AWS acm documentation change
Summary
Updated certificate reimport rules to clarify that KeyUsage/ExtendedKeyUsage extensions cannot be removed during renewal, with exceptions for Client Authentication EKU removal and keyEncipherment removal from ECDSA certificates.
Security assessment
This change documents certificate validation rules and exceptions for reimporting certificates. It clarifies security constraints around certificate extensions but doesn't indicate a specific security vulnerability being addressed. The changes appear to be documentation improvements to reflect industry standards (Chrome requirements and RFC 5480 compliance).
Diff
diff --git a/acm/latest/userguide/import-certificate-prerequisites.md b/acm/latest/userguide/import-certificate-prerequisites.md index 1818dde96..0670e2842 100644 --- a//acm/latest/userguide/import-certificate-prerequisites.md +++ b//acm/latest/userguide/import-certificate-prerequisites.md @@ -42 +42 @@ Note also the following additional requirements: - * When you renew (reimport) a certificate, you cannot add a `KeyUsage` or `ExtendedKeyUsage` extension if the extension was not present in the previously imported certificate + * When you renew (reimport) a certificate, you cannot remove a `KeyUsage` or `ExtendedKeyUsage` extension that was present in the previously imported certificate. @@ -44 +44,5 @@ Note also the following additional requirements: -**Exception:** You can reimport a certificate missing the Client Authentication ExtendedKeyUsage when compared to the previous certificate. This accommodates industry changes where certificate authorities no longer issue certificates with ClientAuth EKU to comply with Chrome's root program requirements. +The following exceptions apply: + + * You can reimport a certificate missing the Client Authentication ExtendedKeyUsage when compared to the previous certificate. This accommodates industry changes where certificate authorities no longer issue certificates with ClientAuth EKU to comply with Chrome's root program requirements. + + * You can remove the `keyEncipherment` Key Usage from ECDSA certificates. This accommodates [RFC 5480 Section 3](https://www.rfc-editor.org/rfc/rfc5480#section-3), which does not include `keyEncipherment` as a permitted Key Usage for ECDSA keys.