AWS Certificate Manager is a managed service that you can use to provision, manage, and deploy public and private TLS certificates for use with Elastic Load Balancing, Amazon CloudFront, Amazon API Gateway, and other integrated AWS services.
Starting August 2024, public certificates issued by ACM will terminate at the Starfield Services G2 root, with subject C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2, as the trust anchor.
We will no longer cross-sign ACM public certificates with the GoDaddy operated root Starfield Class 2, with subject C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority.
Public certificates that you request through ACM are obtained from Amazon Trust Services.
A public certificate issued to you, also known as the leaf certificate, chains to one or more intermediate CAs and then to an Amazon Trust Services root CA. The Amazon Trust Services root CAs 1 to 4 are cross-signed by the Amazon Trust Services root Starfield Services G2, which is in turn cross-signed by the GoDaddy operated Starfield Class 2 root.
The cross signing was done to provide broader trust because Starfield Class 2 was widely trusted when ACM was launched in 2016.
Starting August 2024, the last certificate in an AWS issued certificate chain will be one of Amazon Root CAs 1 to 4 where the trust anchor is Starfield Services G2. Currently, the last certificate in the chain that is returned by ACM is the cross-signed Starfield Services G2 root where the trust anchor could be Starfield Class 2, as shown in Figure 1 that follows.
Figure 1: Certificate chain for ACM prior to August 2024.
Figure 2 shows the new chain, where the last certificate in an AWS issued certificate's chain is one of the Amazon Root CAs, and the trust anchor is Starfield Services G2.
Figure 2: New certificate chain for ACM starting in August 2024.
To align with this, ACM is removing the trust anchor dependency on the Starfield Class 2 (C2) root.
Amazon owned trust anchors have been established for over a decade across many devices and browsers.
The Amazon owned Starfield Services G2 is trusted on Android devices starting with later versions of Gingerbread, and by iOS starting at version 4.1.
Amazon Root CAs 1 to 4 are trusted by iOS starting at version 11.
Two groups of customers are affected by this change: customers who don't have one of the Amazon Trust Services root CAs in their trust store, and customers who pin to the cross-signed certificate or to the certificate hash of Starfield Services G2 rather than to the public key of the certificate.
The chain length for ACM issued public certificates will be reduced from 3 to 2 as part of this change.
Customers can test whether their clients are able to open the Valid test certificates published in the Amazon Trust Repository.
If your application is using a custom trust store, you must add the Amazon Trust Services root CAs to your application's trust store.
The simplest way to update your trust store is to upgrade the operating system or browser that you're using.
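The two checks a practitioner would want for the points above, pinning to the public key rather than to a certificate hash, and confirming that a custom trust store carries the G2 root itself, as an added shell example built on openssl. This is not AWS's code and nothing in it is Amazon Trust Services material: it constructs a throwaway "Example Legacy Root" (standing in for Starfield Class 2), an "Example G2 Root" (standing in for Starfield Services G2) issued both self-signed and cross-signed from the same key, and a leaf for the made-up name example.test, then shows why the old chain verified against a legacy-only trust store while the new one does not.

```shell
#!/bin/sh
# Added example, not AWS's code. All keys and certificates are generated
# locally with openssl so the script runs offline; the CA names are stand-ins.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for CA and leaf certificates (unnamed default section).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > leaf.ext

# csr NAME SUBJECT: fresh 2048-bit RSA key plus CSR, quietly.
csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" >/dev/null 2>&1
}
csr legacy "/O=Example/CN=Example Legacy Root"
csr g2     "/O=Example/CN=Example G2 Root"
csr leaf   "/CN=example.test"

# Legacy root (self-signed), the anchor older clients already trust.
openssl x509 -req -in legacy.csr -signkey legacy.key -days 365 \
  -extfile ca.ext -out legacy.pem >/dev/null 2>&1
# G2, form 1: self-signed root, the anchor of the new chain.
openssl x509 -req -in g2.csr -signkey g2.key -days 365 \
  -extfile ca.ext -out g2-self.pem >/dev/null 2>&1
# G2, form 2: same key and subject, cross-signed by the legacy root. This is
# the extra certificate the old chain carried.
openssl x509 -req -in g2.csr -CA legacy.pem -CAkey legacy.key -CAcreateserial \
  -days 365 -extfile ca.ext -out g2-cross.pem >/dev/null 2>&1
# Leaf issued under the G2 name; it chains to either form of G2 by name.
openssl x509 -req -in leaf.csr -CA g2-self.pem -CAkey g2.key -CAcreateserial \
  -days 365 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# Pin check: SHA-256 over the whole DER certificate differs between the two
# forms of G2, so a certificate-hash pin breaks when the cross-sign is dropped.
cert_sha256() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
# SHA-256 over the SubjectPublicKeyInfo is identical for both forms, because
# the key is the same. If a CA must be pinned at all, pin this value.
spki_sha256() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# verify_leaf STORE [UNTRUSTED]: succeeds when leaf.pem chains to a root in
# STORE, optionally using an untrusted intermediate sent with the leaf.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1
  fi
}

# trust_store_has_cn BUNDLE CN: lists every subject in a PEM bundle via a
# PKCS#7 wrapper and greps for the CN, tolerating "CN=" and "CN = " formats.
trust_store_has_cn() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
    | grep -E "^subject=.*CN ?= ?$2\$" >/dev/null
}

echo "cert hash, self-signed G2 : $(cert_sha256 g2-self.pem)"
echo "cert hash, cross-signed G2: $(cert_sha256 g2-cross.pem)"
echo "SPKI hash, self-signed G2 : $(spki_sha256 g2-self.pem)"
echo "SPKI hash, cross-signed G2: $(spki_sha256 g2-cross.pem)"

# A custom trust store that only knows the legacy root.
cp legacy.pem store.pem
# Old chain: the cross-signed G2 travels with the leaf, so this store suffices.
verify_leaf store.pem g2-cross.pem && echo "old chain, legacy-only store: OK"
# New chain: no cross-signed certificate, so the store must trust G2 itself.
verify_leaf store.pem || echo "new chain, legacy-only store: FAIL (expected)"
trust_store_has_cn store.pem "Example G2 Root" || echo "store lacks G2 root, adding it"
cat g2-self.pem >> store.pem
verify_leaf store.pem && echo "new chain, store with G2 root: OK"
```

Run it with any openssl 1.1.1 or 3.x binary; the four hash lines make the pinning point visible, and the three verify lines reproduce the before/after behaviour of a trust store that has not yet been updated.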
If ACM continues to return the chain with the G2 root cross-signed by C2, such clients might check the CRL and OCSP responses issued by Starfield Class 2.
This Cyber News was published on aws.amazon.com. Publication date: Thu, 27 Jun 2024 20:43:06 +0000