My application might be impacted by the migration of Amazon Simple Storage Service (Amazon S3) and Amazon CloudFront certificates to Amazon Trust Services. I want to verify that the Amazon Trust Services Certificate Authorities (CAs) are in my trust store.
Short description
As of March 23, 2021, AWS will start migrating the Secure Sockets Layer/Transport Layer Security (SSL/TLS) CA for Amazon S3 and CloudFront from DigiCert to Amazon Trust Services.
Application traffic that matches any of the following scenarios isn't impacted by this migration:
- HTTP traffic
- HTTPS traffic to CloudFront using custom domains and certificates
- HTTPS traffic to S3 buckets in AWS Regions where S3 is already using Amazon Trust Services for its certificates (eu-west-3, eu-north-1, me-south-1, ap-northeast-3, ap-east-1, or us-gov-east-1)
Resolution
You must confirm that your applications trust Amazon Trust Services as a CA if either of the following is true:
- You send HTTPS traffic directly to S3 buckets in Regions that aren't listed above.
- You send HTTPS traffic to CloudFront domains that are covered by *.cloudfront.net.
If you use other AWS services, your application might already trust Amazon Trust Services. Many AWS services, such as Amazon Elastic Compute Cloud (Amazon EC2) and Amazon DynamoDB, already migrated their CAs.
Certificates issued by Amazon Trust Services are already included in trust stores across most web browsers, operating systems, and applications. You might not need to update your configurations to handle the migration, but there are exceptions. If you build custom certificate trust stores or use certificate pinning, then you might need to update your configurations. If Amazon Trust Services isn't in your trust store, you'll see error messages in browsers (see Example) and applications.
To verify that Amazon Trust Services is in your trust store, run one of the following tests from the system that you use to connect to an Amazon S3 or CloudFront endpoint:
- Retrieve a test object from this test URL. Then, verify that you are either getting a 200 response or seeing the green check mark in the test image.
- Create an Amazon S3 bucket in one of the following AWS Regions: eu-west-3, eu-north-1, me-south-1, ap-northeast-3, ap-east-1, or us-gov-east-1. (S3 buckets in these Regions already use Amazon Trust Services certificates.) Then, retrieve a test object from the bucket over HTTPS.
If any of these tests are successful, then your client is ready for migration to Amazon Trust Services.
To verify that each of the four root CAs of Amazon Trust Services is included in your trust store, do the following:
For this migration, your application doesn't need to trust the Amazon Trust Services root CAs directly. It's sufficient if your application trusts the Starfield Services Root CA. Amazon S3 and CloudFront will present certificate chains with an Amazon root CA that's cross-signed by the Starfield Services Root CA.
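The following script is an added example (not code from the AWS article) that inspects a trust store for the four Amazon Root CAs and the Starfield Services root described above, and reports readiness the way the article defines it: the Starfield Services root alone is sufficient, otherwise all four Amazon roots should be present. It also serves the custom-trust-store case below, since the extra_cafile parameter lets you point it at an application's own PEM bundle. The bundle paths in COMMON_BUNDLE_PATHS are assumed locations for common Linux and macOS layouts, and the certificate common names are the published subject names of the Amazon Trust Services roots.

```python
"""Check a TLS trust store for the Amazon Trust Services root CAs.

Added example, not part of the AWS article. Uses only the standard-library
ssl module; the bundle paths below are assumptions for common platforms.
"""
import os
import ssl

# Subject common names (CN) of the Amazon Trust Services root CAs.
AMAZON_ROOT_CNS = frozenset({
    "Amazon Root CA 1",
    "Amazon Root CA 2",
    "Amazon Root CA 3",
    "Amazon Root CA 4",
})
# The cross-signing root that the article says is sufficient on its own.
STARFIELD_ROOT_CN = "Starfield Services Root Certificate Authority - G2"

# Assumed locations of PEM bundles; adjust for your platform.
COMMON_BUNDLE_PATHS = (
    "/etc/ssl/certs/ca-certificates.crt",   # Debian/Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",     # RHEL/Amazon Linux
    "/etc/ssl/cert.pem",                    # Alpine, macOS (LibreSSL)
)


def subject_cn(cert_dict):
    """Return the CN from a certificate dict as produced by SSLContext.get_ca_certs()."""
    for rdn in cert_dict.get("subject", ()):
        for attr_type, attr_value in rdn:
            if attr_type == "commonName":
                return attr_value
    return None


def assess(common_names):
    """Report which Amazon Trust Services roots are present among the given subject CNs.

    Readiness follows the article: trusting the Starfield Services root is
    sufficient; otherwise all four Amazon roots should be present.
    """
    present = set(common_names)
    amazon_present = sorted(AMAZON_ROOT_CNS & present)
    amazon_missing = sorted(AMAZON_ROOT_CNS - present)
    starfield_present = STARFIELD_ROOT_CN in present
    if starfield_present or not amazon_missing:
        status = "ready"
    elif amazon_present:
        status = "partial"
    else:
        status = "missing"
    return {
        "status": status,
        "ready": status == "ready",
        "starfield_present": starfield_present,
        "amazon_present": amazon_present,
        "amazon_missing": amazon_missing,
    }


def load_trust_store_cns(bundle_paths=COMMON_BUNDLE_PATHS, extra_cafile=None):
    """Collect subject CNs from the default trust store plus any PEM bundles found.

    get_ca_certs() only lists certificates that were loaded eagerly, so a CA
    directory (capath) can appear empty; loading a bundle file avoids that.
    extra_cafile lets you inspect an application's custom trust store.
    """
    ctx = ssl.create_default_context()
    candidates = tuple(bundle_paths) + ((extra_cafile,) if extra_cafile else ())
    for path in candidates:
        if path and os.path.isfile(path):
            try:
                ctx.load_verify_locations(cafile=path)
            except ssl.SSLError:
                pass  # unreadable or non-PEM bundle; skip it
    cns = []
    for cert in ctx.get_ca_certs():
        cn = subject_cn(cert)
        if cn:
            cns.append(cn)
    return cns


def check_system_trust_store(extra_cafile=None):
    """Run the assessment against this host's trust store (and an optional custom bundle)."""
    return assess(load_trust_store_cns(extra_cafile=extra_cafile))


if __name__ == "__main__":
    report = check_system_trust_store()
    print("status:", report["status"])
    print("Starfield Services root present:", report["starfield_present"])
    print("Amazon roots present:", ", ".join(report["amazon_present"]) or "none")
    print("Amazon roots missing:", ", ".join(report["amazon_missing"]) or "none")
```

A "partial" result means some Amazon roots are present but not all of them and the Starfield Services root is absent; that is the case to investigate before the migration date, because the chain your client sees may terminate at one of the missing roots. Pass extra_cafile="/path/to/app-bundle.pem" (placeholder) to evaluate an application's custom trust store instead of relying on the operating system's store.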
If either of the two tests above fails, then the Amazon Trust Services CAs aren't in your trust store. Update your trust store to include the Amazon Trust Services CAs by doing one or more of the following:
- Upgrade your operating system or web browser.
- Update your application to use CloudFront with a custom domain name and your own certificate.
- If your application is using a custom trust store, then you must add the Amazon root CAs to your application's trust store.
- If you're using certificate pinning to lock down the CAs that you trust, then you must adjust your pinning to include the Amazon Trust Services CAs.
- Most AWS SDKs and AWS Command Line Interfaces (AWS CLIs) aren't impacted by the migration. But if you're using a version of the Python AWS SDK or AWS CLI released before October 29, 2013, then you must upgrade your certificates.
Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
Related information
How to prepare for AWS move to its own Certificate Authority