Migration of AWS SSL/TLS certificates to their own Certificate Authority, Amazon Trust Services

The AWS changes in Certificate Authority will begin rolling out on March 1, 2021.

Is Let’sEcrypt included in that migration?
I wonder if my Let’sEcrypt certs run on AWS Lightsail after March 1, 2021.
Perhaps this is a question for AWS


Can you elaborate more on this point?

I got this email today. Pasted below.

And no, it doesn’t affect your use of Let’s Encrypt at all.


In 2018, AWS announced a broad migration of AWS services’ SSL/TLS certificates to our own Certificate Authority, Amazon Trust Services. Consistent with this change, and beginning March 2021, Amazon S3 and Amazon CloudFront will begin migrating the Certificate Authority for each services’ default certificate. Using our own Certificate Authority, AWS services can better manage the security practices used to handle our default certificates.

Your action may be required to ensure your applications continue normal operation after this change. If you already use other AWS services, your application most likely already trusts Amazon Trust Services as many AWS services have already migrated. Visit https://www.amazontrust.com/repository/ for more information about Amazon Trust Services.

To prepare for this migration, visit the announcement blog or review the FAQs below:

If you have additional questions, or require additional assistance, please open a case in the AWS Support Center: https://aws.amazon.com/support

Please also monitor each services’ AWS Forums page for future updates as the migration date approaches:
Amazon S3 Forum https://forums.aws.amazon.com/forum.jspa?forumID=24
Amazon CloudFront Forum https://forums.aws.amazon.com/forum.jspa?forumID=46

Frequently Asked Questions
Q1: What is changing?
The certificate authority for Amazon S3 and Amazon CloudFront’s default certificates are changing from DigiCert to Amazon Trust Services. For S3, many regions already use Amazon Trust Services including all regional endpoints for the eu-west-3, eu-north-1, me-south-1, ap-northeast-3, ap-east-1, and us-gov-east-1 regions. S3 will be migrating the remaining AWS regions to Amazon Trust Services as well. For CloudFront, all edge locations will be migrating to Amazon Trust Services.

This does change does not impact workloads that use HTTP only or use a custom SSL/TLS certificate.

Q2: When are these changes occurring?
The changes in Certificate Authority will begin rolling out on March 1, 2021.

Q3: What do I need to do?
Evaluate whether your applications trust Amazon Trust Services’ root certificates. If your application does not trust Amazon Trust Services, perform one of the following two actions. Resolution option 1, update your client certificate trust store to include all of Amazon Trust Services’ root certificates. Resolution option 2, change the domain name your application requests to a CloudFront Alternative Domain Name (CNAME) that uses an SSL/TLS certificate from an already trusted Certificate Authority.

Q4: How do I test if my application trust Amazon Trust Services?
Verify your application works with Amazon Trust Services issued certificates, by performing one of the following tests from within your application. Test option 1, fetch the object https://s3-ats-migration-test.s3.eu-west-3.amazonaws.com/test.jpg and verify a 200 response or that you see the green check mark in the test image. Test option 2, create an S3 bucket in your AWS account in any of the following regions (eu-west-3, eu-north-1, me-south-1, ap-northeast-3, ap-east-1, and us-gov-east-1) and fetch a test object.

Q5: What root certificates are part of Amazon Trust Services?
Refer to https://www.amazontrust.com/repository/ for the current list.

Q6: What happens after March 1, 2021 if my clients do not trust Amazon Trust Services’ Certificate Authorities?
All client requests made to a default Amazon S3 or Amazon CloudFront endpoint will receive a default certificate issued from Amazon Trust Services. If the client trust store does not trust the Certificate Authority, it may close the connection and report the SSL certificate as “untrusted.”

Amazon Web Services

Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.