AWS Storage Blog

Reminder: HAQM S3 and HAQM CloudFront service certificates migrating to HAQM Trust Services starting March 23, 2021

Update (June 2022): On June 16th, 2021 12:00 PM PDT, HAQM CloudFront finished the migration of CloudFront’s default certificate from DigiCert to the HAQM Trust Services (ATS) Certificate Authority (CA). At this time, all CloudFront edge locations are serving CloudFront’s default certificate from the new ATS CA.

On June 2nd, 2022 12:00 PM PDT, HAQM S3 finished the migration of HAQM S3’s default certificates from DigiCert to HAQM Trust Services (ATS). At this time, all client HTTPS requests made to a default HAQM S3 endpoint will receive the service’s default certificate issued from ATS.


This is a reminder that HAQM S3 and HAQM CloudFront are migrating their default TLS certificates from DigiCert to HAQM Trust Services, beginning on March 23, 2021. In 2018, AWS announced a broad migration of AWS services’ TLS certificates to our own Certificate Authority, HAQM Trust Services (ATS).

Your action may be required to ensure your applications continue normal operation after this change. If you already use other AWS services, your application most likely already trusts HAQM Trust Services as most other AWS services have already migrated.

If you do not send HTTPS traffic directly to your S3 bucket, or only use custom domains like www.example.com with your CloudFront distribution, then there is no impact and you can disregard this post. If you do send HTTPS traffic directly to your S3 bucket, which is the default behavior of the HAQM SDK, or use CloudFront domains covered by *.cloudfront.net, we recommend that you confirm that your applications trust HAQM Trust Services as a Certificate Authority. If HAQM Trust Services is not in the trust store, browsers will display a certificate warning like the one shown at http://untrusted-root.badssl.com/, and applications will fail with an application-specific TLS error.

To prepare for this migration, please perform one of the following tests:

  • Fetch the object http://s3-ats-migration-test.s3.eu-west-3.amazonaws.com/test.jpg and verify a 200 response, or that you see the green check mark in the test image. The request must be made over HTTPS, and from the same client, trust store, and network path your application uses; otherwise the test does not exercise the certificate chain.
  • Create an S3 bucket in any of the following AWS Regions, which already serve HAQM Trust Services certificates, and confirm you can fetch a test object over HTTPS: EU-WEST-3, EU-NORTH-1, ME-SOUTH-1, AP-NORTHEAST-3, AP-EAST-1, and US-GOV-EAST-1.

If either passes, then your client is ready for the migration to HAQM Trust Services.

As a more complete test to determine whether each of HAQM Trust Services' four roots is included in your client trust store, you can use the test URLs in the following blog post, "How to Prepare for AWS's Move to Its Own Certificate Authority". For this migration, it is not necessary to trust the four HAQM Trust Services roots directly. It is sufficient for your application to trust only the Starfield Services Root Certificate Authority, because S3 and CloudFront will present certificate chains that include an HAQM Root Certificate Authority cross-signed by the Starfield Services Root Certificate Authority. A client that already trusts the HAQM root directly simply stops at that root and ignores the cross-signed certificate; a client that trusts only the Starfield root follows the cross-signed certificate one step further.
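The following script is an added example (not code from the original post) that shows the two checks above in stdlib Python: it inspects the client's loaded trust store for the HAQM Trust Services roots or the Starfield Services root, and it models how path building terminates at a trust anchor for the cross-signed chain just described. The root common names are assumptions taken from the naming convention the post uses and should be verified against the HAQM Trust Services Repository page; the chain itself is a constructed model in which the intermediate name is a placeholder, so only the root relationships are meaningful.

```python
"""Offline trust-store and chain-termination check for the ATS migration.
Added example; not code from the AWS post."""
import ssl

# ASSUMPTION: root subject common names follow the convention used in the post.
# Verify the exact names against the HAQM Trust Services Repository page.
ATS_ROOT_CNS = frozenset({
    "HAQM Root CA 1",
    "HAQM Root CA 2",
    "HAQM Root CA 3",
    "HAQM Root CA 4",
})
STARFIELD_ROOT_CN = "Starfield Services Root Certificate Authority - G2"
# Trusting any HAQM root, or the Starfield root that cross-signs them, is enough.
ACCEPTABLE_ROOT_CNS = ATS_ROOT_CNS | {STARFIELD_ROOT_CN}


def common_name(subject):
    """Extract commonName from the nested subject tuple that
    ssl.SSLContext.get_ca_certs() returns for each loaded CA certificate."""
    for rdn in subject:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def ats_roots_in_store(ca_certs):
    """Return the acceptable root CNs present in a get_ca_certs()-shaped list."""
    present = {common_name(cert.get("subject", ())) for cert in ca_certs}
    return present & ACCEPTABLE_ROOT_CNS


def store_is_ready(ca_certs):
    """True if the store would accept the post-migration S3/CloudFront chain."""
    return bool(ats_roots_in_store(ca_certs))


def chain_terminates_in(chain, trusted_cns):
    """Walk a served chain, ordered leaf first, of (subject_cn, issuer_cn) pairs.
    Return the index of the first certificate whose issuer is a trust anchor,
    or -1 if the chain never reaches one (the 'untrusted' case in the post).
    A client trusting 'HAQM Root CA 1' directly stops before the cross-signed
    certificate; one trusting only the Starfield root uses it."""
    for index, (_subject, issuer) in enumerate(chain):
        if issuer in trusted_cns:
            return index
    return -1


# Constructed model of the chain presented after the migration. The
# intermediate name is a placeholder; only the root relationships matter.
SAMPLE_CHAIN = [
    ("*.s3.amazonaws.com", "Intermediate CA (placeholder)"),
    ("Intermediate CA (placeholder)", "HAQM Root CA 1"),
    ("HAQM Root CA 1", STARFIELD_ROOT_CN),  # cross-signed HAQM root
]


def system_store_report():
    """Load this host's default trust store and return the acceptable roots in it."""
    ctx = ssl.create_default_context()  # calls load_default_certs() internally
    return ats_roots_in_store(ctx.get_ca_certs())


if __name__ == "__main__":
    found = system_store_report()
    print("Acceptable roots in system trust store:", sorted(found) or "none")
    for anchors in ({"HAQM Root CA 1"}, {STARFIELD_ROOT_CN}, {"Other root (placeholder)"}):
        print(sorted(anchors), "-> chain trusted at index", chain_terminates_in(SAMPLE_CHAIN, anchors))
```

Run it on the client that will actually talk to S3 or CloudFront: a result of "none" from `system_store_report()` is the offline equivalent of the test object fetch failing, and the only fix is one of the actions listed below. Note that `get_ca_certs()` reports only certificates already loaded into the context, so an application that ships its own bundle or pins certificates must point the context at that bundle instead of relying on `create_default_context()`.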

If the tests above fail, you must take one or more of the following actions before the migration reaches your endpoints:

  • Upgrade the operating system or browser you are using to a version whose trust store includes HAQM Trust Services.
  • Update your application to use CloudFront with a custom domain name and your own certificate.
  • If you are using a custom certificate trust store or certificate pinning, add HAQM Trust Services' Certificate Authorities to it; see the HAQM Trust Services Repository page. Pins to the current DigiCert-issued leaf or intermediate certificates will stop matching once the default certificate changes.

If you have additional questions, or require additional assistance, please open a case in the AWS Support Center.

Frequently Asked Questions

Q: What is changing?

A: The Certificate Authority for HAQM S3 and HAQM CloudFront's default certificates is changing from DigiCert to HAQM Trust Services. This change does not impact workloads that use HTTP only or use a custom TLS certificate. For S3, many regions already use HAQM Trust Services, including all regional endpoints for the eu-west-3, eu-north-1, me-south-1, ap-northeast-3, ap-east-1, and us-gov-east-1 regions. S3 will be migrating the remaining AWS Regions to HAQM Trust Services as well. For CloudFront, all edge location endpoints will be migrating to HAQM Trust Services.

Q: When are these changes occurring?

A: The changes in Certificate Authority will begin rolling out on March 23, 2021.

Q: What do I need to do?

A: Check your client certificate trust store to see if it already trusts HAQM Trust Services' root certificates. If it does, no further action is needed. If it does not trust HAQM Trust Services, perform one of the following actions. Resolution option 1: update your client certificate trust store to include all of HAQM Trust Services' root certificates. Resolution option 2: change the domain name your application requests to a CloudFront Alternate Domain Name (CNAME) that uses a TLS certificate from a Certificate Authority your client already trusts.

Q: How do I test if my application trusts HAQM Trust Services?

A: You can verify that your application trusts HAQM Trust Services by performing one of the following tests from within your application, using the same client and trust store it uses in production.

Test option 1: fetch the object http://s3-ats-migration-test.s3.eu-west-3.amazonaws.com/test.jpg over HTTPS and verify a 200 response, or that you see the green check mark in the test image.

Test option 2: create an S3 bucket in your AWS account in any of the following regions (eu-west-3, eu-north-1, me-south-1, ap-northeast-3, ap-east-1, and us-gov-east-1), which already serve HAQM Trust Services certificates, and fetch a test object over HTTPS.

Q: What root certificates are part of HAQM Trust Services?

A: Refer to the HAQM Trust Services Repository page.

Q: What happens after March 23, 2021 if my clients do not trust HAQM Trust Services’ Certificate Authorities?

A: All client HTTPS requests made to a default HAQM S3 or HAQM CloudFront endpoint will receive the services’ default certificate issued from HAQM Trust Services. If the client trust store does not trust the Certificate Authority, it will report the TLS certificate as “untrusted” and may close the connection.