AWS privateca documentation change
Summary
Expanded 'Rotate the CA private key' section to 'Manage CA keys and certificates' with added subsections on extending CA validity period and rotating CA keys
Security assessment
This change adds security best practices documentation about CA key lifecycle management, including extending validity periods and proper key rotation procedures. While it enhances security documentation, there's no evidence it addresses a specific security issue.
Diff
diff --git a/privateca/latest/userguide/ca-best-practices.md b/privateca/latest/userguide/ca-best-practices.md index 175a6372b..670458b88 100644 --- a//privateca/latest/userguide/ca-best-practices.md +++ b//privateca/latest/userguide/ca-best-practices.md @@ -5 +5 @@ -Documenting CA structure and policiesMinimize use of the root CA if possibleGive the root CA its own AWS accountSeparate administrator and issuer rolesImplement managed revocation of certificatesTurn on AWS CloudTrailRotate the CA private keyDelete unused CAsBlock public access to your CRLsAmazon EKS application best practices +Documenting CA structure and policiesMinimize use of the root CA if possibleGive the root CA its own AWS accountSeparate administrator and issuer rolesImplement managed revocation of certificatesTurn on AWS CloudTrailManage CA keys and certificatesDelete unused CAsBlock public access to your CRLsAmazon EKS application best practices @@ -66 +66 @@ Turn on CloudTrail logging before you create and start operating a private CA. W -## Rotate the CA private key +## Manage CA keys and certificates @@ -68 +68,9 @@ Turn on CloudTrail logging before you create and start operating a private CA. W -It is a best practice to periodically update the private key for your private CA. You can update a key by importing a new CA certificate, or you can replace the private CA with a new CA. +You can manage the lifecycle of your private CA by extending its validity period or by rotating the CA key. + +### Extend the CA validity period + +You can extend the validity period of your CA by importing a new CA certificate with a longer expiration date. + +### Rotate the CA key + +Periodically rotate your CA key by replacing the private CA with a new CA. After you create the new CA, update all references to the CA ARN in your applications and services to the newly created CA ARN, and update trust stores across your infrastructure with the new CA certificate. @@ -72 +80 @@ It is a best practice to periodically update the private key for your private CA -If you replace the CA itself, be aware that the ARN of the CA changes. This would cause automation relying on a hard-coded ARN to fail. +If you replace the CA itself, be aware that the ARN of the CA changes. Hard-coded ARN references in your automation will break.