AWS ICA Change - Will our Leaf Certificates be automatically renewed and will the public key change?


Hello, upon reviewing the advisory (link below) around AWS' changing of the intermediate CAs in ACM, we use certificate pinning of the Leaf Certificates in various applications. To understand how we can manage this, could anyone help us understand:

  1. Will all Leaf Certificates be automatically renewed on 7th/11th October 2022, or will this change only come into effect at the expected renewal of each certificate?
  2. If renewed before the expected date, will this change the public key(s) of the leaf certificates?


Many thanks in advance, Ben

2 Answers
Accepted Answer

Hi Ben,

Thanks for your question. Based on public information from the ACM team, the change will come into effect at the expected renewal time of your individual leaf certificates. Additionally, any manual renewals before certificate expiration and after October 11, 2022, at 9:00 AM Pacific Time will utilize the new signing behavior described in this blog post.

Also, per the guidance in the blog post announcing this functionality change, please keep in mind that if you use intermediate CA information through certificate pinning, you will need to make changes and pin to an Amazon Trust Services root CA instead of an intermediate CA or leaf certificate.

answered 2 years ago
  • There is a new server certificate we integrate with that has a different expiry date than what is in this blog.

    Recommendation: Starfield Services Root Certificate Authority - G2 (December 31, 2037)
    New Certificate: Starfield Services Root Certificate Authority - G2 (June 28, 2034)

    This caused our integration with an AWS endpoint to fail. What is the advice on this scenario? What is the reason for the new certificate root to change expiry?


Hello, in our applications, the leaf certificate expired in Oct 2022, but there was no impact as the application has no dependency on it. We are using Root + ICA 2 in the application.

Certificate chaining in Oct 2022:

  • (Root) Starfield Services Root Certificate Authority - G2
  • (ICA 2) Amazon Root CA 1
  • (ICA 1) Amazon
  • (Leaf) Client

But ACM did the renewal in Feb 2023 and the application stopped working, and we found that ICA 1 was different.

Certificate chaining in Feb 2023:

  • (Root) Starfield Services Root Certificate Authority - G2
  • (ICA 2) Amazon Root CA 1
  • (ICA 1) Amazon RSA 2048 M02
  • (Leaf) Client

Please help in knowing if the expired cert pinning was the reason or pinning of ICA2 was the reason. We had nowhere pinned ICA1, which actually got changed in Feb 2023.

answered a year ago
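
An added example (not part of any post above, and not AWS code): a standard-library model of any-match public-key pinning, run against the two chains listed in the answer above, to show which pin positions survive the ICA 1 change. The SPKI bytes are constructed placeholders rather than real key material, and the renewed leaf is assumed to carry a new key pair.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def cert(role, subject, spki):
    # Constructed stand-in for a parsed certificate; `spki` is a placeholder byte string.
    return {"role": role, "subject": subject, "spki": spki}

# Chains as listed in the answer above. Assumption: the renewed leaf has a new key pair.
ROOT = cert("root", "Starfield Services Root Certificate Authority - G2", b"spki-root")
ICA2 = cert("ICA 2", "Amazon Root CA 1", b"spki-ica2")
CHAINS = {
    "Oct 2022": [cert("leaf", "Client", b"spki-leaf-old"),
                 cert("ICA 1", "Amazon", b"spki-ica1-old"), ICA2, ROOT],
    "Feb 2023": [cert("leaf", "Client", b"spki-leaf-new"),
                 cert("ICA 1", "Amazon RSA 2048 M02", b"spki-ica1-new"), ICA2, ROOT],
}

def matched_roles(chain, pins):
    """Chain positions whose SPKI pin is in the pin set."""
    return [c["role"] for c in chain if spki_pin(c["spki"]) in pins]

def accepts(chain, pins):
    """Any-match policy: accept if at least one certificate in the chain is pinned."""
    return bool(matched_roles(chain, pins))

def audit(pin_sets, chains):
    """Per pin set: accept/reject for every chain, plus whether the set is root-anchored."""
    report = {}
    for name, pins in pin_sets.items():
        results = {label: accepts(chain, pins) for label, chain in chains.items()}
        anchored = all("root" in matched_roles(chain, pins) for chain in chains.values())
        report[name] = {"results": results, "root_anchored": anchored}
    return report

# Pins captured from the Oct 2022 chain, one pin set per chain position.
old = {c["role"]: spki_pin(c["spki"]) for c in CHAINS["Oct 2022"]}
PIN_SETS = {
    "leaf only": {old["leaf"]},
    "ICA 1 only": {old["ICA 1"]},
    "root only": {old["root"]},
}

if __name__ == "__main__":
    for name, row in audit(PIN_SETS, CHAINS).items():
        print(f"{name:11} {row}")
```

Pin sets that `audit` reports as not root-anchored are the ones to review before a renewal, since they depend on a leaf or intermediate that the issuer can replace.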
