AWS Security ChangesHomeSearch

AWS AmazonCloudFront documentation change

Service: AmazonCloudFront · 2026-02-19 · Documentation low

File: AmazonCloudFront/latest/DeveloperGuide/origin-certificate-management-certificate-manager.md

Summary

Updated terminology from 'mutual TLS (origin)' to 'origin mTLS' or 'origin mutual TLS' throughout the document for consistency and clarity. Added expanded term for mTLS where appropriate.

Security assessment

Changes are purely terminological updates without introducing new security concepts, addressing vulnerabilities, or modifying security requirements. The core security mechanisms (certificate requirements, EKU specifications, and management responsibilities) remain unchanged.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/origin-certificate-management-certificate-manager.md b/AmazonCloudFront/latest/DeveloperGuide/origin-certificate-management-certificate-manager.md
index 7430ace4e..033cc835d 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/origin-certificate-management-certificate-manager.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/origin-certificate-management-certificate-manager.md
@@ -9 +9 @@ Certificate Authority supportCertificate requirements and specifications
-[AWS Certificate Manager (ACM)](https://aws.amazon.com/certificate-manager/) stores the client certificates that CloudFront presents to your origin servers during mutual TLS (origin) authentication.
+[AWS Certificate Manager (ACM)](https://aws.amazon.com/certificate-manager/) stores the client certificates that CloudFront presents to your origin servers during origin mutual TLS authentication.
@@ -13 +13 @@ Certificate Authority supportCertificate requirements and specifications
-CloudFront Mutual TLS (origin) requires client certificates with Extended Key Usage (EKU) for TLS Client Authentication. Due to this requirement, you must issue certificates from your Certificate Authority and import them into AWS Certificate Manager. ACM's automatic certificate provisioning and renewal features are not available for mutual TLS (origin) client certificates. CloudFront Mutual TLS (origin) supports client certificates from two sources:
+CloudFront origin mTLS requires client certificates with Extended Key Usage (EKU) for TLS Client Authentication. Due to this requirement, you must issue certificates from your Certificate Authority and import them into AWS Certificate Manager. ACM's automatic certificate provisioning and renewal features are not available for origin mTLS client certificates. CloudFront origin mTLS supports client certificates from two sources:
@@ -17 +17 @@ CloudFront Mutual TLS (origin) requires client certificates with Extended Key Us
-  * **Third-party private Certificate Authorities:** You can also issue certificates from your existing private Certificate Authority infrastructure and import them into ACM. This allows you to maintain your current certificate management processes while leveraging CloudFront's mutual TLS (origin) capabilities. Certificates must include TLS Client Authentication in the Extended Key Usage field and must be in PEM format with the certificate, private key, and certificate chain.
+  * **Third-party private Certificate Authorities:** You can also issue certificates from your existing private Certificate Authority infrastructure and import them into ACM. This allows you to maintain your current certificate management processes while leveraging CloudFront's origin mTLS capabilities. Certificates must include TLS Client Authentication in the Extended Key Usage field and must be in PEM format with the certificate, private key, and certificate chain.
@@ -24 +24 @@ CloudFront Mutual TLS (origin) requires client certificates with Extended Key Us
-For both AWS Private CA and third-party CAs, you are responsible for monitoring certificate expiration dates and importing renewed certificates into ACM before expiration. ACM's automatic renewal feature does not apply to imported certificates used for mutual TLS (origin).
+For both AWS Private CA and third-party CAs, you are responsible for monitoring certificate expiration dates and importing renewed certificates into ACM before expiration. ACM's automatic renewal feature does not apply to imported certificates used for origin mTLS.
@@ -78 +78 @@ Your origin servers must present certificates from publicly trusted Certificate
-Before enabling mutual TLS (origin), you must have a client certificate available in ACM.
+Before enabling origin mTLS, you must have a client certificate available in ACM.
@@ -171 +171 @@ Prerequisites:
-After obtaining or importing your client certificate in ACM, you can configure your origin server to require mutual TLS authentication and enable mutual TLS (origin) on your CloudFront distribution. For instructions on enabling mutual TLS (origin) in CloudFront, see the next section "Enable mutual TLS (origin) for CloudFront distributions."
+After obtaining or importing your client certificate in ACM, you can configure your origin server to require mutual TLS authentication and enable origin mTLS on your CloudFront distribution. For instructions on enabling origin mTLS in CloudFront, see the next section "Enable origin mutual TLS for CloudFront distributions."
@@ -179 +179 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Mutual TLS (origin) with CloudFront
+Origin mutual TLS with CloudFront
@@ -181 +181 @@ Mutual TLS (origin) with CloudFront
-Enable mutual TLS(origin) for CloudFront distributions
+Enable origin mutual TLS for CloudFront distributions