Hi Akhilesh,
Thank you for reaching out.
The Starfield Root CA certificate is a publicly trusted root certificate that has been in existence for a while and is present in most standard trust stores. The other Amazon root CAs are also publicly trusted root certificates, but are slightly newer additions to trust stores. As you mentioned, they are cross-signed by the Starfield root to provide a seamless transition while the Amazon root certificates are becoming ubiquitously included in trust stores.
The IoT servers will present a certificate chain containing the cross-signed ATS root CA as well as the Starfield intermediate CAs. As per our documentation on server authentication, some clients will allow authentication if and only if the root CA certificate is in the trust store. Using an intermediate certificate on these clients will yield an authentication failure.
The Starfield root CA has an expiration date of Dec 31 23:59:59 2037 GMT. CA certificates have an expiration date after which they cannot be used to validate a server's certificate. CA certificates might have to be replaced before their expiration date. We recommend that you make sure that you can update the root CA certificates on all of your devices or clients to help ensure ongoing connectivity and to keep up to date with security best practices.
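The two checks the answer above implies, shown with `openssl` on a constructed chain: a verifier that requires a root as trust anchor rejects a trust store holding only the intermediate, and a trust anchor should be audited for upcoming expiry. This is an added example, not part of the original answer and not AWS code; the certificate names, file names and the functions `make_chain`, `chain_ok` and `audit_anchor` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: every certificate below is constructed, not an AWS or Starfield one.

# Build a throwaway root -> intermediate -> leaf hierarchy in directory $1.
make_chain() {
  d=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' '[dn]' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Constructed Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
    -days 30 -extfile "$d/ca.cnf" -extensions v3_ca -out "$d/int.pem" 2>/dev/null
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=constructed-endpoint.example" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 \
    -days 30 -out "$d/leaf.pem" 2>/dev/null
}

# Succeeds only if leaf $2 chains to a self-signed anchor in file $1.
# Optional $3: untrusted intermediates, as a server would send them in its chain.
chain_ok() {
  if [ -n "${3:-}" ]; then openssl verify -CAfile "$1" -untrusted "$3" "$2"
  else openssl verify -CAfile "$1" "$2"; fi >/dev/null 2>&1
}

# Classify a would-be trust anchor $1: is it a root, and does it expire within $2 days?
audit_anchor() {
  cert=$1; days=$2
  set -- $(openssl x509 -in "$cert" -noout -subject_hash -issuer_hash)
  [ "$1" = "$2" ] || { echo "not-a-root"; return 0; }   # subject != issuer
  if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
    echo "ok"
  else
    echo "rotate-soon"
  fi
}

# Demo on the constructed chain.
d=$(mktemp -d) && make_chain "$d"
chain_ok "$d/root.pem" "$d/leaf.pem" "$d/int.pem" && echo "root as anchor: verified"
chain_ok "$d/int.pem" "$d/leaf.pem" || echo "intermediate as only anchor: rejected"
echo "root, 90-day window: $(audit_anchor "$d/root.pem" 90)"
rm -rf "$d"
```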