AWS Security ChangesHomeSearch

AWS privateca documentation change

Service: privateca · 2025-06-25 · Documentation medium

File: privateca/latest/userguide/ocsp-customize.md

Summary

Added IPv6 support documentation for OCSP responder configuration

Security assessment

Documents IPv6 connectivity for OCSP, improving security feature coverage but not resolving a specific security issue.

Diff

diff --git a/privateca/latest/userguide/ocsp-customize.md b/privateca/latest/userguide/ocsp-customize.md
index 27dba69f1..bca44a46b 100644
--- a//privateca/latest/userguide/ocsp-customize.md
+++ b//privateca/latest/userguide/ocsp-customize.md
@@ -4,0 +5,2 @@
+Using OCSP over IPv6
+
@@ -69 +71,3 @@ This example can be implemented using [Amazon CloudFront](https://docs.aws.amazo
-     * Set ocsp.acm-pca.`<region>`.amazonaws.com as the origin.
+     * Set `ocsp.acm-pca.`<region>`.amazonaws.com` as the origin.
+
+       * To use IPv6 connections, use the dualstack endpoint `acm-pca-ocsp.`<region>`.api.aws`
@@ -81,0 +86,11 @@ This example can be implemented using [Amazon CloudFront](https://docs.aws.amazo
+## Using OCSP over IPv6
+
+The default AWS Private CA OCSP responder URL is IPv4-only. To use OCSP over IPv6, configure a custom OCSP URL for your CA. The URL can be either: 
+
+  * The FQDN of the dualstack PCA OCSP responder, which takes the form `acm-pca-ocsp.`region-name`.api.aws`
+
+  * A CNAME record that you have configured to point at the dualstack OCSP responder, as explained above.
+
+
+
+