< ciso brief />

All news with #certificate management tag

26 articles

CloudFront Adds OCSP Revocation Checking for mTLS Support

๐Ÿ” Amazon CloudFront now supports Online Certificate Status Protocol (OCSP) for viewer mutual TLS (mTLS), allowing real-time validation of client certificate revocation during connection establishment. Previously, revocation was handled via CloudFront Functions and KeyValueStore with static lists. CloudFront now queries the OCSP responder embedded in certificates and caches responses up to 30 minutes. The OCSP result is exposed to connection functions for custom logic.
read more โ†’

Amazon CloudFront Adds mTLS Passthrough Mode for Origins

๐Ÿ”Amazon CloudFront now supports passthrough mode for viewer mutual TLS (mTLS), enabling customers to forward client certificate chains directly to their origin for validation instead of requiring CloudFront to perform certificate verification. In passthrough mode CloudFront forwards every request and the full client certificate chain to the origin and does not cache responses, ensuring end-to-end authentication is enforced by the origin. Connection functions remain available so you can inspect or transform connection-level data before it reaches your origin. CloudFront mutual TLS (viewer) passthrough is available at no additional cost.
read more โ†’

Amazon CloudFront Supports OCSP Revocation for mTLS

๐Ÿ” Amazon CloudFront now supports OCSP revocation checking for viewer mTLS, allowing realโ€‘time validation of client certificate revocation during connection establishment. Previously, customers relied on static revocation lists implemented with CloudFront Functions and KeyValueStore. CloudFront queries the responder URL in the certificate, caches OCSP responses for up to 30 minutes, and exposes the OCSP result in the connection function so customers can apply custom logic such as grace periods, IP exceptions, or combined revocation strategies. This feature is available at no additional cost.
read more โ†’

AWS IoT Core Adds Custom Domains for GovCloud (US)

🔒 AWS announced that AWS IoT Core now supports customer managed domains in the AWS GovCloud (US) Regions. Customer managed domains let you configure custom domain names, use server certificates stored in AWS Certificate Manager, attach custom authorizers, and create multiple data endpoints. This provides stable TLS behavior and simplifies migration of existing devices without changing device credentials or CA certificates.

AWS Certificate Manager adds console certificate search

๐Ÿ” AWS Certificate Manager (ACM) now provides a console search bar and a new SearchCertificates API to locate certificates by domain name, certificate ARN, or validity range. Administrators managing large certificate inventories can combine parameters to quickly find certificates that are expiring soon or match specific criteria. The capability supports both ad hoc console queries and scripted automation via the API. This feature is available in Public AWS, AWS China, and AWS GovCloud regions.
read more โ†’

AWS Private CA Now Publishes CloudWatch Utilization Metrics

🔔 AWS announced that AWS Private Certificate Authority (AWS Private CA) now publishes CA utilization metrics to Amazon CloudWatch, providing visibility into certificate issuance counts and the number of CAs per Region. The metrics track certificates issued by each CA and total CAs in a Region, enabling CloudWatch alarms and automation to replace or transition CAs approaching quota limits. This capability helps prevent quota-related service disruptions for services such as Amazon EKS, Amazon ECS Service Connect, and Amazon WorkSpaces.

Cryptographic Reset: Operational Shifts in Trust Now

๐Ÿ” The cryptographic foundation of the internet is undergoing a rapid operational reset driven by shorter certificate lifecycles and the transition to quantum-resistant algorithms. The CA/Browser Forum reduced public TLS validity to 200 days on March 15, 2026, with further reductions planned to 100 days in 2027 and 47 days by 2029, dramatically increasing renewal velocity. Manual certificate processes and spreadsheets will not scale; organizations need network-native discovery, continuous certificate visibility, and fully automated lifecycle management. Palo Alto Networks' Next-Generation Trust Security brings certificate lifecycle controls into the network to automate discovery, renewal, deployment and governance.
read more โ†’

AWS Private CA SCEP Connector Adds AWS PrivateLink

🔒 AWS Private CA Connector for SCEP now supports AWS PrivateLink, enabling clients within an Amazon VPC to request certificates without traversing the public internet. The managed AWS Private CA Connector for SCEP uses SCEP to automate certificate enrollment and renewal for mobile, network, and IoT devices. PrivateLink removes the need for internet gateways, NAT devices, or VPNs while keeping traffic on the AWS network.

Cloudflare Radar: origin PQ, Key Transparency, ASPA

๐Ÿ” Cloudflare Radar is adding three security-focused datasets and tools: origin-facing post-quantum (PQ) monitoring, a Key Transparency dashboard for E2EE messaging logs, and enhanced RPKI ASPA adoption tracking. The origin feature reports support for X25519MLKEM768 using an automated TLS scanner and provides an on-demand hostname tester that performs real TLS handshakes via Cloudflare Containers. Key Transparency publishes auditor verification status and APIs for independent proof checks, while routing pages gain global, country, and per-AS ASPA views together with API access for integrations.
read more โ†’

ASPA Deployment and Roadmap for More Secure Routing

🔒 ASPA (Autonomous System Provider Authorization) introduces cryptographic path validation to reduce route leaks by allowing networks to publish signed lists of authorized upstream providers in RPKI. Unlike ROAs, which verify prefix origins, ASPA validates the AS_PATH and detects routing "valleys" that indicate leaks. Cloudflare Radar now tracks ASPA adoption across RIRs and provides per-AS visibility so operators can see whether observed upstreams are ASPA-authorized and monitor changes over time.

AWS Certificate Manager shortens public certificate validity

🔒 AWS Certificate Manager (ACM) now issues public certificates with a 198-day maximum validity, replacing the prior 395-day default, to comply with the CA/Browser Forum's 200-day mandate effective 15 March 2026. No customer action is required: new and renewed public certificates default to 198 days, while existing longer-lived certificates remain valid until renewal or expiry. ACM continues to auto-renew: 198-day certificates renew 45 days before expiry, and existing longer-term certificates renew 60 days before expiry and are reissued on the 198-day term. AWS also reduced prices for exportable public certificates to reflect the shorter validity.

Amazon MQ Adds mTLS Certificate Authentication for RabbitMQ

๐Ÿ” Amazon MQ now supports certificate-based authentication for RabbitMQ brokers using mutual TLS (mTLS). The new capability lets brokers running RabbitMQ 4.2 and later use the auth_mechanism_ssl plugin, configured via the broker's configuration file. To enable it, create a new RabbitMQ 4.2 broker (M7g instance type) and update the configuration; the feature is available in all regions where Amazon MQ RabbitMQ 4 instances are offered.
read more โ†’

Logitech Options+ and G HUB Fail on macOS After Cert Expiry

โš ๏ธLogitech's Options+ and G HUB apps on macOS stopped launching after their code-signing certificate expired, preventing users from accessing custom gestures, button mappings, lighting presets, and other saved settings. Logitech acknowledged the outage on its support portal and said it will push a new macOS installer that preserves user profiles without changing the visible app version. Community-proposed workarounds include rolling the system date back, installing older builds, or blocking network access, but these are unverified and may have trade-offs. Until an official update is released, users are advised not to delete configuration files to avoid losing customizations.
read more โ†’

AWS Private CA Adds OCSP in China and GovCloud Regions

🔒 AWS Private CA now supports OCSP in the China (Beijing, Ningxia) and AWS GovCloud (US-East, US-West) Regions. The managed OCSP responder enables real-time, per-certificate revocation checks that typically use only a few hundred bytes per query instead of downloading large Certificate Revocation Lists (CRLs), reducing bandwidth and latency. Enable OCSP through the console, AWS CLI, or API; the responder is highly available and fully managed, removing the need to operate OCSP servers, and pricing details are available in the service documentation.

ACM automates certificate lifecycle for Kubernetes workloads

๐Ÿ” AWS Certificate Manager (ACM) now automates provisioning and distribution of exportable public and private certificates directly to Kubernetes workloads via AWS Controllers for Kubernetes (ACK). The ACK controller handles the complete lifecycle โ€” certificate request, validation, export, Kubernetes Secret creation, and automatic renewal updates. This removes the need to export certificates and rotate Secrets manually for pods, service meshes, and third-party ingress controllers. The feature supports Amazon EKS and hybrid or edge Kubernetes environments and is available in commercial, GovCloud (US), and China regions where ACM is offered.
read more โ†’

HTTPS Certificate Industry Phases Out Weak Domain Checks

🔒 The Chrome Root Program and the CA/Browser Forum have adopted new requirements (Ballots SC-080, SC-090, and SC-091) to phase out 11 legacy Domain Control Validation methods. These deprecated checks, including email, fax, SMS, postal mail, phone-based contacts, and reverse lookup methods, are being retired to reduce the risk of fraudulent certificate issuance. The policies update the TLS Baseline Requirements and encourage stronger, automated, cryptographically verifiable methods such as ACME, with full security value realized by March 2028 while operators transition.

Johnson Controls iSTAR TLS Certificate Expiration Issue

🔒 Johnson Controls reported an improper validation of certificate expiration in iSTAR access control panels that can prevent devices from re-establishing communication when the default certificate expires. The flaw, tracked as CVE-2025-61736, carries a CVSS v4 base score of 7.1 and a CVSS v3.1 score of 6.5. Affected units are those running versions prior to TLS 1.2. Recommended mitigations include deploying host-based certificates, migrating clusters to TLS 1.3 (requires firmware/C•CURE updates), or upgrading legacy panels to G2 hardware.

CISOs Preparing for Shorter TLS Certificate Lifespans

๐Ÿ” Shorter maximum TLS certificate lifespans are imminent: starting 15 March 2026 the limit drops from 398 days to 200 days, then to 100 days a year later and eventually to 47 days by 2029. CISOs should prioritize complete, continuously updated certificate inventories and move to automated issuance and renewal โ€” ideally via ACME โ€” to avoid outages. Centralized governance, percentage-based renewal policies, and integrated alerts tied to ticketing systems reduce human error and operational risk.
read more โ†’

AWS Private CA Adds Partitioned CRLs for Scale, Compliance

🔒 AWS Private Certificate Authority now supports partitioned Certificate Revocation Lists (CRLs) to scale revocation handling up to 100 million certificates per CA. Partitioning breaks revocation data into ~1 MB CRL partitions and binds certificates to partitions using a critical Issuing Distribution Point (IDP) extension, so a validator must match the certificate's CDP URI against the CRL's IDP URI before accepting a status from that partition. Because the IDP is critical, a validator that does not implement it must reject the CRL rather than treat one partition as the complete list. The feature is backward compatible, RFC 5280-compliant, configurable in the console (including S3 setup), and carries no charge beyond AWS Private CA and Amazon S3 usage.
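The CDP-to-IDP matching that partitioned CRLs rely on, as an added example (not AWS code, and not from the article): it generates a local CA, leaf certificates whose CDP points at a partition URI, and a CRL partition carrying a critical IDP, then refuses to answer from a CRL whose IDP does not cover the certificate. The `http://crl.example.internal/ca1/` base URI, the partition names and the serial numbers are constructed placeholders; the script needs only the `cryptography` package and runs offline.

```python
# Added example (not AWS code): trust a partitioned CRL for a certificate only when
# the CRL's critical IDP names the same partition URI as the cert's CDP (RFC 5280 5.2.5).
# All CA/cert/CRL material and the partition URIs are constructed locally; runs offline.
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2026, 3, 20, tzinfo=dt.timezone.utc)  # fixed clock for reproducibility
STALE_TIME = NOW + dt.timedelta(days=8)                 # past the CRL's nextUpdate
BASE = "http://crl.example.internal/ca1/"               # placeholder CDP base, not a real endpoint
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Private CA")])
CA_KEY = ec.generate_private_key(ec.SECP256R1())
DAY = dt.timedelta(days=1)


def make_ca():
    """Self-signed issuing CA standing in for an AWS Private CA."""
    return (x509.CertificateBuilder().subject_name(CA_NAME).issuer_name(CA_NAME)
            .public_key(CA_KEY.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 3650 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(CA_KEY, hashes.SHA256()))


def issue_leaf(serial, partition):
    """End-entity certificate bound to one CRL partition through its CDP URI."""
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(BASE + partition)],
        relative_name=None, reasons=None, crl_issuer=None)])
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "device-%d" % serial)])
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(CA_NAME)
            .public_key(ec.generate_private_key(ec.SECP256R1()).public_key())
            .serial_number(serial).not_valid_before(NOW - DAY).not_valid_after(NOW + 30 * DAY)
            .add_extension(cdp, critical=False).sign(CA_KEY, hashes.SHA256()))


def build_partition_crl(partition, revoked_serials):
    """One CRL partition; the critical IDP states which partition it covers."""
    idp = x509.IssuingDistributionPoint(
        full_name=[x509.UniformResourceIdentifier(BASE + partition)], relative_name=None,
        only_contains_user_certs=False, only_contains_ca_certs=False, only_some_reasons=None,
        indirect_crl=False, only_contains_attribute_certs=False)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
               .last_update(NOW).next_update(NOW + 7 * DAY).add_extension(idp, critical=True))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return builder.sign(CA_KEY, hashes.SHA256())


def _uris(general_names):
    return {n.value for n in (general_names or []) if isinstance(n, x509.UniformResourceIdentifier)}


def revocation_status(cert, crl, ca_cert, now=NOW):
    """'good', 'revoked', or 'unusable:<reason>' when this CRL may not answer for this cert.
    Fetching the wrong partition must never turn a revoked certificate into a 'good' one."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "unusable:bad-signature"
    if crl.issuer != cert.issuer:
        return "unusable:issuer-mismatch"
    next_update = getattr(crl, "next_update_utc", None)
    if next_update is None:  # cryptography < 42 only exposes naive UTC datetimes
        next_update = crl.next_update.replace(tzinfo=dt.timezone.utc)
    if next_update < now:
        return "unusable:stale"
    cert_uris = set()
    for dp in cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value:
        cert_uris |= _uris(dp.full_name)
    try:
        idp = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint)
    except x509.ExtensionNotFound:
        idp = None  # no IDP means a complete CRL, valid for every cert of this issuer
    if idp is not None:
        if not idp.critical:
            return "unusable:idp-not-critical"  # RFC 5280 requires the IDP to be critical
        if not cert_uris & _uris(idp.value.full_name):
            return "unusable:partition-mismatch"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


def demo():
    ca, crl_1 = make_ca(), build_partition_crl("crl-1.crl", revoked_serials=[1001])
    return {
        "revoked_in_own_partition": revocation_status(issue_leaf(1001, "crl-1.crl"), crl_1, ca),
        "clean_in_own_partition": revocation_status(issue_leaf(1002, "crl-1.crl"), crl_1, ca),
        "wrong_partition": revocation_status(issue_leaf(2001, "crl-2.crl"), crl_1, ca),
        "expired_crl": revocation_status(issue_leaf(1001, "crl-1.crl"), crl_1, ca, now=STALE_TIME),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(case, status)
```

The point of the `unusable:*` results is that a wrong partition, a stale CRL, or a CRL whose IDP is not marked critical is a failure to obtain a status, not evidence that the certificate is good; a validator that silently falls through to "good" in those cases defeats partitioning. Production validators should also honour the `only_contains_*` and `only_some_reasons` IDP fields, which this example leaves at their defaults.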

Updating CRLs Privately with AWS Private CA and VPC Delivery

🔒 This AWS Security post explains two approaches to make certificate revocation lists (CRLs) available only to internal systems without exposing the S3 CRL bucket to the public internet. The first approach relocates CRLs by using a custom CDP CNAME and an EventBridge-triggered Lambda that copies generated CRLs from the ACM Private CA S3 bucket to an internal store, with SNS notifications and example Python code. The second approach confines CRL retrieval inside AWS by using a VPC gateway endpoint for S3, tightly scoped S3 bucket policies, and private Route 53 DNS so CRLs are resolvable and retrievable only from within the VPC.