[Announcement] CloudFront & S3 migrating default certificates to Amazon Trust Services March 23rd 2021


This is a reminder that Amazon Simple Storage Service (S3) and Amazon CloudFront are both migrating their services' certificates from DigiCert to Amazon Trust Services starting March 23, 2021. This includes CloudFront's *.cloudfront.net certificate and S3's *.s3.region.amazonaws.com and *.s3-region.amazonaws.com certificates in the regions noted below.

If you do not send HTTPS traffic directly to your S3 bucket, and only use custom domains like www.example.com (with your own certificate) with your CloudFront distribution, then there is no impact and you can disregard this message.

If you do send HTTPS traffic directly to your S3 bucket, or use CloudFront domains covered by *.cloudfront.net, please continue reading.

The Amazon Trust Services Certificate Authority originates from AWS' purchase of the Starfield Services Certificate Authority, whose root has been valid since 2005. This means you should not have to take any action to use the certificates issued by Amazon Trust Services, as that root is already included in the common trust stores of most web browsers, operating systems, and applications. However, if you build custom certificate trust stores or use certificate pinning, you may need to alter your configuration. If the Amazon Trust Services roots are not in the trust store, browsers will display an error message like the one at https://untrusted-root.badssl.com/, and applications will fail with an application-specific certificate verification error.

To prepare for this migration, please perform one of the following tests:
[1] Fetch the object from https://s3-ats-migration-test.s3.eu-west-3.amazonaws.com/test.jpg and verify a 200 response or that you see the green check mark in the test image.

[2] Create an S3 bucket in any of the following AWS regions and confirm you can fetch a test object over HTTPS: eu-west-3, eu-north-1, me-south-1, ap-northeast-3, ap-east-1, and us-gov-east-1.

If either passes, then your client is ready for the migration to Amazon Trust Services.

As a more complete test to determine whether each of Amazon Trust Services' four roots is included in your client trust store, you can use the test URLs in the following blog post: How to Prepare for AWS's Move to Its Own Certificate Authority. For this migration, it is not necessary to trust the four Amazon Trust Services roots directly. It is sufficient for your application to trust only the Starfield Services Root Certificate Authority: S3 and CloudFront will present certificate chains containing an Amazon Root Certificate Authority that is cross-signed by the Starfield Services Root Certificate Authority.

If neither of the first two tests identified above passes, you must do one or more of the following:

(A) Upgrade the operating system or browser you are using; (B) update your application to use CloudFront with a custom domain name and your own certificate; or (C) if you are using custom certificate trust stores or certificate pinning, include Amazon Trust Services' Certificate Authorities (see https://www.amazontrust.com/repository/).
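The following script is an added example and is not part of the AWS announcement. It covers the two checks above that a practitioner actually runs: for option (C), it lists the subject CN of every certificate in a PEM bundle and reports whether the Starfield Services root (the minimum anchor the announcement requires) and the four Amazon roots are present; for test [1], it wraps the fetch in curl, optionally verifying against only that bundle so a custom trust store is exercised instead of the system one. The root CN strings are the subject names published in the Amazon Trust Services repository linked above; the function names, the RUN_LIVE switch and the temporary files are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not AWS's code): offline check of a CA bundle for the roots
# that S3/CloudFront chains will anchor to, plus the announcement's live test.
set -u

TEST_URL="https://s3-ats-migration-test.s3.eu-west-3.amazonaws.com/test.jpg"
TEST_HOST="s3-ats-migration-test.s3.eu-west-3.amazonaws.com"

# Per the announcement, trusting this one root is sufficient: the chains
# carry an Amazon Root CA cross-signed by it. CN as published at
# https://www.amazontrust.com/repository/.
REQUIRED_ANCHOR="Starfield Services Root Certificate Authority - G2"
# The four Amazon Trust Services roots (optional for this migration).
AMAZON_ROOTS=("Amazon Root CA 1" "Amazon Root CA 2" "Amazon Root CA 3" "Amazon Root CA 4")

# Print the subject CN of every certificate in a PEM bundle, one per line.
# Each PEM block is piped to its own openssl invocation; RFC2253 output puts
# the CN first and only escapes commas, which none of these CNs contain.
bundle_subject_cns() {
  local bundle="$1"
  awk '
    /-----BEGIN CERTIFICATE-----/ { cert = ""; in_cert = 1 }
    in_cert { cert = cert $0 "\n" }
    /-----END CERTIFICATE-----/ {
      in_cert = 0
      cmd = "openssl x509 -noout -subject -nameopt RFC2253"
      print cert | cmd
      close(cmd)
    }' "$bundle" | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# Return 0 if the bundle contains the required Starfield Services root,
# 1 otherwise. Also reports which of the four Amazon roots are present.
check_bundle() {
  local bundle="$1" cns cn status=1
  cns="$(bundle_subject_cns "$bundle")"
  if printf '%s\n' "$cns" | grep -qxF "$REQUIRED_ANCHOR"; then
    echo "OK: $bundle trusts '$REQUIRED_ANCHOR'"
    status=0
  else
    echo "MISSING: '$REQUIRED_ANCHOR' is not in $bundle" >&2
  fi
  for cn in "${AMAZON_ROOTS[@]}"; do
    if printf '%s\n' "$cns" | grep -qxF "$cn"; then
      echo "present: $cn"
    else
      echo "absent:  $cn"
    fi
  done
  return "$status"
}

# Test [1] from the announcement: expect "200" using the system trust store.
live_test_http() {
  curl -sS -o /dev/null -w '%{http_code}\n' "$TEST_URL"
}

# Same fetch, verified against ONLY the given bundle. If the bundle lacks the
# Starfield root, curl exits 60 (certificate verify failed), which is exactly
# what a pinned or custom trust store will hit after the migration.
live_test_with_bundle() {
  curl -sS --cacert "$1" -o /dev/null -w '%{http_code}\n' "$TEST_URL"
}

# Show the subject/issuer of each certificate the endpoint actually presents,
# so you can see the Amazon Root CA -> Starfield cross-sign in the chain.
live_show_chain() {
  openssl s_client -connect "$TEST_HOST:443" -servername "$TEST_HOST" \
    -showcerts </dev/null 2>/dev/null | grep -E '^ *[0-9]+ s:|^ *i:'
}

# Network calls only when explicitly requested, so sourcing this file for the
# offline bundle check never touches the network.
if [ "${RUN_LIVE:-0}" = "1" ]; then
  live_show_chain
  live_test_http
  [ $# -ge 1 ] && live_test_with_bundle "$1"
fi
```

Usage: `source ats-check.sh; check_bundle /path/to/your/custom-bundle.pem` for the offline check, or `RUN_LIVE=1 bash ats-check.sh /path/to/your/custom-bundle.pem` to also run the live test against both the system store and your bundle. A bundle that passes `check_bundle` but whose `live_test_with_bundle` fails is the signal that something other than the trust anchor (for example a pinned leaf or intermediate) is blocking the new chain.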

If you have additional questions, or require additional assistance, please open a case in the AWS Support Center at https://aws.amazon.com/support.

  • This is an announcement migrated from AWS Forums that does not require an answer

Asked 3 years ago, 192 views