February 27, 2023: We’ve updated question and answer #3 on this blog post.

October 7, 2022: This blog post has been updated to include a Frequently Asked Questions section at the end.

September 30, 2022: This blog post has been updated to include the addition of the CN=Starfield Services Root Certificate Authority – G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US root in the Amazon Trust Services root CA certificate chart.

AWS Certificate Manager (ACM) is a managed service that lets you provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Amazon Web Services (AWS) and your internal connected resources. Starting October 11, 2022, at 9:00 AM Pacific Time, public certificates obtained through ACM will be issued from one of the multiple intermediate certificate authorities (CAs) that Amazon manages. In this blog post, we share important details about this change and how you can prepare.

Public certificates that you request through ACM are obtained from Amazon Trust Services, which is a public certificate authority (CA) that Amazon manages. Like other public CAs, Amazon Trust Services CAs have a structured trust hierarchy. The public certificate issued to you, also known as the leaf certificate, can chain to one or more intermediate CAs and then to the Amazon Trust Services root CA. The Amazon Trust Services root CA is trusted by default by most browsers and operating systems. This is why Amazon can issue public certificates that are trusted by these systems.

Starting October 11, 2022, at 9:00 AM Pacific Time, public certificates obtained through ACM will be issued from one of the multiple intermediate CAs that Amazon manages. These intermediate CAs chain to an existing Amazon Trust Services root CA. With this change, leaf certificates issued to you will be signed by different intermediate CAs. Before this change, Amazon maintained a limited number of intermediate CAs and issued and renewed certificates from the same intermediate CAs.

Amazon is making this change to create a more resilient and agile certificate infrastructure that will help us respond more quickly to future requirements. This change also presents an opportunity to correct a known issue related to delayed revocation of a subordinate CA and help minimize the scope of impact for new risks that might emerge in the future.

Most customers won’t experience an impact from this change. Browsers and most applications will continue to work just as they do now, because these services trust the Amazon Trust Services root CA and not a specific intermediate CA. If you’re using one of the standard operating systems and web browsers that are listed in the next section of this post, you don’t need to take any action.

If you use intermediate CA information through certificate pinning, you will need to make changes and pin to an Amazon Trust Services root CA instead of an intermediate CA or leaf certificate. Certificate pinning is a process in which your application that initiates the TLS connection only trusts a specific public certificate through one or more certificate variables that you define. If the pinned certificate is replaced, your application won’t initiate the connection. AWS recommends that you don’t use certificate pinning because it introduces an availability risk. However, if your use case requires certificate pinning, AWS recommends that you pin to an Amazon Trust Services root CA instead of an intermediate CA or leaf certificate. When you pin to an Amazon Trust Services root CA, you should pin to all of the root CAs shown in the following table.

Table: Amazon Trust Services root CA certificates (column: Distinguished name)

To test that your trust store contains the Amazon Trust Services root CA, see the preceding table, which lists the Amazon Trust Services root CA certificates, and choose each test URL in the table. If the test URL works, you should see a message that says Expected Status: Good, along with the certificate chain. If the test URL doesn’t work, you will receive an error message that indicates the connection has failed.

What should I do if the Amazon Trust Services CAs are not in my trust store?
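The pin-to-root recommendation above, and the trust-store check it describes, as an added example that is not AWS or ACM code: it parses the RFC 4514 distinguished names the table prints (including the escaped comma in the Starfield root), pins only the trust anchor of an already-verified chain, and checks whether the pinned roots are present in the local CA store. The pinned set holds only the root quoted in the post; the other rows of the table, the intermediate CA names and the example.com leaf are constructed placeholders.

```python
"""Pin-to-root check for a verified TLS chain, plus a local trust-store check.
Added example, not AWS or ACM code. DNs use the RFC 4514 string form the
post's table prints, so the backslash-escaped comma must be parsed."""
import re
import ssl

# Root DN quoted in the post (ASCII hyphen, as in the certificate itself).
# The post's table lists further Amazon Trust Services roots: add them here.
STARFIELD_G2 = ("CN=Starfield Services Root Certificate Authority - G2,"
                "O=Starfield Technologies\\, Inc.,L=Scottsdale,ST=Arizona,C=US")
PINNED_ROOT_DNS = {STARFIELD_G2}
# Attribute names as Python's ssl module reports them -> RFC 4514 short names.
SSL_TO_SHORT = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
                "organizationName": "O", "organizationalUnitName": "OU", "commonName": "CN"}


def parse_dn(dn):
    """Split an RFC 4514 DN into (type, value) pairs. A backslash escapes the next
    character, so the ',' in 'Starfield Technologies\\, Inc.' stays in the value."""
    pairs = []
    for rdn in re.findall(r"(?:[^,\\]|\\.)+", dn):
        t, _, v = rdn.partition("=")
        pairs.append((t.strip().upper(), re.sub(r"\\(.)", r"\1", v.strip())))
    return tuple(pairs)

def dn_key(dn):
    """Order-insensitive form: RFC 4514 (CN first) and ASN.1 (C first) compare equal."""
    return frozenset(parse_dn(dn))

def root_pin_ok(chain_subjects, pinned=PINNED_ROOT_DNS):
    """chain_subjects: subject DNs leaf-first from the chain your TLS stack already
    verified, never the raw server-sent list. Only the trust anchor is pinned."""
    return bool(chain_subjects) and dn_key(chain_subjects[-1]) in {dn_key(p) for p in pinned}

def intermediate_pin_ok(chain_subjects, pinned_intermediate):
    """The pattern the post says to move away from: fails once the intermediate rotates."""
    return len(chain_subjects) > 1 and dn_key(chain_subjects[1]) == dn_key(pinned_intermediate)

def trust_store_has_pinned_roots(pinned=PINNED_ROOT_DNS):
    """True if every pinned root is in the CA store Python's default SSL context
    loads; an offline stand-in for the post's test-URL check."""
    present = {frozenset((SSL_TO_SHORT.get(t, t), v) for rdn in c.get("subject", ()) for t, v in rdn)
               for c in ssl.create_default_context().get_ca_certs()}
    return all(dn_key(p) in present for p in pinned)

# Constructed chains: same root, intermediate rotated (intermediate names are placeholders).
CHAIN_BEFORE = ["CN=example.com", "CN=Intermediate A (constructed)", STARFIELD_G2]
CHAIN_AFTER = ["CN=example.com", "CN=Intermediate B (constructed)", STARFIELD_G2]
```

Root pinning accepts both constructed chains, while a pin on Intermediate A fails for the rotated chain; `trust_store_has_pinned_roots()` reports whether the pinned roots are in the CA store the running Python loads, which is what the test URLs in the table exercise over the network.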