
All news with #pki tag

13 articles

CloudFront Adds OCSP Revocation Checking for mTLS Support

πŸ” Amazon CloudFront now supports Online Certificate Status Protocol (OCSP) for viewer mutual TLS (mTLS), allowing real-time validation of client certificate revocation during connection establishment. Previously, revocation was handled via CloudFront Functions and KeyValueStore with static lists. CloudFront now queries the OCSP responder embedded in certificates and caches responses up to 30 minutes. The OCSP result is exposed to connection functions for custom logic.

AWS Payment Cryptography: Physical Key Exchange Support

πŸ” AWS Payment Cryptography now offers Physical Key Exchange, a PCI PIN and P2PE-compliant option that enables paper-based cryptographic key exchange without customers having to maintain their own secure key-loading infrastructure. Paper key components are shipped to trained AWS key custodians, who perform key ceremonies in AWS-operated secure facilities meeting the required physical and logical controls. Once loaded, keys are available to the managed service for cryptographic operations, helping organizations accelerate migration when partners do not support electronic key exchange.

Cryptographic Reset: Operational Shifts in Trust Now

πŸ” The cryptographic foundation of the internet is undergoing a rapid operational reset driven by shorter certificate lifecycles and the transition to quantum-resistant algorithms. The CA/Browser Forum reduced public TLS validity to 200 days on March 15, 2026, with further reductions planned to 100 days in 2027 and 47 days by 2029, dramatically increasing renewal velocity. Manual certificate processes and spreadsheets will not scale; organizations need network-native discovery, continuous certificate visibility, and fully automated lifecycle management. Palo Alto Networks' Next-Generation Trust Security brings certificate lifecycle controls into the network to automate discovery, renewal, deployment and governance.

Cloudflare Radar: origin PQ, Key Transparency, ASPA

πŸ” Cloudflare Radar is adding three security-focused datasets and tools: origin-facing post-quantum (PQ) monitoring, a Key Transparency dashboard for E2EE messaging logs, and enhanced RPKI ASPA adoption tracking. The origin feature reports support for X25519MLKEM768 using an automated TLS scanner and provides an on-demand hostname tester that performs real TLS handshakes via Cloudflare Containers. Key Transparency publishes auditor verification status and APIs for independent proof checks, while routing pages gain global, country, and per-AS ASPA views together with API access for integrations.

ASPA Deployment and Roadmap for More Secure Routing

🔒 ASPA (Autonomous System Provider Authorization) introduces cryptographic path validation to reduce route leaks by allowing networks to publish signed lists of authorized upstream providers in RPKI. Unlike ROAs, which verify prefix origins, ASPA validates the AS_PATH and detects routing "valleys" that indicate leaks. Cloudflare Radar now tracks ASPA adoption across RIRs and provides per-AS visibility so operators can see whether observed upstreams are ASPA-authorized and monitor changes over time.

HTTPS Certificate Industry Phases Out Weak Domain Checks

🔒 The Chrome Root Program and the CA/Browser Forum have adopted new requirements (Ballots SC-080, SC-090, and SC-091) to phase out 11 legacy Domain Control Validation methods. These deprecated checks, including email, fax, SMS, postal mail, phone-based contacts, and reverse lookup methods, are being retired to reduce the risk of fraudulent certificate issuance. The policies update the TLS Baseline Requirements and encourage stronger, automated, cryptographically verifiable methods such as ACME, with full security value realized by March 2028 while operators transition.

AWS Private CA Adds Partitioned CRLs for Scale, Compliance

🔒 AWS Private Certificate Authority now supports partitioned Certificate Revocation Lists (CRLs) to scale revocation handling up to 100 million certificates per CA. Partitioning breaks revocation data into ~1 MB CRL partitions and binds certificates to partitions using a critical Issuing Distribution Point (IDP) extension, allowing validators to match CDP and IDP URIs for accurate checks. The feature is backward compatible, RFC 5280-compliant, configurable in the console (including S3 setup), and carries no charge beyond AWS Private CA and Amazon S3 usage.

AWS Private CA Adds ML-DSA Post-Quantum Certificates

πŸ” AWS Private CA now supports the post-quantum digital signature algorithm ML-DSA (NIST FIPS 204), enabling organizations to create CAs and issue certificates designed to resist quantum attacks. The feature lets you test certificate issuance, identity verification, and code signing using ML-DSA, and supports CRLs and OCSP responders. Availability spans all commercial AWS Regions, AWS GovCloud (US), and China Regions to help teams begin transitioning PKI toward post-quantum cryptography.

Google Cloud's Roadmap to a Quantum-Safe Infrastructure

🔒 Google Cloud has been migrating its infrastructure toward post-quantum cryptography for nearly a decade to mitigate Store Now, Decrypt Later (SNDL) risks. The company has deployed the standards-based ML-KEM (FIPS 203) for key exchange across internal traffic and the Google Cloud networking stack, and introduced ML-KEM capabilities in Cloud KMS (preview) for key generation, encapsulation, and decapsulation. It also added native support for ML-DSA and SLH-DSA in Cloud KMS to protect long-lived digital signatures, and is phasing quantum-safe certificate support into Certificate Authority Service to enable future PQC-ready PKI. Administrators will receive tooling to opt in, audit cryptographic assets, and manage transitions to hybrid or pure PQC deployments as standards mature.

Merkle Tree Certificates pilot by Cloudflare and Chrome

πŸ” Cloudflare is collaborating with Chrome to experimentally deploy Merkle Tree Certificates (MTCs) to reduce the number of public keys and large post-quantum signatures transmitted during TLS handshakes. MTCs batch certificates into a Merkle tree with a single signed treehead and per-certificate inclusion proofs, dramatically shrinking handshake size and CPU work. The experiment will roll out to a subset of Cloudflare free customers while Chrome distributes validation landmarks and fallbacks to preserve existing trust.

Microsoft October Windows Updates Break Smart Card Auth

🔒 Microsoft warns that the October 2025 Windows security updates are causing smart card authentication and certificate failures by switching RSA-based smart card certificates to use KSP instead of CSP. Affected systems may report errors such as "invalid provider type specified" or "CryptAcquireCertificatePrivateKey error" and Event ID 624 in the Smart Card Service log. Microsoft provides a manual workaround: set the DisableCapiOverrideForRSA registry value to 0, back up the registry first, then restart. This impacts Windows 10, Windows 11 and Windows Server releases; the company says the key will be removed in April 2026 and urges customers to work with application vendors to resolve compatibility.

Transitioning to Passwordless Authentication with PKI

πŸ” Organizations facing rising phishing and ransomware threats are moving from passwords to PKI-based authentication to close gaps in traditional MFA. Certificates issued by a trusted CA and backed by asymmetric cryptography replace passwords and vulnerable SMS codes, improving both security and usability. Automated lifecycle management and user self-service reduce administrative overhead, while crypto-agility preserves long-term resilience.

Configure and Verify ACM Certificates with Trust Stores

πŸ” This post explains how to configure customer trust stores to accept public certificates issued through AWS Certificate Manager (ACM) and clarifies the role of Amazon Trust Services. It warns that ACM issues certificates via dynamically selected intermediates, so trusting only intermediates or pinning end-entity certificates can cause outages. The recommended action is to install five Amazon root CAs in your trust stores and to validate configuration across Windows, Amazon Linux, and Java environments.