# Document History
The following table describes significant changes to this documentation since January 2018. In addition to major changes listed here, we also update the documentation frequently to improve the descriptions and examples, and to address the feedback that you send to us. To be notified about significant changes, use the link in the upper right corner to subscribe to the RSS feed.
| Change | Description | Date |
| --- |--- |--- |
| [Updated best practices for CA key management](#dochistory) | Restructured the CA key rotation best practices into separate guidance for extending CA validity periods and rotating CA keys. For more information, see [Manage CA keys and certificates](https://docs.aws.amazon.com/privateca/latest/userguide/ca-best-practices.html#rotate-keys). | April 10, 2026 |
| [Documentation update](https://docs.aws.amazon.com/privateca/latest/userguide/PcaKubernetes.html) | Updated the [Secure Kubernetes with AWS Private Certificate Authority](https://docs.aws.amazon.com/privateca/latest/userguide/PcaKubernetes.html) with a new getting started procedure, examples, and monitoring and troubleshooting topics. | October 1, 2025 |
| [Dual-stack support](dual-stack-endpoint-support.md) | AWS Private Certificate Authority supports dual-stack. | June 23, 2025 |
| [Child domain support for Connector for AD is now generally available](https://docs.aws.amazon.com//privateca/latest/userguide/connector-for-ad-getting-started-prerequisites.html) | You can now set up Connector for AD with your child domain. | June 2, 2025 |
| [New managed policy: `AWSPrivateCAConnectoForKubernetesPolicy`](auth-AwsManagedPolicies.md#managed-policy-updates) | New managed policy introduced for use with AWS Private CA Connector for Kubernetes. | May 19, 2025 |
| [Updated `AWSPrivateCAPrivilegedUser` and `AWSPrivateCAUser` managed policies](auth-AwsManagedPolicies.md#managed-policy-updates) | Replaced `StringLike` with `ArnLike` in `AWSPrivateCAUser` and `AWSPrivateCAPrivilegedUser`. Updated template ARN to include wild cards `arn:aws:acm-pca:::template` to `arn:aws:acm-pca:*:*:template`. | January 22, 2025 |
| [Connector for SCEP is now generally available](connector-for-scep.md) | Connector for SCEP is now generally available. | September 16, 2024 |
| [New troubleshooting topic](c4adTroubleshootingUpdatedTemplate.md) | Added a new topic that helps you to troubleshoot issues related to updating your Connector for Active Directory templates. | July 31, 2024 |
| [Added how to update Connector for AD templates](update-template-connector-for-ad.md) | Added a procedure describing how to update a Connector for AD template, and how AWS Private CA propagates those updates. | July 31, 2024 |
| [Connector for SCEP for Omnissa Workspace ONE is now generally available](https://docs.aws.amazon.com/privateca/latest/userguide/connector-for-scep-omnissa.html) | Connector for SCEP for Omnissa Workspace ONE is now generally available. | July 23, 2024 |
| [Added constraint for audit reports](PcaAuditReport.md#s3-access) | AWS Private CA doesn't support the use of Amazon S3 Object Lock with buckets used for audit reports. | July 3, 2024 |
| [Now supports SM2 for China Region](PcaWelcome.md#supported-algorithms) | AWS Private CA now supports the SM2 signing algorithm, for China Region only. | June 27, 2024 |
| [AWS Private CA now supports Connector for SCEP (Preview)](connector-for-scep.md) | Use Connector for SCEP to link AWS Private CA to your SCEP-enabled clients and devices. | June 11, 2024 |
| [New connector troubleshooting guidance](c4adTroubleshootingError.md) | Added new sections on troubleshooting connector and SPN creation failures. | April 4, 2024 |
| [Adding CDP extension for Matter](API-CBR-intro.md) | Adds support for the Certificate Revocation List Distribution Point (CDP) extension for Matter. | January 25, 2024 |
| [AWS Private CA API support for mDL](MDL-intro.md) | Added API support for creating certificates that conform to the [ISO/IEC standard for mobile driving license (mDL)](https://www.iso.org/standard/69084.html). | January 16, 2024 |
| [AWS Private CA Connector for Active Directory](#dochistory) | User guide, API, and CLI support for Connector for AD. For more information, see the [Connector for AD](https://docs.aws.amazon.com/privateca/latest/userguide/connector-for-ad.html) documentation. | August 24, 2023 |
| [Changing security policy names to match new service name](#dochistory) | Adoption of new names for AWS managed IAM policies that specify standard permissions on AWS Private CA. For more information, see [AWS managed policies](https://docs.aws.amazon.com/privateca/latest/userguide/auth-AwsManagedPolicies.html). | February 13, 2023 |
| [Adding change tracker for AWS managed policies](#dochistory) | Documentation added to track changes to AWS managed IAM policies that specify standard permissions on AWS Private CA. For more information, see [Updates to AWS managed policies for AWS Private CA](https://docs.aws.amazon.com/privateca/latest/userguide/auth-AwsManagedPolicies.html#managed-policy-updates). | November 11, 2022 |
| [API and CLI support for CAs that issue short-lived certificates](#dochistory) | With the introduction of CA usage modes, a CA can be configured to issue either general-purpose or exclusively short-lived certificates. For more information, see [Certificate authority modes](https://docs.aws.amazon.com/privateca/latest/userguide/short-lived-certificates.html). | October 24, 2022 |
| [Service rebranding and console update](#dochistory) | The service is renamed to AWS Private Certificate Authority (AWS Private CA). The AWS Private CA console gets usability improvements including integrated help panels that link to complete documentation. | September 27, 2022 |
| [Matter-compliant certificate support](#dochistory) | Three new certificate templates add support for Matter-compliant CA and end-entity certificates. For more information, see [Understanding certificate templates](https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html). | July 20, 2022 |
| [New region support](#dochistory) | Endpoint added for Asia Pacific (Jakarta). For a complete list of AWS Private CA endpoints, see [ACM Private Certificate Authority Endpoints and Quotas](https://docs.aws.amazon.com/general/latest/gr/pca.html). | May 4, 2022 |
| [Support for Custom Attributes and Extensions](#dochistory) | Use the [CustomAttribute object](https://docs.aws.amazon.com/privateca/latest/userguide/JavaApi-CustomAttributes.html) to configure customized CAs and certificates, and the [CustomExtension object](https://docs.aws.amazon.com/privateca/latest/userguide/JavaApi-CustomExtensions.html) to configure customized certificates. | March 16, 2022 |
| [Support for Managed OCSP](#dochistory) | See [Setting up a certificate revocation method](https://docs.aws.amazon.com/privateca/latest/userguide/revocation-setup.html) for revocation options including OCSP. | August 18, 2021 |
| [Support for S3 Block Public Access feature for CRLs](#dochistory) | See [Enabling the S3 Block Public Access feature](https://docs.aws.amazon.com/privateca/latest/userguide/PcaCreateCa.html#s3-bpa). | May 27, 2021 |
| [New and updated Java implementation examples](#dochistory) | See [Using the ACM Private CA API (Java Examples)](https://docs.aws.amazon.com/privateca/latest/userguide/PcaApiIntro.html). | September 9, 2020 |
| [New region support](#dochistory) | Endpoints added for Africa (Cape Town) and Europe (Milan). For a complete list of AWS Private CA endpoints, see [AWS Certificate Manager Private Certificate Authority Endpoints and Quotas](https://docs.aws.amazon.com/general/latest/gr/pca.html). | August 27, 2020 |
| [Cross-account private CA access supported](#dochistory) | AWS Certificate Manager users can be authorized to issue certificates using private CAs that they do not own. For more information, see [Cross-Account Access to Private CAs](https://docs.aws.amazon.com/privateca/latest/userguide/pca-resource-sharing.html). | August 17, 2020 |
| [VPC endpoints (PrivateLink) support](#dochistory) | Added support for use of VPC endpoints (AWSPrivateLink) for enhanced network security. For more information, see [ACM Private CA VPC Endpoints (AWS PrivateLink)](https://docs.aws.amazon.com/privateca/latest/userguide/vpc-endpoints.html). | March 26, 2020 |
| [Dedicated security section added](#dochistory) | Security documentation for AWS has been consolidated into a dedicated security section. For information about security, see [Security in AWS Certificate Manager Private Certificate Authority](https://docs.aws.amazon.com/privateca/latest/userguide/security.html). | March 26, 2020 |
| [Template ARN added to audit reports.](#dochistory) | For more information, see [Creating an Audit Report for Your Private CA](https://docs.aws.amazon.com/privateca/latest/userguide/PcaAuditReport.html). | March 6, 2020 |
| [CloudFormation support](#dochistory) | Support added for CloudFormation. For more information, see [ACMPCA Resource Type Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_ACMPCA.html) in the CloudFormation User Guide. | January 22, 2020 |
| [CloudWatch Events integration](#dochistory) | Integration with CloudWatch Events for asynchronous events, including CA creation, certificate issuance, and CRL creation. For more information, see [Using CloudWatch Events](https://docs.aws.amazon.com/privateca/latest/userguide/CloudWatchEvents.html). | December 23, 2019 |
| [FIPS endpoints](#dochistory) | FIPS endpoints added for AWS GovCloud (US-East) and AWS GovCloud (US-West). For a complete list of AWS Private CA endpoints, see [AWS Certificate Manager Private Certificate Authority Endpoints and Quotas](https://docs.aws.amazon.com/general/latest/gr/pca.html). | December 13, 2019 |
| [Tag-based permissions](#dochistory) | Tag-based permissions supported using the new APIs `TagResource`, `UntagResource`, and `ListTagsForResource`. For general information about tag-based controls, see [Controlling Access to and for IAM Users and Roles Using IAM Resource Tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html). | November 5, 2019 |
| [Name constraints enforcement](#dochistory) | Added support for enforcing subject name constraints on imported CA certificates. For more information, see [Enforcing Name Constraints on a Private CA](https://docs.aws.amazon.com/privateca/latest/userguide/name_constraints.html). | October 28, 2019 |
| [New certificate templates](#dochistory) | New certificate templates added, including templates for code signing with AWS Signer. For more information, see [Using Templates](https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html). | October 1, 2019 |
| [Planning your CA](#dochistory) | New section added on planning your PKI using AWS Private CA. For more information, see [Planning Your ACM Private CA Deployment](https://docs.aws.amazon.com/privateca/latest/userguide/PcaPlanning.html). | September 30, 2019 |
| [Added region support](#dochistory) | Added region support for the AWS Asia Pacific (Hong Kong) Region. For a complete list of supported regions, see [AWS Certificate Manager Private Certificate Authority Endpoints and Quotas](https://docs.aws.amazon.com/general/latest/gr/pca.html). | July 24, 2019 |
| [Added complete private CA hierarchy support](#dochistory) | Support for creating and hosting root CAs removes need for an external parent. | June 20, 2019 |
| [Added region support](#dochistory) | Added region support for the AWS GovCloud (US-West and US-East) Regions. For a complete list of supported regions, see [AWS Certificate Manager Private Certificate Authority Endpoints and Quotas](https://docs.aws.amazon.com/general/latest/gr/pca.html). | May 8, 2019 |
| [Added region support](#dochistory) | Added region support for the AWS Asia Pacific (Mumbai and Seoul), US West (N. California), and EU (Paris and Stockholm) Regions. For a complete list of supported regions, see [AWS Certificate Manager Private Certificate Authority Endpoints and Quotas](https://docs.aws.amazon.com/general/latest/gr/pca.html). | April 4, 2019 |
| [Testing certificate renewal workflow](#dochistory) | Customers can now manually test the configuration of their ACM managed renewal workflow. For more information, see [Testing ACM's Managed Renewal Configuration](https://docs.aws.amazon.com/acm/latest/userguide/manual-renewal.html). | March 14, 2019 |
| [Added region support](#dochistory) | Added region support for the AWS EU (London) Region. For a complete list of supported regions, see [AWS Certificate Manager Private Certificate Authority Endpoints and Quotas](https://docs.aws.amazon.com/general/latest/gr/pca.html). | August 1, 2018 |
| [Restore deleted CAs](#dochistory) | Private CA restore allows customers to restore certificate authorities (CAs) for up to 30 days after they have been deleted. For more information, see [Restoring Your Private CA](https://docs.aws.amazon.com/privateca/latest/userguide/PCARestoreCA.html). | June 20, 2018 |
## Earlier Updates
The following table describes the documentation release history of AWS Private Certificate Authority before June 2018.
****
| Change | Description | Date |
| --- | --- | --- |
| New guide | This release introduces AWS Private Certificate Authority. | April 04, 2018 |