AWS ICA Change - Will our Leaf Certificates be automatically renewed and will the public key change?

0

Hello, Upon reviewing the advisory (link below) around AWS' changing of the intermediate CAs in ACM, we use certificate pinning of the Leaf Certificates in various applications. To understand how we can manage this, could anyone help us understand:

  1. Will all Leaf Certificates be automatically renewed on 7th/11th October 2022, or, will this change only come into effect at the expected renewal of each certificate?
  2. If renewed before the expected date, will this change the public key(s) of the leaf certificates?

Link: https://aws.amazon.com/blogs/security/amazon-introduces-dynamic-intermediate-certificate-authorities/

Many thanks in advance, Ben

1 Answer
1
Accepted Answer

Hi Ben,

Thanks for your question. Based on public information from the ACM team, the change will come into effect at the expected renewal time of your individual leaf certificates. Additionally, any manual renewals before certificate expiration and after October 11, 2022, at 9:00 AM Pacific Time will utilize the new signing behavior described in this blog post.

Also, per the guidance in the blog post announcing this functionality change, please keep in mind that, if you use intermediate CA information through certificate pinning, you will need to make changes and pin to an Amazon Trust Services root CA instead of an intermediate CA or leaf certificate.

awsendo
answered 2 months ago
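As an added illustration of the pinning guidance in the accepted answer (example code written for this page, not AWS's or ACM's own code): a constructed three-tier hierarchy built with Go's standard library, in which a renewal is signed by a different intermediate and, as this example assumes, the renewed leaf carries a fresh key pair. The pin is the usual base64(SHA-256(SubjectPublicKeyInfo)); the CA names and hostname are made up. Only the root pin survives the renewal, while intermediate and leaf pins break, even though both chains verify correctly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin is the common pin format: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// issue mints a certificate with a fresh P-256 key pair (constructed demo CA, not Amazon's); parent == nil gives a self-signed root.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // 128-bit random serial
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// chainOK verifies leaf -> intermediate -> root the way a TLS client does.
func chainOK(leaf, inter, root *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: leaf.DNSNames[0], Roots: roots, Intermediates: inters})
	return err == nil
}

// PinResult records which deploy-time pins still match the chain presented after renewal.
type PinResult struct {
	RootPinStable, IntermediatePinStable, LeafPinStable, OldChainOK, NewChainOK bool
}

func RunScenario() (res PinResult, err error) {
	mint := func(cn string, isCA bool, p *x509.Certificate, k *ecdsa.PrivateKey) (c *x509.Certificate, ck *ecdsa.PrivateKey) {
		if err == nil { // short-circuit after the first failure
			c, ck, err = issue(cn, isCA, p, k)
		}
		return
	}
	root, rootKey := mint("Demo Root CA", true, nil, nil)
	icaOld, icaOldKey := mint("Demo Intermediate CA 1", true, root, rootKey)
	leafOld, _ := mint("service.example.test", false, icaOld, icaOldKey) // what the app pinned at deploy time
	// Renewal after the change: a different intermediate signs, and (assumption) the leaf is re-keyed.
	icaNew, icaNewKey := mint("Demo Intermediate CA 2", true, root, rootKey)
	leafNew, _ := mint("service.example.test", false, icaNew, icaNewKey)
	if err != nil {
		return PinResult{}, err
	}
	pinnedRoot, pinnedICA, pinnedLeaf := spkiPin(root), spkiPin(icaOld), spkiPin(leafOld)
	return PinResult{
		RootPinStable:         pinnedRoot == spkiPin(root),
		IntermediatePinStable: pinnedICA == spkiPin(icaNew),
		LeafPinStable:         pinnedLeaf == spkiPin(leafNew),
		OldChainOK:            chainOK(leafOld, icaOld, root),
		NewChainOK:            chainOK(leafNew, icaNew, root),
	}, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Running `go run` prints the five booleans; the practical takeaway matches the answer: a pin set that contains only the root SPKI keeps validating across the intermediate swap and the leaf re-key, whereas any pin on the intermediate or leaf fails at the first renewal after the change.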
