Amazon Trust Services Certificates

J
6 posts
Tue Feb 16, 21 8:52 PM CST
Hi Tim,
We received this email from Amazon AWS and are wondering if you know what we need to do, if anything. I suspect Sytist sends https traffic directly to the S3 bucket as mentioned in the first paragraph.
Thank you!

Jeff

Hello,

This is a reminder that Amazon Simple Storage Service (S3) and Amazon CloudFront are both migrating their services’ certificates from DigiCert to Amazon Trust Services starting March 23, 2021. If you do not send HTTPS traffic directly to your S3 bucket, or only use custom domains like www.example.com with your CloudFront distribution, then there is no impact and you can disregard this message. If you do send HTTPS traffic directly to your S3 bucket, or use CloudFront domains covered by *.cloudfront.net, please continue reading and review the FAQ below on which certificates are migrating.

The Amazon Trust Services Certificate Authority originates from AWS’ purchase of the Starfield Services Certificate Authority which has been valid since 2005. This means you shouldn’t have to take any action to use the certificates issued by Amazon Trust Services as it is already included in common trust stores across most web browsers, operating systems, and applications. However, if you build custom certificate trust stores or use certificate pinning, you may need to alter your configurations. As a best practice, we recommend verifying Amazon Trust Services is in your trust store with one of the following tests.

[1] Visit our blog at https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority/ and use the test URLs there.

[2] Fetch the object from https://s3-ats-migration-test.s3.eu-west-3.amazonaws.com/test.jpg and verify a 200 response or that you see the green check mark in the test image.

[3] Create an S3 bucket in any of the following AWS regions and confirm you can fetch a test object over HTTPS: EU-WEST-3, EU-NORTH-1, ME-SOUTH-1, AP-NORTHEAST-3, AP-EAST-1, and US-GOV-EAST-1.

If Amazon Trust Services is not in the trust store, browsers will display an error message like https://untrusted-root.badssl.com/ and applications will show an application-specific error. If any of the tests fail, you must do one or more of the following actions: [A] Upgrade your operating system or browser that you are using, [B] Update your application to use CloudFront with a custom domain name and your own certificate, or [C] if you are using custom certificate trust stores or certificate pinning, include Amazon Trust Services’ Certificate Authorities, see https://www.amazontrust.com/repository/.

If you have additional questions, or require additional assistance, please open a case in the AWS Support Center at https://aws.amazon.com/support.


Frequently Asked Questions
Q1: Which CloudFront certificate is migrating?
CloudFront’s global wildcard *.cloudfront.net

Q2: Which S3 certificates are migrating?
S3 has several regional certificates, and its global wildcard certificate, migrating in the following AWS regions:

Global wildcard *.s3.amazonaws.com in AP-NORTHEAST-1, AP-NORTHEAST-2, AP-NORTHEAST-3, AP-SOUTH-1, AP-SOUTHEAST-1, AP-SOUTHEAST-2, CA-CENTRAL-1, EU-CENTRAL-1, EU-NORTH-1, EU-WEST-1, EU-WEST-2, EU-WEST-3, SA-EAST-1, US-EAST-1, US-EAST-2, US-WEST-1, US-WEST-2

Regional wildcard *.s3.region.amazonaws.com in AP-NORTHEAST-1, AP-NORTHEAST-2, AP-SOUTH-1, AP-SOUTHEAST-1, AP-SOUTHEAST-2, CA-CENTRAL-1, CN-NORTH-1, CN-NORTHWEST-1, EU-CENTRAL-1, EU-WEST-1, EU-WEST-2, SA-EAST-1, US-EAST-1, US-EAST-2, US-GOV-WEST-1, US-WEST-1, US-WEST-2

FIPS wildcard *.s3-fips-us-gov-west-1.amazonaws.com in US-GOV-WEST-1



Sincerely,
Amazon Web Services
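
The trust-store check that the forwarded AWS notice recommends, as an added example that is not part of the original thread or of Sytist: it looks for the Amazon Trust Services roots in a custom CA bundle and can optionally fetch the test object named in the notice. The root common names come from general knowledge of the Amazon Trust Services repository, not from this page, and the bundle path is an assumption you supply.

```python
import ssl
import sys
import urllib.error
import urllib.request

# Test object URL quoted in the AWS notice above.
TEST_URL = "https://s3-ats-migration-test.s3.eu-west-3.amazonaws.com/test.jpg"

# Subject common names of the Amazon Trust Services roots (assumption: taken from
# general knowledge of amazontrust.com/repository, not listed on this page).
ATS_ROOT_CNS = {
    "Amazon Root CA 1", "Amazon Root CA 2", "Amazon Root CA 3", "Amazon Root CA 4",
    "Starfield Services Root Certificate Authority - G2",
}

def common_names(ca_certs):
    """Collect subject commonName values from SSLContext.get_ca_certs() output."""
    return {value
            for cert in ca_certs
            for rdn in cert.get("subject", ())
            for key, value in rdn
            if key == "commonName"}

def missing_ats_roots(ca_certs):
    """Return the ATS root names absent from the store (presence by name only)."""
    return sorted(ATS_ROOT_CNS - common_names(ca_certs))

def context_for_bundle(cafile):
    """Build a context that trusts only the given PEM bundle, like a custom store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verification and hostname check on
    ctx.load_verify_locations(cafile=cafile)       # cafile certs are loaded eagerly
    return ctx

def live_check(ctx, url=TEST_URL, timeout=10):
    """Fetch the test object through ctx and classify the outcome."""
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            return "ok" if resp.status == 200 else f"http {resp.status}"
    except urllib.error.HTTPError as exc:
        return f"http {exc.code}"  # TLS handshake succeeded, object request failed
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            return f"untrusted: {exc.reason.verify_message}"
        return f"network error: {exc.reason}"

if __name__ == "__main__":
    ctx = context_for_bundle(sys.argv[1])  # path to your PEM bundle
    print("missing roots:", missing_ats_roots(ctx.get_ca_certs()) or "none")
    if "--live" in sys.argv[2:]:
        print("live fetch:", live_check(ctx))
```

A name match shows presence only, so compare the certificates themselves against https://www.amazontrust.com/repository/ before relying on the result. The live fetch exercises only the one root that the test endpoint chains to.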
16,207 posts (admin)
Wed Feb 17, 21 7:24 AM CST
There won't be anything to do.
Tim Grissett, DIA - PicturesPro.com
My Email Address: info@picturespro.com