Current documents
- Certificate Policy / Certification Practice Statement
- Amazon Trust Services Certificate Policy / Certification Practice Statement v2.2
- Subscriber Agreement
- Amazon Trust Services Certificate Subscriber Agreement v1.3
- Relying Party Agreement
- Amazon Trust Services Relying Party Agreement v1.1
Certification authorities
Trust store and pinning recommendations
If you require pinning then we recommend that you pin to the public key of the root. Applications that pin to subordinate CAs or end-entity certificates that chain to ATS roots are at a higher risk for outages. We do not recommend pinning to the attributes of a certificate associated with a root. All CAs can have multiple certificates associated with their keys. Because trust is based on keys and not certificate attributes, pinning to certificate attributes may result in unexpected behavior. If you have technical constraints that require pinning to certificate attributes we have provided that information below.
For relying parties that make use of custom trust stores we recommend that all five of the above roots be included in the trust store. "Amazon Root CA 1 - 4" represent different key types/algorithms. "Starfield Services Root Certificate Authority - G2" is an older root that is compatible with other older trust stores and clients that cannot be updated. Including all five of the roots ensures maximum compatibility for your application.
Root certificates with the "EU" designation in the CN will be used for certificate issuance in the AWS European Sovereign Cloud region only. These roots are pending inclusion in public root store programs. End-entity certificates issued from the AWS European Sovereign Cloud region will be trusted in public root store programs that follow the cross-signed certificates issued from our existing "Amazon Root CA 1, 3, and 4" roots.
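As an added illustration of the pinning recommendation in this section (not Amazon Trust Services code), the Go program below certifies one constructed root key twice, once self-signed and once cross-signed by a constructed older root, and compares a pin on the subject public key information with a pin on the whole certificate. The subject names, keys and helper functions are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error to keep the example short; production code should return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// keyPin hashes the DER SubjectPublicKeyInfo; certPin hashes the whole DER certificate.
func keyPin(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo)) }
func certPin(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

// issue returns a CA certificate for key's public key, signed by signer under the issuer name.
func issue(subject, issuer string, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuer}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der))
}

// constructedPair certifies one constructed root key twice: self-signed and cross-signed by an older root.
func constructedPair() (self, cross *x509.Certificate) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	olderKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	self = issue("Example Root", "Example Root", rootKey, rootKey)
	cross = issue("Example Root", "Example Older Root", rootKey, olderKey)
	return self, cross
}

func main() {
	self, cross := constructedPair()
	fmt.Println("key pin identical across both certificates: ", keyPin(self) == keyPin(cross))
	fmt.Println("cert pin identical across both certificates:", certPin(self) == certPin(cross))
}
```

A client that pinned the certificate hash of the self-signed copy would reject a chain that presents the cross-signed copy, even though both certify the same key.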
Root CAs
The following certificate authorities are operated according to the practices described in the above CPS.
Distinguished names are represented using the algorithm recommended in RFC 4514.
Distinguished name | SHA-256 hash of subject public key information | Self-signed certificate | Test URLs |
|---|---|---|---|
CN=Amazon Root CA 1,O=Amazon,C=US | fbe3018031f9586bcbf41727e417b7d1c45c2f47f93be372a17b96b50757d5a2 | ||
CN=Amazon Root CA 2,O=Amazon,C=US | 7f4296fc5b6a4e3b35d3c369623e364ab1af381d8fa7121533c9d6c633ea2461 | ||
CN=Amazon Root CA 3,O=Amazon,C=US | 36abc32656acfc645c61b71613c4bf21c787f5cabbee48348d58597803d7abc9 | ||
CN=Amazon Root CA 4,O=Amazon,C=US | f7ecded5c66047d28ed6466b543c40e0743abe81d109254dcf845d4c2c7853c5 | ||
CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies, Inc.,C=US,S=Arizona,L=Scottsdale | 2b071c59a0a0ae76b0eadb2bad23bad4580b69c3601b630c2eaf0613afa83f92 | ||
* CN=Amazon RSA 2048 Root EU M1,O=Amazon,C=DE | 8d935558e6a3c896330148ffdf6a1ac0a5bfba1ab44545135a3b376c9a1a308d | ||
* CN=Amazon ECDSA 256 Root EU M1,O=Amazon,C=DE | 9565907725464be0bff44b1232f85ee862a9a0d99db971ba20344aaf41431d58 | ||
* CN=Amazon ECDSA 384 Root EU M1,O=Amazon,C=DE | 798fe10957e8c5a0874201caf09d5ef4b2e2412c47bf991949566cb542d3af3f |
Root CA certificate information
Amazon Root CAs have multiple certificates for each root key pair.
For the "Amazon Root CAs [1-4]", one set of certificates is self-signed and the other set is cross-signed with the older "Starfield Services Root Certificate Authority - G2" root.
We also have a cross-signed version of the certificate for "Starfield Services Root Certificate Authority - G2". It is cross-signed with an even older root managed by a different certificate authority.
One set of the EU root CAs is self-signed and the others are cross-signed by "Amazon Root CA [1,3,4]", respectively. Cross-signed versions of our EU roots will be distributed in the AWS European Sovereign Cloud region only. These cross-signs establish a trusted path to our existing roots that are already included in major root store programs.
Distinguished name | Type | SHA-256 hash | Certificate |
|---|---|---|---|
CN=Amazon Root CA 1,O=Amazon,C=US | Self-signed | 8ecde6884f3d87b1125ba31ac3fcb13d7016de7f57cc904fe1cb97c6ae98196e | |
CN=Amazon Root CA 1,O=Amazon,C=US | Cross-signed | 87dcd4dc74640a322cd205552506d1be64f12596258096544986b4850bc72706 | |
CN=Amazon Root CA 2,O=Amazon,C=US | Self-signed | 1ba5b2aa8c65401a82960118f80bec4f62304d83cec4713a19c39c011ea46db4 | |
CN=Amazon Root CA 2,O=Amazon,C=US | Cross-signed | 8b358466d66126312120645a5875a6a57e3c81d98476a967604244254eac00f0 | |
CN=Amazon Root CA 3,O=Amazon,C=US | Self-signed | 18ce6cfe7bf14e60b2e347b8dfe868cb31d02ebb3ada271569f50343b46db3a4 | |
CN=Amazon Root CA 3,O=Amazon,C=US | Cross-signed | 40c826fdb22ba32a2f9db4f94770f72b8b1da9c8ffda7b11e6f27af245c89b5e | |
CN=Amazon Root CA 4,O=Amazon,C=US | Self-signed | e35d28419ed02025cfa69038cd623962458da5c695fbdea3c22b0bfb25897092 | |
CN=Amazon Root CA 4,O=Amazon,C=US | Cross-signed | 543d9b7fc2a6471cd84fca52c2cf6159df83ebfcd88d8b08b5af3f88737f52e6 | |
CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies, Inc.,C=US,S=Arizona,L=Scottsdale | Self-signed | 568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab5 | |
CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies, Inc.,C=US,S=Arizona,L=Scottsdale | Cross-signed | 28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996 | |
CN=Amazon RSA 2048 Root EU M1,O=Amazon,C=DE | * Self-signed | eaffac50c7e3e15a68f779a5e70ec2f5e9fc4a03ff69ab337b4d6c4510432395 | |
CN=Amazon RSA 2048 Root EU M1,O=Amazon,C=DE | Cross-signed | bddb011e995a62b9f58507944e04f8a624888ef4c0c41c79cab032168c86b83b | |
CN=Amazon ECDSA 256 Root EU M1,O=Amazon,C=DE | * Self-signed | 9ead32c9285fe68ba2c5b0fe427d149b103fdfa1d0958d77c3da0ff246e853d3 | |
CN=Amazon ECDSA 256 Root EU M1,O=Amazon,C=DE | Cross-signed | f35a8a529ee51c24078d36a00b918c5080aedca0611e5be55831b4cb66f2c2f5 | |
CN=Amazon ECDSA 384 Root EU M1,O=Amazon,C=DE | * Self-signed | 8e136ce0e77c848f2d2910abd4e3a764358bb1b7a4932202bc9b915732462d85 | |
CN=Amazon ECDSA 384 Root EU M1,O=Amazon,C=DE | Cross-signed | c5df074e1c3a2eaec742930beda6c1a429db293f96a8f1db3b1436d772b7c483 |
The certificate files above are licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.
WebTrust for Certification Authorities audits
- WebTrust for Certification Authorities (CA)
- WebTrust Principles and Criteria for Certification Authorities - Version 2.2.2
- WebTrust for Baseline Requirements
- WebTrust Principles and Criteria for Certification Authorities - SSL Baseline - Version 2.8
- WebTrust for Extended Validation
- WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.8
- WebTrust for Code Signing Baseline Requirements
- WebTrust Principles and Criteria for Certification Authorities - Code Signing Baseline Requirements - Version 3.7
- WebTrust for Network Security
- WebTrust Principles and Criteria for Certification Authorities - Network Security - Version 1.7
Requests and problem reporting
Certificate management
For help with using your Amazon Trust Services certificate or using AWS Certificate Manager, please see: https://docs.aws.amazon.com/acm/latest/userguide/gs.html
Problem reporting
Subscribers, relying parties, application software suppliers, and other third parties may email ats-certificate-report[at]amazon.com to report suspected private key compromise, certificate misuse, or other types of fraud, compromise, misuse, and inappropriate conduct. Proof of key compromise should be submitted in either of the following formats: a CSR signed by the compromised private key with the common name "Proof of Key Compromise for Amazon"; or the private key itself.
Revocation requests
Subscribers may request revocation of their own certificates by emailing ats-certificate-report[at]amazon.com. All reports need to include sufficient detail to identify the specific certificates to be revoked. Requests must include a reason code as specified in the Subscriber Agreement.
General questions
Subscribers, relying parties, application software suppliers, and other third parties may email ats-general-questions[at]amazon.com with non-urgent questions about Amazon Trust Services. This email should not be used for revocation requests or other problem reporting related to certificates.
Requester authorization
Applicants may limit individuals who may request certificates on their behalf and may request a list of their currently authorized certificate requesters. Requests to limit or list requesters should be addressed to validation-questions[at]amazon.com.
Cross-signed and externally operated subordinate CAs certificates
View the list of cross-signed and externally operated subordinate CAs certificates.
Archives
Document | Effective | Superseded date | Successor version |
|---|---|---|---|
October 28, 2015 | September 9, 2016 | v1.1 | |
September 9, 2016 | September 21, 2022 | v1.3 | |
November 2, 2015 | September 9, 2016 | v1.2 | |
May 26, 2015 | November 2, 2015 | v1.1 | |
October 20, 2025 | November 27, 2025 | v2.2 | |
July 23, 2025 | October 20, 2025 | v2.1 | |
July 24, 2024 | July 23, 2025 | v2.0 | |
July 28, 2023 | July 24, 2024 | v1.0.14 | |
August 29, 2022 | July 28, 2023 | v1.0.13 | |
August 18, 2021 | August 29, 2022 | v1.0.12 | |
July 23, 2021 | August 18, 2021 | v1.0.11 | |
April 23, 2021 | July 23, 2021 | v1.0.10 | |
March 30, 2020 | April 23, 2021 | v1.0.9 | |
December 18, 2019 | March 30, 2020 | v1.0.8 | |
April 13, 2018 | December 18, 2019 | v1.0.7 | |
January 15, 2018 | April 13, 2018 | v1.0.6 | |
January 12, 2017 | January 15, 2018 | v1.0.5 | |
December 16, 2015 | January 12, 2017 | v1.0.4 | |
October 21, 2015 | December 16, 2015 | v1.0.3 | |
May 26, 2015 | October 21, 2015 | v1.0.2 | |
July 24, 2024 | July 23, 2025 | v2.0 | |
July 28, 2023 | July 24, 2024 | v1.0.15 | |
August 29, 2022 | July 28, 2023 | v1.0.14 | |
August 18, 2021 | August 29, 2022 | v1.0.13 | |
July 23, 2021 | August 18, 2021 | v1.0.12 | |
April 23, 2021 | July 23, 2021 | v1.0.11 | |
March 30, 2020 | April 23, 2021 | v1.0.10 | |
December 17, 2019 | March 30, 2020 | v1.0.9 | |
April 13, 2018 | December 17, 2019 | v1.0.8 | |
January 15, 2018 | April 13, 2018 | v1.0.7 | |
January 12, 2017 | January 15, 2018 | v1.0.6 | |
December 16, 2015 | January 12, 2017 | v1.0.5 | |
October 21, 2015 | December 16, 2015 | v1.0.4 | |
June 10, 2015 | October 21, 2015 | v1.0.3 | |
May 26, 2015 | June 10, 2015 | v1.0.2 |
Audit | Start date | End date |
|---|---|---|
January 16, 2023 | January 15, 2024 | |
January 16, 2023 | January 15, 2024 | |
January 16, 2023 | January 15, 2024 | |
January 16, 2023 | January 15, 2024 | |
January 16, 2023 | January 15, 2024 | |
January 16, 2023 | January 15, 2024 | |
January 16, 2022 | January 15, 2023 | |
January 16, 2022 | January 15, 2023 | |
January 16, 2022 | January 15, 2023 | |
January 16, 2022 | January 15, 2023 | |
January 16, 2021 | January 15, 2022 | |
January 16, 2021 | January 15, 2022 | |
January 16, 2021 | January 15, 2022 | |
January 16, 2021 | January 15, 2022 | |
January 16, 2020 | January 15, 2021 | |
January 16, 2020 | January 15, 2021 | |
January 16, 2020 | January 15, 2021 | |
January 16, 2020 | January 15, 2021 | |
January 16, 2020 | January 15, 2021 | |
January 16, 2019 | January 15, 2020 | |
January 16, 2019 | January 15, 2020 | |
January 16, 2019 | January 15, 2020 | |
January 16, 2019 | January 15, 2020 | |
January 16, 2018 | January 15, 2019 | |
January 16, 2018 | January 15, 2019 | |
January 16, 2018 | January 15, 2019 | |
January 16, 2018 | January 15, 2019 | |
January 16, 2017 | January 15, 2018 | |
January 16, 2017 | January 15, 2018 | |
January 16, 2017 | January 15, 2018 | |
January 16, 2017 | January 15, 2018 | |
January 16, 2016 | January 15, 2017 | |
January 16, 2016 | January 15, 2017 | |
January 16, 2016 | January 15, 2017 | |
January 16, 2016 | January 15, 2017 | |
January 16, 2015 | January 15, 2016 | |
January 16, 2015 | January 15, 2016 | |
January 16, 2015 | January 15, 2016 |
Starfield Services Root Certificate Authority - G2
View the certificate policy and certification practice statements under which the Starfield Services Root Certificate Authority - G2 was operated prior to Amazon Trust Services acquisition.