SSL Certificate Failure

0

In some of my AWS S3 calls, I get an SSL certificate verify failure.

  • Got a failure with this root certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6615006482407801251 (0x5bcd395912d2c1a3)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=FG200FT920900358/emailAddress=support@fortinet.com
        Validity
            Not Before: Mar 18 14:38:06 2021 GMT
            Not After : Mar 19 14:38:06 2031 GMT
        Subject: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=FG200FT920900358/emailAddress=support@fortinet.com
  • while it succeeds whenever the root certificate received is:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
        Validity
            Not Before: Jun 29 17:39:16 2004 GMT
            Not After : Jun 29 17:39:16 2034 GMT
        Subject: C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority

It seems that the root CA from the former (failing) case is not present on the client machine. My questions are:

  1. Where can I find the list of root CAs that AWS S3 will present to the client?
  2. Is there a way to automatically update the root certificates on the client (whenever S3 introduces new certificates)?
1 Answer
0

To find the list of root certificate authorities (CAs) that AWS S3 will present to clients, you can check the AWS Private CA console at https://console.aws.amazon.com/acm-pca/home.

This will show all the available CAs, their status, type (root or subordinate), key algorithm and other details. The AWS-managed CAs that S3 uses should be listed here.

To automatically update root certificates on the client whenever S3 introduces new ones, a few options are:

  • Configure your client application to periodically fetch the latest list of CAs from the AWS Private CA console and update its trust store accordingly.
  • Use AWS Certificate Manager to provision and manage certificates. ACM will automatically rotate certificates and update them in CloudFront, S3, etc., so client applications don't need manual updates.
  • Leverage S3 client-side encryption, which handles certificate validation and renewal without needing updates on the client side.

EXPERT
answered 2 months ago
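A small check for the comparison the question makes by hand, added here as an example and not part of the original post or answer: it reads the Issuer and Subject lines of an `openssl x509 -text` style dump, reports whether the root is self-signed, and whether it is one of the roots the client is configured to expect. The allow-list is an assumption the reader fills from their own trust policy; the Starfield entry is the working root quoted above.

```python
"""Parse `openssl x509 -text`-style root dumps and check them against the
roots a client expects to see at the top of an S3 certificate chain."""
import re

# Constructed sample input: the two roots quoted in the question, trimmed to
# the fields this check reads.
FAILING_ROOT = """\
Data:
        Serial Number: 6615006482407801251 (0x5bcd395912d2c1a3)
        Issuer: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=FG200FT920900358/emailAddress=support@fortinet.com
        Subject: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=FG200FT920900358/emailAddress=support@fortinet.com
"""
WORKING_ROOT = """\
Data:
        Serial Number: 0 (0x0)
        Issuer: C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
        Subject: C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
"""

# Assumption: the reader fills this allow-list from their own trust policy.
# The Starfield entry is the root quoted as working in the question.
EXPECTED_ROOTS = {
    "C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority",
}


def field(dump, name):
    """Return the value of a `Name: value` line from the text dump."""
    m = re.search(rf"^\s*{re.escape(name)}: (.+)$", dump, re.MULTILINE)
    if m is None:
        raise ValueError(f"{name} not found in certificate dump")
    return m.group(1).strip()


def dn_attr(dn, key):
    """Pick one attribute (e.g. 'O') out of an OpenSSL one-line DN.
    Split only on ', ' that starts a new attribute, so 'Inc.' stays in O."""
    parts = re.split(r", (?=[A-Za-z]+=)", dn)
    return dict(p.split("=", 1) for p in parts).get(key)


def check_root(dump, expected=EXPECTED_ROOTS):
    """Classify a root: who issued it, is it self-signed, is it expected?
    An unexpected self-signed root should be investigated, not trusted."""
    issuer, subject = field(dump, "Issuer"), field(dump, "Subject")
    self_signed = issuer == subject
    return {
        "organization": dn_attr(subject, "O"),
        "self_signed": self_signed,
        "expected": self_signed and subject in expected,
    }
```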
