@@ -296,47 +296,6 @@ The following examples are intended as **copy/adapt templates**.
296296 ]
297297}
298298```
299- ---
300-
301- ## Signing algorithm selection (ACM PCA)
302-
303- The gateway supports an optional CAConnection setting `SigningAlgorithm` that controls the **certificate signature algorithm**
304- passed to AWS ACM PCA `IssueCertificate`.
305-
306- - If **not set**, the plugin will **auto-select** a compatible default based on the CA `KeyAlgorithm` returned by
307- `DescribeCertificateAuthority`.
308- - If **set**, the plugin validates the value and **rejects incompatible combinations** before calling AWS.
309-
310- ### Valid `SigningAlgorithm` values (AWS PCA)
311-
312- - RSA family: `SHA256WITHRSA`, `SHA384WITHRSA`, `SHA512WITHRSA`
313- - ECDSA family: `SHA256WITHECDSA`, `SHA384WITHECDSA`, `SHA512WITHECDSA`
314- - SM2: `SM3WITHSM2`
315- - ML-DSA (post-quantum): `ML_DSA_44`, `ML_DSA_65`, `ML_DSA_87`
316-
317- ### Allowed CA key algorithm and signing algorithm combinations
318-
319- The CA key algorithm is the PCA CA **KeyAlgorithm** (not the subject key in the CSR). The signing algorithm must match the CA key family.
320-
321- | CA KeyAlgorithm | Allowed SigningAlgorithm values |
322- |---|---|
323- | `RSA_2048`, `RSA_3072`, `RSA_4096` | `SHA256WITHRSA`, `SHA384WITHRSA`, `SHA512WITHRSA` |
324- | `EC_prime256v1`, `EC_secp384r1`, `EC_secp521r1` | `SHA256WITHECDSA`, `SHA384WITHECDSA`, `SHA512WITHECDSA` |
325- | `SM2` | `SM3WITHSM2` |
326- | `ML_DSA_44` | `ML_DSA_44` |
327- | `ML_DSA_65` | `ML_DSA_65` |
328- | `ML_DSA_87` | `ML_DSA_87` |
329-
330- ### Auto-selection defaults
331-
332- When `SigningAlgorithm` is omitted, the plugin selects:
333-
334- - RSA CAs -> `SHA256WITHRSA`
335- - EC P-256 -> `SHA256WITHECDSA`
336- - EC P-384 -> `SHA384WITHECDSA`
337- - EC P-521 -> `SHA512WITHECDSA`
338- - SM2 -> `SM3WITHSM2`
339- - ML-DSA -> exact-match (`ML_DSA_44/65/87`)
340299
341300---
342301
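Review bot: this hunk deletes the only reference in the diff for which `SigningAlgorithm` values the gateway accepts and which CA `KeyAlgorithm` family each one must match (the `SHA*WITHRSA` / `SHA*WITHECDSA` / `SM3WITHSM2` / `ML_DSA_*` table and the auto-selection defaults such as `EC_secp521r1 -> SHA512WITHECDSA`), without replacing it or pointing to where it moved. If the plugin still validates the setting and "rejects incompatible combinations before calling AWS", operators now have nothing to consult when a value is refused; if the setting itself was removed, the commit should say so and the auto-selection behaviour based on `DescribeCertificateAuthority` should be documented somewhere else. Suggest either keeping a short pointer line (e.g. "See the CAConnection reference for `SigningAlgorithm` values and CA key compatibility") in place of the removed section, or stating in the commit message why the documentation is no longer applicable.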