AWS S3 - root certificate changing
Posted: Sat Mar 21, 2020 11:42 am
I received an email from AWS saying that the root certificate for some S3 regions was going to change from March 2021.

Frequently Asked Questions

Q1: What is changing?
The certificate authority for Amazon S3 and Amazon CloudFront's default certificates is changing from DigiCert to Amazon Trust Services. For S3, many regions already use Amazon Trust Services, including all regional endpoints for the eu-west-3, eu-north-1, me-south-1, ap-northeast-3, ap-east-1, and us-gov-east-1 regions. S3 will be migrating the remaining AWS regions to Amazon Trust Services as well. For CloudFront, all edge locations will be migrating to Amazon Trust Services.
This change does not impact workloads that use HTTP only or use a custom SSL/TLS certificate.

Q2: When are these changes occurring?
The changes in Certificate Authority will begin rolling out on March 1, 2021.

Q3: What do I need to do?
Evaluate whether your applications trust Amazon Trust Services' root certificates. If your application does not trust Amazon Trust Services, perform one of the following two actions. Resolution option 1: update your client certificate trust store to include all of Amazon Trust Services' root certificates. Resolution option 2: change the domain name your application requests to a CloudFront Alternative Domain Name (CNAME) that uses an SSL/TLS certificate from an already trusted Certificate Authority.

Q4: How do I test if my application trusts Amazon Trust Services?
Verify your application works with Amazon Trust Services issued certificates by performing one of the following tests from within your application. Test option 1: fetch the object https://s3-ats-migration-test.s3.eu-wes ... m/test.jpg and verify a 200 response or that you see the green check mark in the test image. Test option 2: create an S3 bucket in your AWS account in any of the following regions (eu-west-3, eu-north-1, me-south-1, ap-northeast-3, ap-east-1, and us-gov-east-1) and fetch a test object.

Q5: What root certificates are part of Amazon Trust Services?
Refer to https://www.amazontrust.com/repository/ for the current list.

Q6: What happens after March 1, 2021 if my clients do not trust Amazon Trust Services' Certificate Authorities?
All client requests made to a default Amazon S3 or Amazon CloudFront endpoint will receive a default certificate issued from Amazon Trust Services. If the client trust store does not trust the Certificate Authority, it may close the connection and report the SSL certificate as "untrusted."

s3_root_ca_pem has the following info (and I think Baltimore CyberTrust was taken over by Digicert, for whom the old certificates will not work, so it looks like it will be affected):

Code:
$ openssl x509 -in s3-root-ca.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 33554617 (0x20000b9)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
        Validity
            Not Before: May 12 18:46:00 2000 GMT
            Not After : May 12 23:59:00 2025 GMT
        Subject: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root

Code to fetch OTA update from AWS:

Code:
esp_http_client_config_t config = {
    .url = ota_url,                       // HTTPS URL of the firmware image on S3
    .cert_pem = (char *)s3_root_ca_pem,   // root CA used to verify the S3 server certificate
    .event_handler = _http_event_handler,
    .buffer_size = 4096,
};
esp_err_t ret = esp_https_ota(&config);

I also have stored an AWS certificate that might work:

Code:
$ openssl x509 -in aws-root-ca.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            06:6c:9f:cf:99:bf:8c:0a:39:e2:f0:78:8a:43:e6:96:36:5b:ca
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Amazon, CN=Amazon Root CA 1
        Validity
            Not Before: May 26 00:00:00 2015 GMT
            Not After : Jan 17 00:00:00 2038 GMT
        Subject: C=US, O=Amazon, CN=Amazon Root CA 1

What is the best way to handle this transition in esp-idf? Do I change the certificate used now, or concatenate them both somehow so that the OTA update will use either?
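The post above asks whether both roots can be concatenated into the one buffer handed to cert_pem. As an added example that is not part of the post or of ESP-IDF, here is a plain-C preflight check for such a bundle: it assumes the bundle is embedded as a NUL-terminated string (what EMBED_TXTFILES produces), uses placeholder bodies rather than real certificate bytes, and relies on the fact that mbedtls_x509_crt_parse, which ESP-IDF's TLS layer uses for cert_pem, accepts one or more concatenated PEM certificates.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample bundle: the two roots concatenated as plain PEM text,
 * as `cat baltimore.pem amazon-root-ca-1.pem > s3_root_ca.pem` would give.
 * The bodies are placeholders, NOT real certificate bytes (assumption). */
static const char s3_root_ca_bundle[] =
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDER_BALTIMORE_CYBERTRUST_ROOT_BODY\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDER_AMAZON_ROOT_CA_1_BODY\n"
    "-----END CERTIFICATE-----\n";

/* Count well-formed PEM certificates in a NUL-terminated bundle.
 * Returns -1 if a BEGIN marker has no matching END marker: a truncated
 * concatenation would make the TLS layer reject the whole bundle at OTA time,
 * which is better caught at boot than during an update. */
int pem_bundle_count(const char *pem)
{
    static const char begin[] = "-----BEGIN CERTIFICATE-----";
    static const char end[]   = "-----END CERTIFICATE-----";
    int count = 0;
    const char *p = pem;
    for (;;) {
        const char *b = strstr(p, begin);
        if (!b) return count;                          /* no more certificates */
        const char *e = strstr(b + sizeof(begin) - 1, end);
        if (!e) return -1;                             /* BEGIN without END */
        count++;
        p = e + sizeof(end) - 1;
    }
}

/* Preflight check to run before esp_https_ota(): during the transition the
 * bundle must carry at least two roots (the old Baltimore CyberTrust Root and
 * Amazon Root CA 1) so OTA verifies whichever chain the endpoint presents.
 * cert_pem is treated as a C string, so the buffer must be NUL-terminated. */
int bundle_ready_for_transition(const char *pem, size_t len)
{
    if (len == 0 || pem[len - 1] != '\0') return 0;   /* missing terminator */
    return pem_bundle_count(pem) >= 2;
}
```

In the firmware, `s3_root_ca_bundle` (or the `_binary_..._start` symbol of the embedded file) is what goes into `.cert_pem`; once every S3 region has moved, the Baltimore root can be dropped and the check relaxed to one certificate.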