AWS privateca documentation change
Summary
Added documentation for IPv6 support in CRLs via S3 dualstack endpoints
Security assessment
Introduces IPv6 support for CRL distribution, enhancing network security options but not addressing a specific vulnerability.
Diff
diff --git a/privateca/latest/userguide/crl-planning.md b/privateca/latest/userguide/crl-planning.md index 2c87d0a6e..8f571dd08 100644 --- a//privateca/latest/userguide/crl-planning.md +++ b//privateca/latest/userguide/crl-planning.md @@ -25 +25 @@ For information about using Online Certificate Status Protocol (OCSP) as an alte - + * @@ -240,0 +241,11 @@ If you have configured your CA with a custom CNAME, the CDP URI will include the +## + +By default, AWS Private CA writes CDP extensions using regional, IPv4-only `amazonaws.com` endpoints. To use CRLs over IPv6, do one of the following steps so that CDPs are written with URLs that point to [S3's dualstack endpoints](https://docs.aws.amazon.com/AmazonS3/latest/API/dual-stack-endpoints.html): + + * Set your [CRL custom name ](./create-CA.html#PcaCreateRevocation) to the S3 dualstack endpoint domain. For example, ``bucketname`.s3.dualstack.`region-code`.amazonaws.com` + + * Set up your own CNAME DNS record pointing at the relevant S3 dualstack endpoint, then use it as your CRL custom name + + + +