AWS privateca medium security documentation change
Summary
Added note that short-lived certificates must be the last CA in the hierarchy and require weekly renewal
Security assessment
This change enforces security best practices by preventing insecure CA hierarchies and mandating frequent rotation, which reduces the risk of long-lived certificate misuse. The explicit requirement for hierarchy position directly impacts security posture.
Diff
diff --git a/privateca/latest/userguide/short-lived-certificates.md b/privateca/latest/userguide/short-lived-certificates.md index c1aee5e5a..e576b2ef2 100644 --- a//privateca/latest/userguide/short-lived-certificates.md +++ b//privateca/latest/userguide/short-lived-certificates.md @@ -22,0 +23,2 @@ This mode defines a CA that exclusively issues certificates with a maximum valid +Short-lived certificates must be the last CA in the certificate hierarchy. There is significant overhead because the private CA must be renewed every seven days. +