To post a new support question, click the Post New Topic button below.
Current Version: 4.9.1 | Sytist Manual | Common Issues | Feature Requests
Please log in or Create an account to post or reply to topics.
You will still receive notifications of replies to topics you are part of even if you do not subscribe to new topic emails.
Received An Email From Amazon S3 - Question
M
Michael Weeks
296 posts
Thu Mar 19, 20 4:04 AM CST
just received this and wondered if it might cause issues with Sytist
Hello,
In 2018, AWS announced a broad migration of AWS services’ SSL/TLS certificates to our own Certificate Authority, Amazon Trust Services. Consistent with this change, and beginning March 2021, Amazon S3 and Amazon CloudFront will begin migrating the Certificate Authority for each services’ default certificate. Using our own Certificate Authority, AWS services can better manage the security practices used to handle our default certificates.
Your action may be required to ensure your applications continue normal operation after this change. If you already use other AWS services, your application most likely already trusts Amazon Trust Services as many AWS services have already migrated. Visit https://www.amazontrust.com/repository/ for more information about Amazon Trust Services.
To prepare for this migration, visit the announcement blog or review the FAQs below:
https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority/
If you have additional questions, or require additional assistance, please open a case in the AWS Support Center: https://aws.amazon.com/support
Please also monitor each services’ AWS Forums page for future updates as the migration date approaches:
Amazon S3 Forum https://forums.aws.amazon.com/forum.jspa?forumID=24
Amazon CloudFront Forum https://forums.aws.amazon.com/forum.jspa?forumID=46
Frequently Asked Questions
Q1: What is changing?
The certificate authority for Amazon S3 and Amazon CloudFront’s default certificates are changing from DigiCert to Amazon Trust Services. For S3, many regions already use Amazon Trust Services including all regional endpoints for the eu-west-3, eu-north-1, me-south-1, ap-northeast-3, ap-east-1, and us-gov-east-1 regions. S3 will be migrating the remaining AWS regions to Amazon Trust Services as well. For CloudFront, all edge locations will be migrating to Amazon Trust Services.
This does change does not impact workloads that use HTTP only or use a custom SSL/TLS certificate.
Q2: When are these changes occurring?
The changes in Certificate Authority will begin rolling out on March 1, 2021.
Q3: What do I need to do?
Evaluate whether your applications trust Amazon Trust Services’ root certificates. If your application does not trust Amazon Trust Services, perform one of the following two actions. Resolution option 1, update your client certificate trust store to include all of Amazon Trust Services’ root certificates. Resolution option 2, change the domain name your application requests to a CloudFront Alternative Domain Name (CNAME) that uses an SSL/TLS certificate from an already trusted Certificate Authority.
Q4: How do I test if my application trust Amazon Trust Services?
Verify your application works with Amazon Trust Services issued certificates, by performing one of the following tests from within your application. Test option 1, fetch the object https://s3-ats-migration-test.s3.eu-west-3.amazonaws.com/test.jpg and verify a 200 response or that you see the green check mark in the test image. Test option 2, create an S3 bucket in your AWS account in any of the following regions (eu-west-3, eu-north-1, me-south-1, ap-northeast-3, ap-east-1, and us-gov-east-1) and fetch a test object.
Q5: What root certificates are part of Amazon Trust Services?
Refer to https://www.amazontrust.com/repository/ for the current list.
Q6: What happens after March 1, 2021 if my clients do not trust Amazon Trust Services’ Certificate Authorities?
All client requests made to a default Amazon S3 or Amazon CloudFront endpoint will receive a default certificate issued from Amazon Trust Services. If the client trust store does not trust the Certificate Authority, it may close the connection and report the SSL certificate as “untrusted.”
Sincerely,
Amazon Web Services
Hello,
In 2018, AWS announced a broad migration of AWS services’ SSL/TLS certificates to our own Certificate Authority, Amazon Trust Services. Consistent with this change, and beginning March 2021, Amazon S3 and Amazon CloudFront will begin migrating the Certificate Authority for each services’ default certificate. Using our own Certificate Authority, AWS services can better manage the security practices used to handle our default certificates.
Your action may be required to ensure your applications continue normal operation after this change. If you already use other AWS services, your application most likely already trusts Amazon Trust Services as many AWS services have already migrated. Visit https://www.amazontrust.com/repository/ for more information about Amazon Trust Services.
To prepare for this migration, visit the announcement blog or review the FAQs below:
https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority/
If you have additional questions, or require additional assistance, please open a case in the AWS Support Center: https://aws.amazon.com/support
Please also monitor each services’ AWS Forums page for future updates as the migration date approaches:
Amazon S3 Forum https://forums.aws.amazon.com/forum.jspa?forumID=24
Amazon CloudFront Forum https://forums.aws.amazon.com/forum.jspa?forumID=46
Frequently Asked Questions
Q1: What is changing?
The certificate authority for Amazon S3 and Amazon CloudFront’s default certificates are changing from DigiCert to Amazon Trust Services. For S3, many regions already use Amazon Trust Services including all regional endpoints for the eu-west-3, eu-north-1, me-south-1, ap-northeast-3, ap-east-1, and us-gov-east-1 regions. S3 will be migrating the remaining AWS regions to Amazon Trust Services as well. For CloudFront, all edge locations will be migrating to Amazon Trust Services.
This does change does not impact workloads that use HTTP only or use a custom SSL/TLS certificate.
Q2: When are these changes occurring?
The changes in Certificate Authority will begin rolling out on March 1, 2021.
Q3: What do I need to do?
Evaluate whether your applications trust Amazon Trust Services’ root certificates. If your application does not trust Amazon Trust Services, perform one of the following two actions. Resolution option 1, update your client certificate trust store to include all of Amazon Trust Services’ root certificates. Resolution option 2, change the domain name your application requests to a CloudFront Alternative Domain Name (CNAME) that uses an SSL/TLS certificate from an already trusted Certificate Authority.
Q4: How do I test if my application trust Amazon Trust Services?
Verify your application works with Amazon Trust Services issued certificates, by performing one of the following tests from within your application. Test option 1, fetch the object https://s3-ats-migration-test.s3.eu-west-3.amazonaws.com/test.jpg and verify a 200 response or that you see the green check mark in the test image. Test option 2, create an S3 bucket in your AWS account in any of the following regions (eu-west-3, eu-north-1, me-south-1, ap-northeast-3, ap-east-1, and us-gov-east-1) and fetch a test object.
Q5: What root certificates are part of Amazon Trust Services?
Refer to https://www.amazontrust.com/repository/ for the current list.
Q6: What happens after March 1, 2021 if my clients do not trust Amazon Trust Services’ Certificate Authorities?
All client requests made to a default Amazon S3 or Amazon CloudFront endpoint will receive a default certificate issued from Amazon Trust Services. If the client trust store does not trust the Certificate Authority, it may close the connection and report the SSL certificate as “untrusted.”
Sincerely,
Amazon Web Services
Edited Fri Mar 20, 20 4:55 AM by Tim - PicturesPro.com
Tim - PicturesPro.com
16,207 posts
(admin)
Thu Mar 19, 20 11:31 AM CST
To the best of my knowledge there will be nothing that will need to be done.
Tim Grissett, DIA - PicturesPro.com
My Email Address: info@picturespro.com
My Email Address: info@picturespro.com
Please log in or Create an account to post or reply to topics.
Loading more pages