AWS privateca documentation change
Summary
Added IPv6 support documentation for OCSP responder configuration
Security assessment
Documents IPv6 connectivity for OCSP, improving security feature coverage but not resolving a specific security issue.
Diff
diff --git a/privateca/latest/userguide/ocsp-customize.md b/privateca/latest/userguide/ocsp-customize.md index 27dba69f1..bca44a46b 100644 --- a//privateca/latest/userguide/ocsp-customize.md +++ b//privateca/latest/userguide/ocsp-customize.md @@ -4,0 +5,2 @@ +Using OCSP over IPv6 + @@ -69 +71,3 @@ This example can be implemented using [Amazon CloudFront](https://docs.aws.amazo - * Set ocsp.acm-pca.`<region>`.amazonaws.com as the origin. + * Set `ocsp.acm-pca.`<region>`.amazonaws.com` as the origin. + + * To use IPv6 connections, use the dualstack endpoint `acm-pca-ocsp.`<region>`.api.aws` @@ -81,0 +86,11 @@ This example can be implemented using [Amazon CloudFront](https://docs.aws.amazo +## Using OCSP over IPv6 + +The default AWS Private CA OCSP responder URL is IPv4-only. To use OCSP over IPv6, configure a custom OCSP URL for your CA. The URL can be either: + + * The FQDN of the dualstack PCA OCSP responder, which takes the form `acm-pca-ocsp.`region-name`.api.aws` + + * A CNAME record that you have configured to point at the dualstack OCSP responder, as explained above. + + + +