AWS Security Blog
ACM will no longer cross sign certificates with Starfield Class 2 starting August 2024
October 18, 2024: We’ve updated the rollout timeline, description for certificate pinning, and FAQ to reflect the latest third-party platforms that contain Amazon Trust Services certificate authority (CA) information and to answer common customer questions.
AWS Certificate Manager (ACM) is a managed service that you can use to provision, manage, and deploy public and private TLS certificates for use with Elastic Load Balancing (ELB), Amazon CloudFront, Amazon API Gateway, and other integrated AWS services. Starting August 2024, public certificates issued from ACM will terminate at the Starfield Services G2 (G2) root with subject C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority – G2 as the trust anchor. We will no longer cross sign ACM public certificates with the GoDaddy operated root Starfield Class 2 (C2) with subject C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority.
Background
Public certificates that you request through ACM are obtained from Amazon Trust Services. Like other public CAs, Amazon Trust Services CAs have a structured trust hierarchy. A public certificate issued to you, also known as the leaf certificate, chains to one or more intermediate CAs and then to the Amazon Trust Services root CA.
The Amazon Trust Services root CAs 1 to 4 are cross signed by the Amazon Trust Services root Starfield Services G2 (G2) and further by the GoDaddy-operated Starfield Class 2 root (C2). The cross signing was done to provide broader trust because Starfield Class 2 was widely trusted when ACM was launched in 2016.
What is changing?
Starting August 2024, the last certificate in an AWS issued certificate chain will be one of the Amazon Root CAs 1 to 4, where the trust anchor is Starfield Services G2. Before this change, the last certificate in the chain returned by ACM was the cross-signed Starfield Services G2 root, where the trust anchor could be Starfield Class 2.
Figure 1 shows the new chain, where the last certificate in an AWS issued certificate’s chain is one of the Amazon Root CAs (1 to 4), and the trust anchor is Starfield Services G2.
Figure 2 shows the old chain, where the last certificate in the chain is cross-signed by the Starfield Services C2 root.
Why are we making this change?
Starfield Class 2 is operated by GoDaddy, and GoDaddy intends to stop supporting Starfield Services C2 because some popular browsers such as Chromium and Mozilla will stop trusting Starfield Services C2 starting April 2025. Amazon, on behalf of its customers, has negotiated an extended timeline for GoDaddy to support Starfield Services C2 through December 31, 2025. Because the certificates that ACM issues are valid for 13 months, we are starting the transition now to make sure that no renewed certificates contain the Starfield Services C2 when GoDaddy stops support.
How will this change impact my use of ACM?
We don’t expect this change to impact most customers. Amazon-owned trust anchors have been established for over a decade across many devices and browsers. The Amazon-owned Starfield Services G2 is trusted on Android devices starting with later versions of Gingerbread, and by iOS starting at version 4.1. Amazon Root CAs 1 to 4 are trusted by iOS starting at version 11. A browser, application, or OS that includes the Amazon or Starfield Services G2 roots will trust public certificates obtained from ACM.
What should you do to prepare?
We expect the impact of removing Starfield Services C2 as a trust anchor to be limited to the following types of customers:
- Customers who don’t have one of the Amazon Trust Services root CAs in the trust store.
  - To resolve this, you can add the Amazon CAs to your trust store.
- Customers who pin to the cross-signed certificate or the certificate hash of Starfield Services G2 rather than the public key of the certificate.
  - Certificate pinning guidance can be found in the Amazon Trust repository.
- Customers who have taken a dependency on the chain length. The chain length for ACM issued public certificates will reduce from 3 to 2 as part of this change.
  - Customers who have a dependency on chain length will need to update their processes and checks to account for the new length.
Note: As a best practice, we strongly recommend that you only pin your trust to a certificate that you own completely. Don’t pin to certificates for AWS service API endpoints because you don’t own them completely. For OWASP guidance on certificate pinning, see Certificate and Public Key Pinning and Pinning Cheat Sheet.
Customers can test that their clients are able to open the Valid test certificates from the Amazon Trust Repository.
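The following is an added example, not code from this post or from AWS, that uses Go's crypto/x509 to build a throwaway stand-in for the hierarchy described above and exercise the three impacts just listed: the chain length dropping from 3 to 2, a client whose trust store holds only the Class 2 root rejecting the new chain, and a public key (SPKI) pin surviving cross signing where a hash of the whole certificate does not. All subject names are constructed labels and the keys are generated locally; no Amazon Trust Services or GoDaddy certificates or keys are involved.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a CA or leaf certificate for cn with subj's key; a nil parent makes it self-signed.
func issue(cn string, isCA bool, subj ed25519.PrivateKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, subj.Public(), signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return c
}
// BuildPKI generates a throwaway PKI shaped like the post's hierarchy (constructed names, keys of no real CA) and returns the old and new presented chains plus both candidate anchors.
func BuildPKI() (oldChain, newChain []*x509.Certificate, c2Root, g2Root *x509.Certificate) {
	key := func() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k } // crypto/rand is assumed not to fail
	c2, g2, r1, lf := key(), key(), key(), key()
	c2Root = issue("Starfield Class 2 (constructed)", true, c2, nil, c2)
	g2Root = issue("Starfield Services G2 (constructed)", true, g2, nil, g2)
	g2Cross := issue("Starfield Services G2 (constructed)", true, g2, c2Root, c2) // same key as g2Root, issued by C2
	rootCA1 := issue("Amazon Root CA 1 (constructed)", true, r1, g2Root, g2)
	leaf := issue("example.invalid", false, lf, rootCA1, r1)
	oldChain = []*x509.Certificate{leaf, rootCA1, g2Cross} // 3 certs, what ACM returned before August 2024
	newChain = []*x509.Certificate{leaf, rootCA1}          // 2 certs, what ACM returns now; G2 must be in the store
	return
}
// Verifies reports whether a client whose trust store holds only root accepts the chain a server presented (leaf first).
func Verifies(chain []*x509.Certificate, root *x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}
// SPKIPin hashes only the SubjectPublicKeyInfo, so it matches for g2Root and its cross-signed twin even though the two certificates differ; base64 it for an HPKP-style pin.
func SPKIPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
```

Run with a trust store that lacks the G2 root and the new two-certificate chain fails exactly as the first bullet above describes, while the SPKI pin of the G2 root is unchanged by the cross signing.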
FAQ
- What should I do if the Amazon Trust Services CAs aren’t in my trust store?
If your application is using a custom trust store, you must add the Amazon Trust Services root CAs to your application’s trust store. The instructions for doing this vary based on the application or service. Refer to the documentation for the application or service that you’re using.
If your tests of any of the test URLs failed, you must update your trust store. The simplest way to update your trust store is to upgrade the operating system or browser that you’re using.
The following operating systems use Amazon Trust Services CAs:
- Amazon Linux (all versions of Amazon Linux 2023 and Amazon Linux 2; Amazon Linux 1 versions after April 2011)
- Microsoft Windows versions with updates installed from May 2010, Windows 8, Windows 10, Windows 11, Windows Server 2012, and later versions
- Mac OS X 10.4 and later versions
- Apple iOS versions from iOS 5
- Red Hat Enterprise Linux releases after April 2011
- Ubuntu 12.04 LTS and later
- Debian 6.0
- Java 7 Update 75 and later versions, Java 8 Update 25 and later versions, all versions of Java 9 and later. We have verified this against Oracle Java. Customers can verify against Java versions offered by other vendors.
Modern browsers trust Amazon Trust Services CAs. To update the certificate bundle in your browser, update your browser. For instructions on how to update your browser, see the update page for your browser:
- Chrome
- Firefox
- Safari
- The Windows operating system manages certificate bundles for Internet Explorer and Microsoft Edge, so to update your browser, you must update Windows.
- Why does ACM have to change the trust anchor? Why can’t ACM continue to vend certificates cross signed with C2?
There are some rare clients that check the validity of every certificate in the chain returned by an endpoint, even when they hold a shorter-path trust anchor. If ACM continued to return the chain with the G2 root cross signed by C2, such clients might check the CRL and OCSP responses issued by Starfield Class 2, and they would see CRL and OCSP lookup failures once the CRLs or OCSP responses issued by Starfield Class 2 expire.
- When will GoDaddy deprecate the Starfield Class 2 root?
GoDaddy has not announced specific dates for deprecation of the Starfield Class 2 root. We are working with GoDaddy to minimize customer impact.
- When does the change go live?
AWS began rolling out these changes in August 2024. New and renewed public certificates that you receive from ACM no longer contain Starfield Services C2.
- What if I need more time to move away from my dependency on Starfield Services C2?
Reach out to AWS Support to understand the options available for your use case.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the AWS Certificate Manager re:Post or contact AWS Support.