AWS Security ChangesHomeSearch

AWS privateca medium security documentation change

Service: privateca · 2025-11-13 · Security-related medium

File: privateca/latest/userguide/PcaWelcome.md

Summary

Added ML-DSA algorithms to supported key/signing algorithms and updated signing algorithm descriptions

Security assessment

The addition of ML-DSA (post-quantum cryptographic algorithms) directly enhances security documentation by introducing quantum-resistant options, addressing future cryptographic threats.

Diff

diff --git a/privateca/latest/userguide/PcaWelcome.md b/privateca/latest/userguide/PcaWelcome.md
index e8d90b4e8..d59ed64d9 100644
--- a//privateca/latest/userguide/PcaWelcome.md
+++ b//privateca/latest/userguide/PcaWelcome.md
@@ -67 +67 @@ Supported algorithm Private key algorithms | Signing algorithms
-RSA_2048  RSA_3072  RSA_4096 EC_prime256v1 EC_secp384r1 EC_secp521r1 SM2 (China Regions only) | SHA256WITHECDSASHA384WITHECDSASHA512WITHECDSASHA256WITHRSASHA384WITHRSASHA512WITHRSASM3WITHSM2  
+ML_DSA_44 ML_DSA_65 ML_DSA_87 RSA_2048  RSA_3072  RSA_4096 EC_prime256v1 EC_secp384r1 EC_secp521r1 SM2 (China Regions only) | ML_DSA_44ML_DSA_65ML_DSA_87 SHA256WITHRSASHA384WITHRSASHA512WITHRSASHA256WITHECDSA SHA384WITHECDSASHA512WITHECDSASM3WITHSM2  
@@ -73 +73,3 @@ This list applies only to certificates issued directly by AWS Private CA through
-In all cases, the specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's private key.
+For RSA or ECDSA, the specified signing algorithm family must match the key algorithm family of the CA's private key.
+
+For ML-DSA, the hash function is defined as part of the algorithm itself. There is no option to select a different hash function with ML-DSA. To maintain backward compatibility with the APIs, the same value is used for key algorithm and signing algorithm.