AWS Storage Blog
Reminder: Amazon S3 and Amazon CloudFront service certificates migrating to Amazon Trust Services starting March 23, 2021
Update (June 2022): On June 16th, 2021 12:00 PM PDT, Amazon CloudFront finished the migration of CloudFront’s default certificate from DigiCert to the Amazon Trust Services (ATS) Certificate Authority (CA). At this time, all CloudFront edge locations are serving CloudFront’s default certificate from the new ATS CA.
On June 2nd, 2022 12:00 PM PDT, Amazon S3 finished the migration of Amazon S3’s default certificates from DigiCert to Amazon Trust Services (ATS). At this time, all client HTTPS requests made to a default Amazon S3 endpoint will receive the service’s default certificate issued from ATS.
This is a reminder that Amazon S3 and Amazon CloudFront are migrating their default TLS certificates from DigiCert to Amazon Trust Services, beginning on March 23, 2021. In 2018, AWS announced a broad migration of AWS services’ TLS certificates to our own Certificate Authority, Amazon Trust Services (ATS).
Your action may be required to ensure your applications continue normal operation after this change. If you already use other AWS services, your application most likely already trusts Amazon Trust Services as most other AWS services have already migrated.
If you do not send HTTPS traffic directly to your S3 bucket, or only use custom domains like www.example.com with your CloudFront distribution, then there is no impact and you can disregard this post. If you do send HTTPS traffic directly to your S3 bucket, which is the default behavior of the Amazon SDK, or use CloudFront domains covered by *.cloudfront.net, we recommend that you confirm that your applications trust Amazon Trust Services as a Certificate Authority. If Amazon Trust Services is not in the trust store, browsers will display an error message like https://untrusted-root.badssl.com/ and applications will show an application-specific error.
To prepare for this migration, please perform one of the following tests:
- Fetch the object from https://s3-ats-migration-test.s3.eu-west-3.amazonaws.com/test.jpg and verify a 200 response or that you see the green check mark in the test image.
- Create an S3 bucket in any of the following AWS Regions and confirm you can fetch a test object over HTTPS: EU-WEST-3, EU-NORTH-1, ME-SOUTH-1, AP-NORTHEAST-3, AP-EAST-1, and US-GOV-EAST-1.
If either passes, then your client is ready for the migration to Amazon Trust Services.
As a more complete test to determine if each of Amazon Trust Services’ four roots are included in your client trust store, you can use the test URLs in following blog “How to Prepare for AWS’s Move to Its Own Certificate Authority”. For this migration, it is not necessary to trust the four Amazon Trust Services roots directly. It is sufficient for your application to only trust the Starfield Services Root Certificate Authority. S3 and CloudFront will present certificate chains containing an Amazon Root Certificate Authority that is cross-signed by the Starfield Service root Certificate Authority.
If either of the first two tests identified above fail, you must do one or more of the following actions:
- Upgrade your operating system or browser that you are using.
- Update your application to use CloudFront with a custom domain name and your own certificate.
- If you are using custom certificate trust stores or certificate pinning, include Amazon Trust Services’ Certificate Authorities, see the Amazon Trust Services Repository page.
If you have additional questions, or require additional assistance, please open a case in the AWS Support Center.
Frequently Asked Questions
Q: What is changing?
A: The Certificate Authority for Amazon S3 and Amazon CloudFront’s default certificates are changing from DigiCert to Amazon Trust Services. This change does not impact workloads that use HTTP only or use a custom TLS certificate. For S3, many regions already use Amazon Trust Services including all regional endpoints for the eu-west-3, eu-north-1, me-south-1, ap-northeast-3, ap-east-1, and us-gov-east-1 regions. S3 will be migrating the remaining AWS Regions to Amazon Trust Services as well. For CloudFront, all edge location endpoints will be migrating to Amazon Trust Services.
Q: When are these changes occurring?
A: The changes in Certificate Authority will begin rolling out on March 23, 2021.
Q: What do I need to do?
A: Check your client certificate trust store to see if it already trusts Amazon Trust Services’ root certificates. If it does no further action is needed. If it does not trust Amazon Trust Services, perform one of the following actions. Resolution option 1, update your client certificate trust store to include all of Amazon Trust Services’ root certificates. Resolution option 2, change the domain name your application requests to a CloudFront Alternative Domain Name (CNAME) that uses an TLS certificate from an already trusted Certificate Authority.
Q: How do I test if my application trust Amazon Trust Services?
You can verify your application trusts Amazon Trust Services by performing one of the following tests from within your application.
Test option 1, fetch the object https://s3-ats-migration-test.s3.eu-west-3.amazonaws.com/test.jpg and verify a 200 response or that you see the green check mark in the test image.
Test option 2, create an S3 bucket in your AWS account in any of the following regions (eu-west-3, eu-north-1, me-south-1, ap-northeast-3, ap-east-1, and us-gov-east-1) and fetch a test object over HTTPS.
Q: What root certificates are part of Amazon Trust Services?
A: Refer to the Amazon Trust Services Repository page.
Q: What happens after March 23, 2021 if my clients do not trust Amazon Trust Services’ Certificate Authorities?
A: All client HTTPS requests made to a default Amazon S3 or Amazon CloudFront endpoint will receive the services’ default certificate issued from Amazon Trust Services. If the client trust store does not trust the Certificate Authority, it will report the TLS certificate as “untrusted” and may close the connection.