Current Documents

Certificate Policy

Amazon Trust Services Certificate Policy v1.0.13

Certification Practice Statement

Amazon Trust Services Certification Practice Statement v1.0.14

Subscriber Agreement

Amazon Trust Services Certificate Subscriber Agreement v1.3

Relying Party Agreement

Amazon Trust Services Relying Party Agreement v1.1

Certification Authorities

The following certificate authorities are operated according to the practices described in the above CPS.
Distinguished Names are represented using the algorithm recommended in RFC 4514.

Root CAs

| Distinguished Name | SHA-256 Hash of Subject Public Key Information | Self-Signed Certificate | Test URLs |
| --- | --- | --- | --- |
| CN=Amazon Root CA 1,O=Amazon,C=US | fbe3018031f9586bcbf41727e417b7d1c45c2f47f93be372a17b96b50757d5a2 | DER, PEM | Valid, Revoked, Expired |
| CN=Amazon Root CA 2,O=Amazon,C=US | 7f4296fc5b6a4e3b35d3c369623e364ab1af381d8fa7121533c9d6c633ea2461 | DER, PEM | Valid, Revoked, Expired |
| CN=Amazon Root CA 3,O=Amazon,C=US | 36abc32656acfc645c61b71613c4bf21c787f5cabbee48348d58597803d7abc9 | DER, PEM | Valid, Revoked, Expired |
| CN=Amazon Root CA 4,O=Amazon,C=US | f7ecded5c66047d28ed6466b543c40e0743abe81d109254dcf845d4c2c7853c5 | DER, PEM | Valid, Revoked, Expired |
| CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US | 2b071c59a0a0ae76b0eadb2bad23bad4580b69c3601b630c2eaf0613afa83f92 | DER, PEM | Valid, Revoked, Expired |

Trust Store and Pinning Recommendations

For relying parties that make use of custom trust stores, we recommend that all five of the above roots be included in the trust store. "Amazon Root CA 1 - 4" represent different key types/algorithms. "Starfield Services Root Certificate Authority - G2" is an older root that is compatible with other older trust stores and clients that cannot be updated. Including all five of the roots ensures maximum compatibility for your application.

Amazon Trust Services doesn't recommend or support pinning. If you require pinning, we recommend that you pin to the public key of the root. Applications that pin to subordinate CAs or end-entity certificates that chain to ATS roots are at a higher risk for outages. We do not recommend pinning to the attributes of a certificate associated with a root. All CAs can have multiple certificates associated with their keys. Because trust is based on keys and not certificate attributes, pinning to certificate attributes may result in unexpected behavior. If you have technical constraints that require pinning to certificate attributes, we have provided that information below.
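The distinction drawn above between a key pin and a certificate-attribute pin, as an added example that is not Amazon Trust Services code: `spki_sha256` hashes only the SubjectPublicKeyInfo element of a DER certificate, so a self-signed and a cross-signed certificate for the same root key produce the same pin while their whole-certificate hashes differ. The helper names, the dummy key and the two unsigned certificates are constructed for illustration.

```python
import hashlib

def tlv(tag: int, body: bytes) -> bytes:
    """DER-encode one element (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read(der: bytes, pos: int):
    """Return (tag, body_start, element_end) for the DER element at pos."""
    tag, n = der[pos], der[pos + 1]
    pos += 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(der[pos:pos + k], "big"), pos + k
    if pos + n > len(der):
        raise ValueError("truncated DER element")
    return tag, pos, pos + n

def spki_sha256(cert_der: bytes) -> str:
    """SHA-256 of the raw SubjectPublicKeyInfo element inside a certificate."""
    _, body, _ = read(cert_der, 0)           # Certificate
    _, pos, tbs_end = read(cert_der, body)   # tbsCertificate
    tag, _, end = read(cert_der, pos)
    if tag == 0xA0:                          # optional [0] version
        pos = end
    for _ in range(5):  # skip serial, signature alg, issuer, validity, subject
        _, _, pos = read(cert_der, pos)
    tag, _, end = read(cert_der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return hashlib.sha256(cert_der[pos:end]).hexdigest()

# Constructed sample data: unsigned, structurally valid certificates sharing one key.
def oid(hexstr: str) -> bytes:
    return tlv(0x06, bytes.fromhex(hexstr))
ALG = tlv(0x30, oid("2a8648ce3d040302"))  # ecdsa-with-SHA256
SPKI = tlv(0x30, tlv(0x30, oid("2a8648ce3d0201") + oid("2a8648ce3d030107"))
           + tlv(0x03, b"\x00\x04" + bytes(range(64))))  # dummy P-256 point
def name(cn: str) -> bytes:
    return tlv(0x30, tlv(0x31, tlv(0x30, oid("550403") + tlv(0x0C, cn.encode()))))

def make_cert(issuer_cn: str, serial: int) -> bytes:
    validity = tlv(0x30, tlv(0x17, b"250101000000Z") * 2)
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial])) + ALG
              + name(issuer_cn) + validity + name("Constructed Root") + SPKI)
    return tlv(0x30, tbs + ALG + tlv(0x03, b"\x00" + b"\x5a" * 8))  # dummy signature
```

Calling `make_cert("Constructed Root", 1)` and `make_cert("Constructed Older Root", 2)` gives two certificates with different SHA-256 certificate hashes and an identical `spki_sha256` value.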

Root CA Certificate Information

This is provided for informational purposes. We do not recommend pinning to attributes in the certificates. Amazon Root CAs have multiple certificates for each root key pair. One set is self-signed; the other set is cross-signed with the older "Starfield Services Root Certificate Authority - G2" root. We also have a cross-signed version of the certificate for "Starfield Services Root Certificate Authority - G2". It is cross-signed with an even older root managed by a different certificate authority.

| Distinguished Name | Type | Certificate Hash (SHA-256) | Certificate |
| --- | --- | --- | --- |
| CN=Amazon Root CA 1,O=Amazon,C=US | Self-signed | 8ecde6884f3d87b1125ba31ac3fcb13d7016de7f57cc904fe1cb97c6ae98196e | DER, PEM |
| CN=Amazon Root CA 1,O=Amazon,C=US | Cross-signed | 87dcd4dc74640a322cd205552506d1be64f12596258096544986b4850bc72706 | DER, PEM |
| CN=Amazon Root CA 2,O=Amazon,C=US | Self-signed | 1ba5b2aa8c65401a82960118f80bec4f62304d83cec4713a19c39c011ea46db4 | DER, PEM |
| CN=Amazon Root CA 2,O=Amazon,C=US | Cross-signed | 8b358466d66126312120645a5875a6a57e3c81d98476a967604244254eac00f0 | DER, PEM |
| CN=Amazon Root CA 3,O=Amazon,C=US | Self-signed | 18ce6cfe7bf14e60b2e347b8dfe868cb31d02ebb3ada271569f50343b46db3a4 | DER, PEM |
| CN=Amazon Root CA 3,O=Amazon,C=US | Cross-signed | 40c826fdb22ba32a2f9db4f94770f72b8b1da9c8ffda7b11e6f27af245c89b5e | DER, PEM |
| CN=Amazon Root CA 4,O=Amazon,C=US | Self-signed | e35d28419ed02025cfa69038cd623962458da5c695fbdea3c22b0bfb25897092 | DER, PEM |
| CN=Amazon Root CA 4,O=Amazon,C=US | Cross-signed | 543d9b7fc2a6471cd84fca52c2cf6159df83ebfcd88d8b08b5af3f88737f52e6 | DER, PEM |
| CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US | Self-signed | 568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab5 | DER, PEM |
| CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US | Cross-signed | 28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996 | DER, PEM |

The certificate files above are licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.

WebTrust for Certification Authorities Audits

Cross Certificates

The following certificates have a CA listed above as the subject.


Externally Operated Subordinate CAs

The following certificates have a CA listed above as the issuer.

| Certificate | Certificate Hash (SHA-256) | Additional Information |
| --- | --- | --- |
| DER, PEM | 4a1ff6bbf481170d3b773cec1f3a84de3b5096575cdbf8b08432209318ca0fbd | Constraints: Path length: 0, Policy: 2.23.140.1.2.1; Operator: DigiCert, Inc.; CP, CPS, and Audit statements; Test Website |

| Certificate | SHA-256 Hash of Subject Public Key Information | Additional Information |
| --- | --- | --- |
| DER, PEM | b394913e6850ffd338a414c91496cd7dfe437ba2ae66966beabd7f6648146db1 | Constraints: Path length: 0, Policy: 2.5.29.32.0; Operator: DigiCert, Inc.; CP, CPS, and Audit statements; Test Website |

Requests and Problem Reporting

Certificate Management

For help with using your Amazon Trust Services certificate or using AWS Certificate Manager please see: https://docs.aws.amazon.com/acm/latest/userguide/gs.html

Problem Reporting

Subscribers, Relying Parties, Application Software Suppliers, and other third parties may email ats-cert-report[at]amazon.com to report suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, misuse, and inappropriate conduct. Proof of key compromise should be submitted in either of the following formats: a CSR signed by the compromised private key with the Common Name "Proof of Key Compromise for Amazon"; or the private key itself.

Revocation Requests

Subscribers may request revocation of their own certificates by emailing ats-cert-report[at]amazon.com. All reports need to include sufficient detail to identify the specific certificates to be revoked. Requests must include a reason code as specified in the Subscriber Agreement.

General Questions

Subscribers, Relying Parties, Application Software Suppliers, and other third parties may email ats-general-questions[at]amazon.com with non-urgent questions about Amazon Trust Services. This email should not be used for revocation requests or other problem reporting related to certificates.

Requester Authorization

Applicants may limit individuals who may request certificates on their behalf and may request a list of their currently authorized certificate requesters. Requests to limit or list requesters should be addressed to validation-questions[at]amazon.com.

Archives

| Document | Effective | Superseded Date | Successor Version |
| --- | --- | --- | --- |
| Amazon Trust Services Relying Party Agreement v1.0 | October 28, 2015 | September 9, 2016 | v1.1 |
| Amazon Trust Services Certificate Subscriber Agreement v1.2 | September 9, 2016 | September 21, 2022 | v1.3 |
| Amazon Trust Services Certificate Subscriber Agreement v1.1 | November 2, 2015 | September 9, 2016 | v1.2 |
| Amazon Web Services Certificate Subscriber Agreement v1.0 | May 26, 2015 | November 2, 2015 | v1.1 |
| Amazon Trust Services Certificate Policy v1.0.12 | August 29, 2022 | July 28, 2023 | v1.0.13 |
| Amazon Trust Services Certificate Policy v1.0.11 | August 18, 2021 | August 29, 2022 | v1.0.12 |
| Amazon Trust Services Certificate Policy v1.0.10 | July 23, 2021 | August 18, 2021 | v1.0.11 |
| Amazon Trust Services Certificate Policy v1.0.9 | April 23, 2021 | July 23, 2021 | v1.0.10 |
| Amazon Trust Services Certificate Policy v1.0.8 | March 30, 2020 | April 23, 2021 | v1.0.9 |
| Amazon Trust Services Certificate Policy v1.0.7 | December 18, 2019 | March 30, 2020 | v1.0.8 |
| Amazon Trust Services Certificate Policy v1.0.6 | April 13, 2018 | December 18, 2019 | v1.0.7 |
| Amazon Trust Services Certificate Policy v1.0.5 | January 15, 2018 | April 13, 2018 | v1.0.6 |
| Amazon Trust Services Certificate Policy v1.0.4 | January 12, 2017 | January 15, 2018 | v1.0.5 |
| Amazon Trust Services Certificate Policy v1.0.3 | December 16, 2015 | January 12, 2017 | v1.0.4 |
| Amazon Trust Services Certificate Policy v1.0.2 | October 21, 2015 | December 16, 2015 | v1.0.3 |
| Amazon Web Services Certificate Policy v1.0.1 | May 26, 2015 | October 21, 2015 | v1.0.2 |
| Amazon Trust Services Certification Practice Statement v1.0.13 | August 29, 2022 | July 28, 2023 | v1.0.14 |
| Amazon Trust Services Certification Practice Statement v1.0.12 | August 18, 2021 | August 29, 2022 | v1.0.13 |
| Amazon Trust Services Certification Practice Statement v1.0.11 | July 23, 2021 | August 18, 2021 | v1.0.12 |
| Amazon Trust Services Certification Practice Statement v1.0.10 | April 23, 2021 | July 23, 2021 | v1.0.11 |
| Amazon Trust Services Certification Practice Statement v1.0.9 | March 30, 2020 | April 23, 2021 | v1.0.10 |
| Amazon Trust Services Certification Practice Statement v1.0.8 | December 17, 2019 | March 30, 2020 | v1.0.9 |
| Amazon Trust Services Certification Practice Statement v1.0.7 | April 13, 2018 | December 17, 2019 | v1.0.8 |
| Amazon Trust Services Certification Practice Statement v1.0.6 | January 15, 2018 | April 13, 2018 | v1.0.7 |
| Amazon Trust Services Certification Practice Statement v1.0.5 | January 12, 2017 | January 15, 2018 | v1.0.6 |
| Amazon Trust Services Certification Practice Statement v1.0.4 | December 16, 2015 | January 12, 2017 | v1.0.5 |
| Amazon Trust Services Certification Practice Statement v1.0.3 | October 21, 2015 | December 16, 2015 | v1.0.4 |
| Amazon Web Services Certification Practice Statement v1.0.2 | June 10, 2015 | October 21, 2015 | v1.0.3 |
| Amazon Web Services Certification Practice Statement v1.0.1 | May 26, 2015 | June 10, 2015 | v1.0.2 |

Audits
WebTrust Principles and Criteria for Certification Authorities - Version 2.2.1
WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.5
WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.7.3
WebTrust Principles and Criteria for Certification Authorities - Code Signing - Version 2.0
WebTrust Principles and Criteria for Certification Authorities - Version 2.2
WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.4.1
WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.6.8
WebTrust Principles and Criteria for Certification Authorities - Extended Validation Code Signing - Version 1.4.1
WebTrust Principles and Criteria for Certification Authorities - Code Signing - Version 1.0.1
WebTrust Principles and Criteria for Certification Authorities - Version 2.1
WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.3
WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.6.2
WebTrust Principles and Criteria for Certification Authorities - Extended Validation Code Signing - Version 1.4.1
WebTrust Principles and Criteria for Certification Authorities - Version 2.1
WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.2
WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.6.2
WebTrust Principles and Criteria for Certification Authorities - Extended Validation Code Signing - Version 1.4.1
Trust Service Principles and Criteria for Certification Authorities Version 2.0
WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.0
WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.4.5
WebTrust Principles and Criteria for Certification Authorities - Extended Validation Code Signing
Trust Service Principles and Criteria for Certification Authorities Version 2.0
WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.0
WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.4.5
WebTrust Principles and Criteria for Certification Authorities - Extended Validation Code Signing
Trust Service Principles and Criteria for Certification Authorities Version 2.0
WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.0
WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.4.5