SSL Certificate Failure

0

In some of my AWS S3 calls, I get an SSL certificate verification failure.

  • I get the failure when the root certificate received is:

```
        Version: 3 (0x2)
        Serial Number: 6615006482407801251 (0x5bcd395912d2c1a3)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=FG200FT920900358/emailAddress=support@fortinet.com
        Validity
            Not Before: Mar 18 14:38:06 2021 GMT
            Not After : Mar 19 14:38:06 2031 GMT
        Subject: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=FG200FT920900358/emailAddress=support@fortinet.com
```

  • while it succeeds whenever the root certificate received is:

```
Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
        Validity
            Not Before: Jun 29 17:39:16 2004 GMT
            Not After : Jun 29 17:39:16 2034 GMT
        Subject: C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
```

It seems the root CA behind the failing case is not present on the client machine. My questions are:

  1. Where can I find the list of root CAs that AWS S3 will present to clients?
  2. Is there a way to automatically update the root certificates on the client (whenever S3 introduces new certificates)?
satyam
Asked 2 months ago, 140 views
1 answer
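An added diagnostic for the situation in the question (not code from the question or the answer): it parses root certificates in the `openssl x509 -text -noout` layout pasted above, tells a self-signed root that belongs to an expected public CA from one that does not (the Fortinet root above, with a FortiGate device name as its CN, has the hallmarks of an SSL-inspecting firewall re-signing the connection, which no list of S3 roots will ever contain), lists the root subjects the local trust store actually holds, and runs a verified handshake whose OpenSSL error message separates "a root is missing from the store" from "a device on the path inserted its own CA". The `EXPECTED_ROOT_SUBJECTS` set (the Starfield entry is copied from the question, the Amazon Root CA entry is an assumption), the helper names and the sample values are this example's own.

```python
"""Diagnose an S3 TLS verification failure from the root certificate the client
actually received, and check whether that root is in the local trust store."""
import re
import socket
import ssl
from dataclasses import dataclass

# Roots a client should expect behind an S3 endpoint. The Starfield Class 2 subject
# is the one shown in the question; the Amazon Root CA entry is an assumption for
# this example. Replace the set with the roots your organization has verified.
EXPECTED_ROOT_SUBJECTS = {
    "C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority",
    "C=US, O=Amazon, CN=Amazon Root CA 1",
}

# Map the long attribute names used by ssl.getpeercert() to openssl's short forms.
_SHORT = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
          "organizationName": "O", "organizationalUnitName": "OU",
          "commonName": "CN", "emailAddress": "emailAddress"}

_FIELD = re.compile(
    r"^\s*(Serial Number|Signature Algorithm|Issuer|Subject|Not Before|Not After)\s*:\s*(.*)$")


@dataclass
class CertSummary:
    serial: str
    sig_alg: str
    issuer: str
    subject: str
    not_before: str
    not_after: str

    @property
    def self_signed(self) -> bool:
        """A root certificate is issued to itself."""
        return self.issuer == self.subject


def parse_openssl_text(text: str) -> CertSummary:
    """Extract the fields from `openssl x509 -text -noout` output.
    The first occurrence of each field wins (Signature Algorithm is printed twice)."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2).strip()
    missing = {"Issuer", "Subject"} - fields.keys()
    if missing:
        raise ValueError(f"certificate text lacks {sorted(missing)}")
    return CertSummary(serial=fields.get("Serial Number", ""),
                       sig_alg=fields.get("Signature Algorithm", ""),
                       issuer=fields["Issuer"], subject=fields["Subject"],
                       not_before=fields.get("Not Before", ""),
                       not_after=fields.get("Not After", ""))


def classify_root(cert: CertSummary, expected=EXPECTED_ROOT_SUBJECTS) -> str:
    """Say, from the root alone, why verification succeeded or failed."""
    if not cert.self_signed:
        return "not-a-root: issuer differs from subject, so this is an intermediate or leaf"
    if cert.subject in expected:
        return "expected-root: chain ends in a known public CA"
    return ("unexpected-root: self-signed CA outside the expected set; a device on the "
            "path (proxy or firewall) is re-signing the S3 certificate with its own CA")


def rdn_string(name) -> str:
    """Render ssl's nested-tuple name as the 'C=US, O=...' string openssl prints."""
    return ", ".join(f"{_SHORT.get(k, k)}={v}" for rdn in name for k, v in rdn)


def trusted_root_subjects() -> set[str]:
    """Subjects of the CA certificates Python loaded from the system trust store.
    Caveat: OpenSSL lists certificates from a capath directory only after using them."""
    return {rdn_string(c["subject"]) for c in ssl.create_default_context().get_ca_certs()}


def verify_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> tuple[bool, str]:
    """Normal verified handshake. Returns (True, issuer of the leaf) on success or
    (False, OpenSSL's verify message) on failure; that message already separates
    'self-signed certificate in certificate chain' (an interception CA) from
    'unable to get local issuer certificate' (a root missing from the store)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, rdn_string(tls.getpeercert()["issuer"])
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message


if __name__ == "__main__":
    import sys
    # Constructed sample: a self-signed root that is not in the expected set.
    sample = "Issuer: C=US, O=Example Firewall CA\n        Subject: C=US, O=Example Firewall CA\n"
    print(classify_root(parse_openssl_text(sample)))
    print(sorted(trusted_root_subjects()))
    if len(sys.argv) > 1:
        print(verify_endpoint(sys.argv[1]))
```

Run it as `python3 diag.py s3.amazonaws.com` to see which of the two failure messages the client gets; to feed the received root into `parse_openssl_text`, capture the chain with `openssl s_client -connect s3.amazonaws.com:443 -showcerts </dev/null` and pass the last PEM block through `openssl x509 -text -noout`. An unexpected root is a reason to find out who put it there; adding it to the trust store only makes sense when it is your own organization's sanctioned inspection proxy.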
0

To find the list of root certificate authorities (CAs) that AWS S3 will present to clients, you can check the AWS Private CA console at https://console.aws.amazon.com/acm-pca/home.

This will show all the available CAs, their status, type (root or subordinate), key algorithm and other details. The AWS-managed CAs that S3 uses should be listed here.

To automatically update root certificates on the client whenever S3 introduces new ones, a few options are:

  • Configure your client application to periodically fetch the latest list of CAs from the AWS Private CA console and update its trust store accordingly.
  • Use AWS Certificate Manager to provision and manage certificates. ACM will automatically rotate certificates and update them in CloudFront, S3 etc. so client applications don't need manual updates.
  • Leverage S3 client-side encryption which handles certificate validation and renewal without needing updates on the client-side.

Expert
Answered 2 months ago
