< ciso
brief />
Tag Banner

All news with #certificate management tag

29 articles · page 2 of 2

CISOs Preparing for Shorter TLS Certificate Lifespans

🔐 Shorter maximum TLS certificate lifespans are imminent: starting 15 March 2026 the limit drops from 398 days to 200 days, then to 100 days a year later and eventually to 47 days by 2029. CISOs should prioritize complete, continuously updated certificate inventories and move to automated issuance and renewal — ideally via ACME — to avoid outages. Centralized governance, percentage-based renewal policies, and integrated alerts tied to ticketing systems reduce human error and operational risk.
read more →

AWS Private CA Adds Partitioned CRLs for Scale, Compliance

🔒 AWS Private Certificate Authority now supports partitioned Certificate Revocation Lists (CRLs) to scale revocation handling up to 100 million certificates per CA. Partitioning breaks revocation data into ~1 MB CRL partitions and binds certificates to partitions using a critical Issuer Distribution Point (IDP) extension, allowing validators to match CDP and IDP URIs for accurate checks. The feature is backward compatible, RFC5280-compliant, configurable in the console (including S3 setup), and carries no charge beyond AWS Private CA and Amazon S3 usage.
read more →

Updating CRLs Privately with AWS Private CA and VPC Delivery

🔒 This AWS Security post explains two approaches to make certificate revocation lists (CRLs) available only to internal systems without exposing the S3 CRL bucket to the public internet. The first approach relocates CRLs by using a custom CDP CNAME and an EventBridge‑triggered Lambda that copies generated CRLs from the ACM Private CA S3 bucket to an internal store, with SNS notifications and example Python code. The second approach confines CRL retrieval inside AWS by using a VPC Gateway S3 endpoint, tightly scoped S3 bucket policies, and private Route 53 DNS so CRLs are resolvable and retrievable only from within the VPC.
read more →

AWS Private CA Adds ML-DSA Post-Quantum Certificates

🔐 AWS Private CA now supports the post-quantum digital signature algorithm ML-DSA (NIST FIPS 204), enabling organizations to create CAs and issue certificates designed to resist quantum attacks. The feature lets you test certificate issuance, identity verification, and code signing using ML-DSA, and supports CRLs and OCSP responders. Availability spans all commercial AWS Regions, AWS GovCloud (US), and China Regions to help teams begin transitioning PKI toward post-quantum cryptography.
read more →

Microsoft October 2025 Patch Causes Enterprise Failures

🚨 The October 2025 Windows security update KB5066835, intended to move cryptography from CSP to KSP, is causing widespread enterprise disruption. Affected platforms — including Windows 10 (22H2), Windows 11 (23H2–25H2) and several Windows Server releases — report smartcard and certificate failures, USB mouse/keyboard loss in WinRE, IIS ERR_CONNECTION_RESET and WUSA installation errors. Microsoft published a registry workaround (DisableCapiOverrideForRSA=0) and an out‑of‑band update (KB5070773) for some issues, but urges caution and recommends thorough testing before broad deployment.
read more →

Configure and Verify ACM Certificates with Trust Stores

🔐 This post explains how to configure customer trust stores to accept public certificates issued through AWS Certificate Manager (ACM) and clarifies the role of Amazon Trust Services. It warns that ACM issues certificates via dynamically selected intermediates, so trusting only intermediates or pinning end-entity certificates can cause outages. The recommended action is to install five Amazon root CAs in your trust stores and to validate configuration across Windows, Amazon Linux, and Java environments.
read more →

AWS Managed Microsoft AD Adds LDAPS and Smart Card CA

🔐 AWS Managed Microsoft AD now supports certificate auto-enrollment for LDAPS and Smart Card authentication by integrating with AWS Private CA through the AWS Private CA Connector for AD. The integration automates issuance, renewal, and lifecycle management of domain controller certificates, removing the need to maintain CA infrastructure on Amazon EC2. This capability is available in all Regions offering the connector and can be configured via the console or API.
read more →

Unauthorized TLS Certificates Issued for 1.1.1.1 by Fina CA

🔒 Cloudflare reported that Fina CA issued twelve unauthorized TLS certificates for the public DNS IP 1.1.1.1 between February 2024 and August 2025. All certificates have been revoked and Cloudflare found no evidence they were used maliciously, noting that successful impersonation would also require client trust in Fina and interception of traffic. The misissuance was detected via Certificate Transparency logs, and Cloudflare is improving alerts, monitoring, and triage to prevent similar lapses.
read more →

AWS Certificate Manager Adds PrivateLink Access for ACM

🔒 AWS Certificate Manager (ACM) now supports AWS PrivateLink, enabling access to ACM APIs from within an Amazon VPC without traversing the public internet. You can create interface endpoints to connect your VPC to ACM using the AWS Management Console, AWS CLI, or AWS CloudFormation. This private connectivity is available in all Regions where ACM and PrivateLink are supported, including AWS GovCloud (US) and China Regions, and helps meet compliance requirements by keeping API traffic inside the AWS network.
read more →