Current Documents
Certificate Policy
Amazon Trust Services Certificate Policy v1.0.14
Certification Practice Statement
Amazon Trust Services Certification Practice Statement v.1.0.15
Subscriber Agreement
Amazon Trust Services Certificate Subscriber Agreement v1.3
Relying Party Agreement
Amazon Trust Services Relying Party Agreement v1.1
Certification Authorities
The following certificate authorities are operated according to the practices described in the above CPS.
Distinguished Names are represented using the algorithm recommended in RFC 4514.
Root CAs
Distinguished Name | SHA-256 Hash of Subject Public Key Information | Self-Signed Certificate | Test URLs |
---|---|---|---|
CN=Amazon Root CA 1,O=Amazon,C=US | fbe3018031f9586bcbf41727e417b7d1c45c2f47f93be372a17b96b50757d5a2 | DER PEM | Valid Revoked Expired |
CN=Amazon Root CA 2,O=Amazon,C=US | 7f4296fc5b6a4e3b35d3c369623e364ab1af381d8fa7121533c9d6c633ea2461 | DER PEM | Valid Revoked Expired |
CN=Amazon Root CA 3,O=Amazon,C=US | 36abc32656acfc645c61b71613c4bf21c787f5cabbee48348d58597803d7abc9 | DER PEM | Valid Revoked Expired |
CN=Amazon Root CA 4,O=Amazon,C=US | f7ecded5c66047d28ed6466b543c40e0743abe81d109254dcf845d4c2c7853c5 | DER PEM | Valid Revoked Expired |
CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US | 2b071c59a0a0ae76b0eadb2bad23bad4580b69c3601b630c2eaf0613afa83f92 | DER PEM | Valid Revoked Expired |
Trust Store and Pinning Recommendations
For relying parties that use custom trust stores, we recommend including all five of the above roots in the trust store. "Amazon Root CA 1 - 4" represent different key types/algorithms. "Starfield Services Root Certificate Authority - G2" is an older root that is compatible with other older trust stores and clients that cannot be updated. Including all five of the roots ensures maximum compatibility for your application.
Amazon Trust Services doesn't recommend or support pinning. If you require pinning then we recommend that you pin to the public key of the root. Applications that pin to subordinate CAs or end-entity certificates that chain to ATS roots are at a higher risk for outages. We do not recommend pinning to the attributes of a certificate associated with a root. All CAs can have multiple certificates associated with their keys. Because trust is based on keys and not certificate attributes, pinning to certificate attributes may result in unexpected behavior. If you have technical constraints that require pinning to certificate attributes we have provided that information below.
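The reasoning above (trust follows the key, and one root key can have several certificates) can be checked directly. This added example, which is not Amazon Trust Services code, extracts the SubjectPublicKeyInfo from two constructed DER certificates that share a key and shows that the SPKI hash matches while the certificate hash differs. The certificate contents, the names `Example Root` and `Older Root G2`, and the dummy key and signature bytes are made up for illustration.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_der(cert):
    """Slice the SubjectPublicKeyInfo element (header included) out of a DER certificate."""
    _, pos, _ = read_tlv(cert, 0)        # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)      # tbsCertificate SEQUENCE
    tag, _, nxt = read_tlv(cert, pos)
    pos = nxt if tag == 0xA0 else pos    # skip the optional [0] version field
    for _ in range(5):                   # serial, signature alg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    _, _, end = read_tlv(cert, pos)
    return cert[pos:end]

def spki_pin(cert):
    return hashlib.sha256(spki_der(cert)).hexdigest()

def cert_fingerprint(cert):
    return hashlib.sha256(cert).hexdigest()

# --- constructed sample data (dummy key and signature, not real ATS certificates) ---
def tlv(tag, value):
    n = len(value)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + value

def name(cn):
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))

SPKI = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d0201"))
                     + tlv(0x06, bytes.fromhex("2a8648ce3d030107")))
           + tlv(0x03, b"\x00\x04" + bytes(range(64))))
ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d040302")))

def toy_cert(serial, issuer_cn):
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial])) + ALG
              + name(issuer_cn) + tlv(0x30, tlv(0x17, b"250101000000Z") * 2)
              + name(b"Example Root") + SPKI)
    return tlv(0x30, tbs + ALG + tlv(0x03, b"\x00" * 9))
SELF_SIGNED, CROSS_SIGNED = toy_cert(1, b"Example Root"), toy_cert(2, b"Older Root G2")
```

Assuming the "SHA-256 Hash of Subject Public Key Information" column is computed over the DER-encoded SubjectPublicKeyInfo, `spki_pin` applied to a root's DER file yields the comparable value, and it stays the same for the self-signed and cross-signed certificates of that root.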
Root CA Certificate Information
This is provided for informational purposes. We do not recommend pinning to attributes in the certificates. Amazon Root CAs have multiple certificates for each root key pair: one set is self-signed, and the other set is cross-signed with the older "Starfield Services Root Certificate Authority - G2" root. We also have a cross-signed version of the certificate for "Starfield Services Root Certificate Authority - G2", which is cross-signed with an even older root managed by a different certificate authority.
Distinguished Name | Type | Certificate Hash (SHA-256) | Certificate |
---|---|---|---|
CN=Amazon Root CA 1,O=Amazon,C=US | Self-signed | 8ecde6884f3d87b1125ba31ac3fcb13d7016de7f57cc904fe1cb97c6ae98196e | DER PEM |
CN=Amazon Root CA 1,O=Amazon,C=US | Cross-signed | 87dcd4dc74640a322cd205552506d1be64f12596258096544986b4850bc72706 | DER PEM |
CN=Amazon Root CA 2,O=Amazon,C=US | Self-signed | 1ba5b2aa8c65401a82960118f80bec4f62304d83cec4713a19c39c011ea46db4 | DER PEM |
CN=Amazon Root CA 2,O=Amazon,C=US | Cross-signed | 8b358466d66126312120645a5875a6a57e3c81d98476a967604244254eac00f0 | DER PEM |
CN=Amazon Root CA 3,O=Amazon,C=US | Self-signed | 18ce6cfe7bf14e60b2e347b8dfe868cb31d02ebb3ada271569f50343b46db3a4 | DER PEM |
CN=Amazon Root CA 3,O=Amazon,C=US | Cross-signed | 40c826fdb22ba32a2f9db4f94770f72b8b1da9c8ffda7b11e6f27af245c89b5e | DER PEM |
CN=Amazon Root CA 4,O=Amazon,C=US | Self-signed | e35d28419ed02025cfa69038cd623962458da5c695fbdea3c22b0bfb25897092 | DER PEM |
CN=Amazon Root CA 4,O=Amazon,C=US | Cross-signed | 543d9b7fc2a6471cd84fca52c2cf6159df83ebfcd88d8b08b5af3f88737f52e6 | DER PEM |
CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US | Self-signed | 568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab5 | DER PEM |
CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US | Cross-signed | 28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996 | DER PEM |
WebTrust for Certification Authorities Audits
- WebTrust Principles and Criteria for Certification Authorities - Version 2.2.2
- WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.6
- WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.7.8
- WebTrust Principles and Criteria for Certification Authorities - Code Signing Baseline Requirements - Version 2.7
- WebTrust Principles and Criteria for Certification Authorities - Network Security - Version 1.0
- WebTrust Principles and Criteria for Certification Authorities - S/MIME Certificates - Version 1.0.1
Cross Certificates
The following certificates have a CA listed above as the subject.
Externally Operated Subordinate CAs
The following certificates have a CA listed above as the issuer.
Certificate | Certificate Hash (SHA-256) | Additional Information |
---|---|---|
DER PEM | 4a1ff6bbf481170d3b773cec1f3a84de3b5096575cdbf8b08432209318ca0fbd | Constraints: Path length: 0, Policy: 2.23.140.1.2.1; Operator: DigiCert, Inc.; CP, CPS, and Audit statements; Test Website |
Certificate | SHA-256 Hash of Subject Public Key Information | Additional Information |
---|---|---|
DER PEM | b394913e6850ffd338a414c91496cd7dfe437ba2ae66966beabd7f6648146db1 | Constraints: Path length: 0, Policy: 2.5.29.32.0; Operator: DigiCert, Inc.; CP, CPS, and Audit statements; Test Website |
Requests and Problem Reporting
Certificate Management
For help with using your Amazon Trust Services certificate or using AWS Certificate Manager please see: https://docs.aws.amazon.com/acm/latest/userguide/gs.html
Problem Reporting
Subscribers, Relying Parties, Application Software Suppliers, and other third parties may email ats-certificate-report[at]amazon.com to report suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, misuse, and inappropriate conduct. Proof of key compromise should be submitted in either of the following formats: a CSR signed by the compromised private key with the Common Name "Proof of Key Compromise for Amazon"; or the private key itself.
Revocation Requests
Subscribers may request revocation of their own certificates by emailing ats-certificate-report[at]amazon.com. All reports need to include sufficient detail to identify the specific certificates to be revoked. Requests must include a reason code as specified in the Subscriber Agreement.
General Questions
Subscribers, Relying Parties, Application Software Suppliers, and other third parties may email ats-general-questions[at]amazon.com with non-urgent questions about Amazon Trust Services. This email should not be used for revocation requests or other problem reporting related to certificates.
Requester Authorization
Applicants may limit individuals who may request certificates on their behalf and may request a list of their currently authorized certificate requesters. Requests to limit or list requesters should be addressed to validation-questions[at]amazon.com.