amazon CloudFront now supports passthrough mode for viewer mutual TLS (mTLS), enabling customers to forward client certificate chains directly to their origin for validation instead of requiring CloudFront to perform certificate verification. In passthrough mode CloudFront forwards every request and the full client certificate chain to the origin and does not cache responses, ensuring end-to-end authentication is enforced by the origin. Connection functions remain available so you can inspect or transform connection-level data before it reaches your origin. CloudFront mutual TLS (viewer) passthrough is available at no additional cost.
read more →

Amazon CloudFront Supports OCSP Revocation for mTLS

🔐 Amazon CloudFront now supports OCSP revocation checking for viewer mTLS, allowing real‑time validation of client certificate revocation during connection establishment. Previously, customers relied on static revocation lists implemented with CloudFront Functions and KeyValueStore. CloudFront queries the responder URL in the certificate, caches OCSP responses for up to 30 minutes, and exposes the OCSP result in the connection function so customers can apply custom logic such as grace periods, IP exceptions, or combined revocation strategies. This feature is available at no additional cost.
read more →

AWS IoT Core Adds Custom Domains for GovCloud (US)

🔒 AWS announced that AWS IoT Core now supports customer managed domains in the AWS GovCloud (US) Regions. Customer managed domains let you configure custom domain names, use server certificates stored in AWS Certificate Manager, attach custom authorizers, and create multiple data endpoints. This provides stable TLS behavior and simplifies migration of existing devices without changing device credentials or CA certificates.
read more →

AWS Certificate Manager adds console certificate search

🔍 AWS Certificate Manager (ACM) now provides a console search bar and a new SearchCertificates API to locate certificates by domain name, certificate ARN, or validity range. Administrators managing large certificate inventories can combine parameters to quickly find certificates that are expiring soon or match specific criteria. The capability supports both ad hoc console queries and scripted automation via the API. This feature is available in Public AWS, AWS China, and AWS GovCloud regions.
read more →

AWS Private CA Now Publishes CloudWatch Utilization Metrics

🔔 AWS announced that AWS Private Certificate Authority (AWS Private CA) now publishes CA utilization metrics to Amazon CloudWatch, providing visibility into certificate issuance counts and the number of CAs per Region. The metrics track certificates issued by each CA and total CAs in a Region, enabling CloudWatch alarms and automation to replace or transition CAs approaching quota limits. This capability helps prevent quota-related service disruptions for services such as Amazon EKS, Amazon ECS Service Connect, and Amazon WorkSpaces.
read more →

Cryptographic Reset: Operational Shifts in Trust Now

🔐 The cryptographic foundation of the internet is undergoing a rapid operational reset driven by shorter certificate lifecycles and the transition to quantum-resistant algorithms. The CA/Browser Forum reduced public TLS validity to 200 days on March 15, 2026, with further reductions planned to 100 days in 2027 and 47 days by 2029, dramatically increasing renewal velocity. Manual certificate processes and spreadsheets will not scale; organizations need network-native discovery, continuous certificate visibility, and fully automated lifecycle management. Palo Alto Networks' Next-Generation Trust Security brings certificate lifecycle controls into the network to automate discovery, renewal, deployment and governance.
read more →

AWS Private CA SCEP Connector Adds AWS PrivateLink

🔒 AWS Private CA Connector for SCEP now supports AWS PrivateLink, enabling clients within an Amazon VPC to request certificates without traversing the public internet. The managed AWS Private CA Connector for SCEP uses SCEP to automate certificate enrollment and renewal for mobile, network, and IoT devices. PrivateLink removes the need for internet gateways, NAT devices, or VPNs while keeping traffic on the AWS network.
read more →

Cloudflare Radar: origin PQ, Key Transparency, ASPA

🔐 Cloudflare Radar is adding three security-focused datasets and tools: origin-facing post-quantum (PQ) monitoring, a Key Transparency dashboard for E2EE messaging logs, and enhanced RPKI ASPA adoption tracking. The origin feature reports support for X25519MLKEM768 using an automated TLS scanner and provides an on-demand hostname tester that performs real TLS handshakes via Cloudflare Containers. Key Transparency publishes auditor verification status and APIs for independent proof checks, while routing pages gain global, country, and per-AS ASPA views together with API access for integrations.
read more →

ASPA Deployment and Roadmap for More Secure Routing

🔒 ASPA (Autonomous System Provider Authorization) introduces cryptographic path validation to reduce route leaks by allowing networks to publish signed lists of authorized upstream providers in RPKI. Unlike ROAs, which verify prefix origins, ASPA validates the AS_PATH and detects routing "valleys" that indicate leaks. Cloudflare Radar now tracks ASPA adoption across RIRs and provides per‑AS visibility so operators can see whether observed upstreams are ASPA‑authorized and monitor changes over time.
read more →

AWS Certificate Manager shortens public certificate validity

🔒 AWS Certificate Manager (ACM) now issues public certificates with a 198-day maximum validity, replacing the prior 395-day default to comply with the CA/Browser Forum’s 200-day mandate effective 15 March 2026. No customer action is required: new and renewed public certificates default to 198 days while existing longer-lived certificates remain valid until renewal or expiry. ACM continues to auto-renew certificates (now 45 days before expiry); existing longer-term certificates will renew 60 days before expiry and convert to the 198-day term. AWS also reduced prices for exportable public certificates to reflect the shorter validity.
read more →

Amazon MQ Adds mTLS Certificate Authentication for RabbitMQ

🔐 Amazon MQ now supports certificate-based authentication for RabbitMQ brokers using mutual TLS (mTLS). The new capability lets brokers running RabbitMQ 4.2 and later use the auth_mechanism_ssl plugin, configured via the broker's configuration file. To enable it, create a new RabbitMQ 4.2 broker (M7g instance type) and update the configuration; the feature is available in all regions where Amazon MQ RabbitMQ 4 instances are offered.
read more →

Logitech Options+ and G HUB Fail on macOS After Cert Expiry

⚠️Logitech's Options+ and G HUB apps on macOS stopped launching after their code-signing certificate expired, preventing users from accessing custom gestures, button mappings, lighting presets, and other saved settings. Logitech acknowledged the outage on its support portal and said it will push a new macOS installer that preserves user profiles without changing the visible app version. Community-proposed workarounds include rolling the system date back, installing older builds, or blocking network access, but these are unverified and may have trade-offs. Until an official update is released, users are advised not to delete configuration files to avoid losing customizations.
read more →

AWS Private CA Adds OCSP in China and GovCloud Regions

🔒 AWS Private CA now supports OCSP in China (Beijing, Ningxia) and AWS GovCloud (US-East, US-West) Regions. The managed OCSP responder enables real-time, per-certificate revocation checks that typically use only a few hundred bytes per query instead of downloading large Certificate Revocation Lists (CRLs), reducing bandwidth and latency. Enable OCSP through the console, AWS CLI, or API; the responder is highly available and fully managed, removing the need to operate OCSP servers, and pricing details are available in the service documentation.
read more →

ACM automates certificate lifecycle for Kubernetes workloads

🔐 AWS Certificate Manager (ACM) now automates provisioning and distribution of exportable public and private certificates directly to Kubernetes workloads via AWS Controllers for Kubernetes (ACK). The ACK controller handles the complete lifecycle — certificate request, validation, export, Kubernetes Secret creation, and automatic renewal updates. This removes the need to export certificates and rotate Secrets manually for pods, service meshes, and third-party ingress controllers. The feature supports Amazon EKS and hybrid or edge Kubernetes environments and is available in commercial, GovCloud (US), and China regions where ACM is offered.
read more →

HTTPS Certificate Industry Phases Out Weak Domain Checks

🔒 The Chrome Root Program and the CA/Browser Forum have adopted new requirements (Ballots SC-080, SC-090, and SC-091) to phase out 11 legacy Domain Control Validation methods. These deprecated checks — including email, fax, SMS, postal mail, phone-based contacts, and reverse lookup methods — are being retired to reduce the risk of fraudulent certificate issuance. The policies update the TLS Baseline Requirements and encourage stronger, automated, cryptographically verifiable methods such as ACME, with full security value realized by March 2028 while operators transition.
read more →

Johnson Controls iSTAR TLS Certificate Expiration Issue

🔒 Johnson Controls reported an improper validation of certificate expiration in iSTAR access control panels that can prevent devices from re-establishing communication when the default certificate expires. The flaw, tracked as CVE-2025-61736, carries a CVSS v4 base score of 7.1 and a CVSS v3.1 score of 6.5. Affected units are those running versions prior to TLS 1.2. Recommended mitigations include deploying host-based certificates, migrating clusters to TLS 1.3 (requires firmware/C•CURE updates), or upgrading legacy panels to G2 hardware.
read more →