Posted On: Sep 3, 2021
AWS Certificate Manager (ACM) Private Certificate Authority (CA) announces the availability of Online Certificate Status Protocol (OCSP) for distributing certificate revocation information. When establishing an encrypted TLS connection, endpoints can use OCSP to query, in near real time, if a certificate has been revoked. Thus alerting the endpoint that the certificate should not be trusted. This feature provides a fully managed OCSP solution for notifying endpoints that certificates have been revoked without the need to manage or operate infrastructure themselves.
Previously, ACM Private CA customers could use CRLs to check revocation status for certificates issued by ACM Private CA or build and manage their own OCSP. CRLs are not suitable for endpoints with limited storage, introduce additional compute processing to access and parse, and can become stale as often clients only download CRLs on a daily or less frequent basis . Building and operating an OCSP responder requires customers to perform custom development, handle standard maintenance and respond to emergency events in case the OCSP fails.
Private CA now offers fully managed OCSP. Customers can enable OCSP with a single operation via the console, CloudFormation, API or command line with no development or deployment required for new or existing CAs. Private CA’s OCSP allows customers to deploy certificates that any TLS endpoint can query revocation status on directly, moving the storage and processing requirements to the OCSP responder and solving the stale status issue. Customers who issue certificates can now choose OCSP, Certificate Revocation Lists (CRLs) or both to distribute revocation information for their private certificates.
Private CA provides you a highly-available private CA service without the upfront investment and ongoing maintenance costs of operating your own private CA. CA administrators can use Private CA to create a complete CA hierarchy, including online root and subordinate CAs, with no need for external CAs. With Private CA, you can create private certificates for your resources in one place with a secure, pay as you go, managed private CA service. The OCSP feature is an add-on option for Private CA. Pricing for the OCSP feature can be found on the public ACM Private CA pricing page.
The CA OCSP feature is available in all Private CA supported regions except AWS GovCloud. For a list of regions where Private CA is available, see
AWS Regions and Endpoints
.
To get started with Private CA visit the Getting Started page.