diff --git a/.changelog/39211.txt b/.changelog/39211.txt
new file mode 100644
index 00000000000..77ec5016be4
--- /dev/null
+++ b/.changelog/39211.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_networkfirewall_tls_inspection_configuration: Fix issue where `check_certificate_revovation_status` is ignored due to bad autoflex field mapping
+```
\ No newline at end of file
diff --git a/internal/service/networkfirewall/tls_inspection_configuration.go b/internal/service/networkfirewall/tls_inspection_configuration.go
index a1bd1b65a4e..e729b2a7b0f 100644
--- a/internal/service/networkfirewall/tls_inspection_configuration.go
+++ b/internal/service/networkfirewall/tls_inspection_configuration.go
@@ -646,10 +646,10 @@ type tlsInspectionConfigurationModel struct {
 }
 
 type serverCertificateConfigurationModel struct {
- CertificateAuthorityARN fwtypes.ARN `tfsdk:"certificate_authority_arn"`
- CheckCertificateRevocationsStatus fwtypes.ListNestedObjectValueOf[checkCertificateRevocationStatusActionsModel] `tfsdk:"check_certificate_revocation_status"`
- Scopes fwtypes.ListNestedObjectValueOf[serverCertificateScopeModel] `tfsdk:"scope"`
- ServerCertificates fwtypes.ListNestedObjectValueOf[serverCertificateModel] `tfsdk:"server_certificate"`
+ CertificateAuthorityARN fwtypes.ARN `tfsdk:"certificate_authority_arn"`
+ CheckCertificateRevocationStatus fwtypes.ListNestedObjectValueOf[checkCertificateRevocationStatusActionsModel] `tfsdk:"check_certificate_revocation_status"`
+ Scopes fwtypes.ListNestedObjectValueOf[serverCertificateScopeModel] `tfsdk:"scope"`
+ ServerCertificates fwtypes.ListNestedObjectValueOf[serverCertificateModel] `tfsdk:"server_certificate"`
 }
 
 type checkCertificateRevocationStatusActionsModel struct {
diff --git a/internal/service/networkfirewall/tls_inspection_configuration_test.go b/internal/service/networkfirewall/tls_inspection_configuration_test.go
index 6ce206e9bea..3e18c7d0bd6 100644
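Review bot: The rename of `CheckCertificateRevocationsStatus` to `CheckCertificateRevocationStatus` in serverCertificateConfigurationModel fixes the mapping, but nothing in the hunk prevents the same silent failure from recurring: a field whose name does not match the SDK member is simply not copied, and the user ends up with a TLS inspection configuration that performs no revocation checking without any error or diff. A comment on the field would make the coupling explicit, e.g. `// Name must match the SDK's ServerCertificateConfiguration.CheckCertificateRevocationStatus: AutoFlex matches by name and silently skips unmatched fields.` (by-name matching is inferred from the fix itself and the changelog wording, not shown in the hunk). If the package has expand/flatten unit tests for this model, a case asserting that a non-null check_certificate_revocation_status survives the round trip would catch future drift without an acceptance run. Unrelated nit: the release note in .changelog/39211.txt spells the attribute `check_certificate_revovation_status`.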
--- a/internal/service/networkfirewall/tls_inspection_configuration_test.go +++ b/internal/service/networkfirewall/tls_inspection_configuration_test.go @@ -220,11 +220,18 @@ func TestAccNetworkFirewallTLSInspectionConfiguration_checkCertificateRevocation commonName := acctest.RandomDomain() certificateDomainName := commonName.RandomSubdomain().String() resourceName := "aws_networkfirewall_tls_inspection_configuration.test" + testExternalProviders := map[string]resource.ExternalProvider{ + "tls": { + Source: "hashicorp/tls", + VersionConstraint: "4.0.5", + }, + } resource.ParallelTest(t, resource.TestCase{ PreCheck: func() { acctest.PreCheck(ctx, t); testAccPreCheck(ctx, t) }, ErrorCheck: acctest.ErrorCheck(t, names.NetworkFirewall), ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, + ExternalProviders: testExternalProviders, CheckDestroy: testAccCheckTLSInspectionConfigurationDestroy(ctx), Steps: []resource.TestStep{ { @@ -232,8 +239,8 @@ func TestAccNetworkFirewallTLSInspectionConfiguration_checkCertificateRevocation Check: resource.ComposeAggregateTestCheckFunc( testAccCheckTLSInspectionConfigurationExists(ctx, resourceName, &v), acctest.MatchResourceAttrRegionalARN(resourceName, names.AttrARN, "network-firewall", regexache.MustCompile(`tls-configuration/+.`)), - resource.TestCheckNoResourceAttr(resourceName, "certificate_authority"), - resource.TestCheckResourceAttr(resourceName, "certificates.#", acctest.Ct1), + resource.TestCheckNoResourceAttr(resourceName, "certificates"), + resource.TestCheckResourceAttr(resourceName, "certificate_authority.#", acctest.Ct1), resource.TestCheckResourceAttr(resourceName, names.AttrDescription, "test"), resource.TestCheckResourceAttr(resourceName, "encryption_configuration.#", acctest.Ct1), resource.TestCheckResourceAttr(resourceName, "encryption_configuration.0.key_id", "AWS_OWNED_KMS_KEY"), 
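Review bot: `resource.TestCheckNoResourceAttr(resourceName, "certificates")` in the @@ -232 hunk cannot fail for a block attribute: as far as I recall the flatmap state only carries `certificates.#` and `certificates.N.…` keys, so the bare key is never present and the check passes whether or not certificates exist (the removed `"certificate_authority"` line had the same weakness, so this is pre-existing style rather than a regression). Use the count key instead, `resource.TestCheckNoResourceAttr(resourceName, "certificates.#"),` which the helper accepts when the value is absent or "0", or be explicit with `resource.TestCheckResourceAttr(resourceName, "certificates.#", acctest.Ct0),`. The same line appears in the @@ -276 hunk of this file. The enclosing test function starts before these hunks.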
@@ -243,7 +250,7 @@ func TestAccNetworkFirewallTLSInspectionConfiguration_checkCertificateRevocation resource.TestCheckResourceAttr(resourceName, acctest.CtTagsPercent, acctest.Ct0), resource.TestCheckResourceAttr(resourceName, "tls_inspection_configuration.#", acctest.Ct1), resource.TestCheckResourceAttr(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.#", acctest.Ct1), - resource.TestCheckNoResourceAttr(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.0.certificate_authority_arn"), + resource.TestCheckResourceAttrSet(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.0.certificate_authority_arn"), resource.TestCheckResourceAttr(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.0.check_certificate_revocation_status.#", acctest.Ct1), resource.TestCheckResourceAttr(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.0.check_certificate_revocation_status.0.revoked_status_action", "REJECT"), resource.TestCheckResourceAttr(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.0.check_certificate_revocation_status.0.unknown_status_action", "PASS"), 
@@ -260,7 +267,7 @@ func TestAccNetworkFirewallTLSInspectionConfiguration_checkCertificateRevocation resource.TestCheckResourceAttr(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.0.scope.0.source_ports.#", acctest.Ct1), resource.TestCheckResourceAttr(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.0.scope.0.source_ports.0.from_port", "1024"), resource.TestCheckResourceAttr(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.0.scope.0.source_ports.0.to_port", "65534"), - resource.TestCheckResourceAttr(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.0.server_certificate.#", acctest.Ct1), + resource.TestCheckResourceAttr(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.0.server_certificate.#", acctest.Ct0), resource.TestCheckResourceAttrSet(resourceName, "tls_inspection_configuration_id"), resource.TestCheckResourceAttrSet(resourceName, "update_token"), ), @@ -276,8 +283,8 @@ func TestAccNetworkFirewallTLSInspectionConfiguration_checkCertificateRevocation Check: resource.ComposeAggregateTestCheckFunc( testAccCheckTLSInspectionConfigurationExists(ctx, resourceName, &v), acctest.MatchResourceAttrRegionalARN(resourceName, names.AttrARN, "network-firewall", regexache.MustCompile(`tls-configuration/+.`)), - resource.TestCheckNoResourceAttr(resourceName, "certificate_authority"), - resource.TestCheckResourceAttr(resourceName, "certificates.#", acctest.Ct1), + resource.TestCheckNoResourceAttr(resourceName, "certificates"), + resource.TestCheckResourceAttr(resourceName, "certificate_authority.#", acctest.Ct1), resource.TestCheckResourceAttr(resourceName, names.AttrDescription, "test"), resource.TestCheckResourceAttr(resourceName, "encryption_configuration.#", acctest.Ct1), resource.TestCheckResourceAttr(resourceName, "encryption_configuration.0.key_id", "AWS_OWNED_KMS_KEY"), 
@@ -287,7 +294,7 @@ func TestAccNetworkFirewallTLSInspectionConfiguration_checkCertificateRevocation resource.TestCheckResourceAttr(resourceName, acctest.CtTagsPercent, acctest.Ct0), resource.TestCheckResourceAttr(resourceName, "tls_inspection_configuration.#", acctest.Ct1), resource.TestCheckResourceAttr(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.#", acctest.Ct1), - resource.TestCheckNoResourceAttr(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.0.certificate_authority_arn"), + resource.TestCheckResourceAttrSet(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.0.certificate_authority_arn"), resource.TestCheckResourceAttr(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.0.check_certificate_revocation_status.#", acctest.Ct1), resource.TestCheckResourceAttr(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.0.check_certificate_revocation_status.0.revoked_status_action", "DROP"), resource.TestCheckResourceAttr(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.0.check_certificate_revocation_status.0.unknown_status_action", "PASS"), 
@@ -304,7 +311,7 @@ func TestAccNetworkFirewallTLSInspectionConfiguration_checkCertificateRevocation resource.TestCheckResourceAttr(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.0.scope.0.source_ports.#", acctest.Ct1), resource.TestCheckResourceAttr(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.0.scope.0.source_ports.0.from_port", "1024"), resource.TestCheckResourceAttr(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.0.scope.0.source_ports.0.to_port", "65534"), - resource.TestCheckResourceAttr(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.0.server_certificate.#", acctest.Ct1), + resource.TestCheckResourceAttr(resourceName, "tls_inspection_configuration.0.server_certificate_configuration.0.server_certificate.#", acctest.Ct0), resource.TestCheckResourceAttrSet(resourceName, "tls_inspection_configuration_id"), resource.TestCheckResourceAttrSet(resourceName, "update_token"), ), 
@@ -417,6 +424,39 @@ resource "aws_acm_certificate" "test" { `, rName, commonName, certificateDomainName) } +func testAccTLSInspectionConfigurationConfig_certificateCheckCertificateRevocationStatus(commonName, certificateDomainName string) string { + return fmt.Sprintf(` +resource "tls_private_key" "test" { + algorithm = "RSA" +} + +resource "tls_self_signed_cert" "test" { + private_key_pem = tls_private_key.test.private_key_pem + + subject { + common_name = %[1]q + } + + is_ca_certificate = true + set_subject_key_id = true + set_authority_key_id = true + + validity_period_hours = 9000 + + allowed_uses = [ + "cert_signing", + "crl_signing", + "digital_signature" + ] +} + +resource "aws_acm_certificate" "test" { + private_key = tls_private_key.test.private_key_pem + certificate_body = tls_self_signed_cert.test.cert_pem +} +`, commonName, certificateDomainName) +} + func testAccTLSInspectionConfigurationConfig_basic(rName, commonName, certificateDomainName string) string { return acctest.ConfigCompose(testAccTLSInspectionConfigurationConfig_certificateBase(rName, commonName, certificateDomainName), fmt.Sprintf(` resource "aws_networkfirewall_tls_inspection_configuration" "test" { @@ -539,7 +579,7 @@ resource "aws_networkfirewall_tls_inspection_configuration" "test" { } func testAccTLSInspectionConfigurationConfig_checkCertificateRevocationStatus(rName, commonName, certificateDomainName, revokedStatusAction, unknownStatusAction string) string { - return acctest.ConfigCompose(testAccTLSInspectionConfigurationConfig_certificateBase(rName, commonName, certificateDomainName), fmt.Sprintf(` + return acctest.ConfigCompose(testAccTLSInspectionConfigurationConfig_certificateCheckCertificateRevocationStatus(commonName, certificateDomainName), fmt.Sprintf(` resource "aws_networkfirewall_tls_inspection_configuration" "test" { name = %[1]q description = "test" 
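Review bot: `certificateDomainName` is accepted by testAccTLSInspectionConfigurationConfig_certificateCheckCertificateRevocationStatus and passed to fmt.Sprintf, but the template only references `%[1]q`, so the second argument is dead; go vet will not report it because surplus arguments are allowed once an indexed verb is used. Either use it or drop it — `func testAccTLSInspectionConfigurationConfig_certificateCheckCertificateRevocationStatus(commonName string) string {` and `}, commonName)` — and update the call in testAccTLSInspectionConfigurationConfig_checkCertificateRevocationStatus in the following hunk accordingly. A short header comment would also help, since the name alone does not say how this fixture differs from testAccTLSInspectionConfigurationConfig_certificateBase: `// Builds a self-signed test CA (is_ca_certificate = true) and imports it into ACM so it can be referenced as certificate_authority_arn rather than as a server_certificate.`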
@@ -551,13 +591,11 @@ resource "aws_networkfirewall_tls_inspection_configuration" "test" { tls_inspection_configuration { server_certificate_configuration { + certificate_authority_arn = aws_acm_certificate.test.arn check_certificate_revocation_status { revoked_status_action = %[2]q unknown_status_action = %[3]q } - server_certificate { - resource_arn = aws_acm_certificate.test.arn - } scope { protocols = [6]