AWS Security ChangesHomeSearch

AWS privateca documentation change

Service: privateca · 2025-06-25 · Documentation medium

File: privateca/latest/userguide/crl-planning.md

Summary

Added documentation for IPv6 support in CRLs via S3 dualstack endpoints

Security assessment

Introduces IPv6 support for CRL distribution, enhancing network security options but not addressing a specific vulnerability.

Diff

diff --git a/privateca/latest/userguide/crl-planning.md b/privateca/latest/userguide/crl-planning.md
index 2c87d0a6e..8f571dd08 100644
--- a//privateca/latest/userguide/crl-planning.md
+++ b//privateca/latest/userguide/crl-planning.md
@@ -25 +25 @@ For information about using Online Certificate Status Protocol (OCSP) as an alte
-
+  * 
@@ -240,0 +241,11 @@ If you have configured your CA with a custom CNAME, the CDP URI will include the
+## 
+
+By default, AWS Private CA writes CDP extensions using regional, IPv4-only `amazonaws.com` endpoints. To use CRLs over IPv6, do one of the following steps so that CDPs are written with URLs that point to [S3's dualstack endpoints](https://docs.aws.amazon.com/AmazonS3/latest/API/dual-stack-endpoints.html): 
+
+  * Set your [CRL custom name ](./create-CA.html#PcaCreateRevocation) to the S3 dualstack endpoint domain. For example, ``bucketname`.s3.dualstack.`region-code`.amazonaws.com`
+
+  * Set up your own CNAME DNS record pointing at the relevant S3 dualstack endpoint, then use it as your CRL custom name
+
+
+
+