Hi Ben,
Thanks for your question. Based on public information from the ACM team, the change will come into effect at the expected renewal time of your individual leaf certificates. Additionally, any manual renewals before certificate expiration and after October 11, 2022, at 9:00 AM Pacific Time will utilize the new signing behavior described in this blog post.
Also, per the guidance in the blog post announcing this functionality change, please keep in mind that if you use intermediate CA information through certificate pinning, you will need to make changes and pin to an Amazon Trust Services root CA instead of an intermediate CA or leaf certificate.
Hello, in our applications, the leaf certificate expired in Oct 2022 but there was no impact, as the application has no dependency on it. We are using Root + ICA 2 in the application.

Certificate chaining in Oct 2022:
- Root: Starfield Services Root Certificate Authority - G2
- ICA 2: Amazon Root CA 1
- ICA 1: Amazon
- Leaf: Client

But ACM did the renewal in Feb 2023 and the application stopped working, and we found the ICA 1 was different.

Certificate chaining in Feb 2023:
- Root: Starfield Services Root Certificate Authority - G2
- ICA 2: Amazon Root CA 1
- ICA 1: Amazon RSA 2048 M02
- Leaf: Client

Please help in knowing if the expired cert pinning was the reason or pinning of ICA2 was the reason. We had nowhere pinned ICA1, which actually got changed in Feb 2023.
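An added example, not part of the original posts and not AWS code: it models the two chains quoted above with constructed fingerprints and checks which pin sets taken from the Oct 2022 chain still match after the Feb 2023 renewal. It assumes the Root and ICA 2 certificates are byte-identical in both chains; the function names and the two matching rules are hypothetical.

```python
import hashlib

def fp(label: str) -> str:
    """Constructed stand-in for the SHA-256 fingerprint of a certificate's DER bytes."""
    return hashlib.sha256(label.encode()).hexdigest()

# Chains as quoted in the post, leaf first. Fingerprints are constructed from
# labels; the model assumes Root and ICA 2 are unchanged across the renewal.
OCT_2022 = [
    ("Leaf", "Client", fp("leaf-2022")),
    ("ICA 1", "Amazon", fp("Amazon")),
    ("ICA 2", "Amazon Root CA 1", fp("Amazon Root CA 1")),
    ("Root", "Starfield Services Root Certificate Authority - G2", fp("Starfield G2")),
]
FEB_2023 = [
    ("Leaf", "Client", fp("leaf-2023")),  # a renewed leaf is a new certificate
    ("ICA 1", "Amazon RSA 2048 M02", fp("Amazon RSA 2048 M02")),
    OCT_2022[2],
    OCT_2022[3],
]

def changed_roles(old, new):
    """Roles whose certificate fingerprint differs between two chains."""
    return [role for (role, _, a), (_, _, b) in zip(old, new) if a != b]

def pins_for(chain, roles):
    """Fingerprints an application would have pinned for the given roles."""
    return {f for role, _, f in chain if role in roles}

def any_match(chain, pins):
    """Common pinning rule: accept if any certificate in the chain is pinned."""
    return any(f in pins for _, _, f in chain)

def all_present(chain, pins):
    """Stricter rule: every pinned certificate must appear in the chain."""
    return pins <= {f for _, _, f in chain}

def survives_renewal(roles, rule):
    """Pin the given roles from the Oct 2022 chain, then test the Feb 2023 chain."""
    return rule(FEB_2023, pins_for(OCT_2022, roles))
```

To apply this to a real deployment, replace the constructed fingerprints with the hashes the application actually pins and the hashes of the certificates the endpoint currently serves, since two certificates can share a subject name and still differ.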
There is a new server certificate we integrate with that has a different expiry date than what is in this blog.
Recommendation: Starfield Services Root Certificate Authority - G2 (December 31, 2037)
New Certificate: Starfield Services Root Certificate Authority - G2 (June 28, 2034)

This caused our integration with an AWS endpoint to fail. What is the advice on this scenario? What is the reason for the new certificate root to change expiry?