Repository

Current documents

Certificate Policy / Certification Practice Statement for WebPKI TLS: Amazon Trust Services Certificate Policy / Certification Practice Statement v2.6
Certificate Policy / Certification Practice Statement for Non-TLS: Amazon Trust Services Certificate Policy / Certification Practice Statement v2.2
Subscriber Agreement: Amazon Trust Services Certificate Subscriber Agreement v1.4
Relying Party Agreement: Amazon Trust Services Relying Party Agreement v1.2

Certification authorities

Trust store and pinning recommendations

Amazon Trust Services doesn't recommend or support pinning.

If you require pinning then we recommend that you pin to the public key of the root. Applications that pin to subordinate CAs or end-entity certificates that chain to ATS roots are at a higher risk for outages. We do not recommend pinning to the attributes of a certificate associated with a root. All CAs can have multiple certificates associated with their keys. Because trust is based on keys and not certificate attributes, pinning to certificate attributes may result in unexpected behavior. If you have technical constraints that require pinning to certificate attributes we have provided that information below.

For relying parties that make use of custom trust stores we recommend that all five of the above roots be included in the trust store. "Amazon Root CA 1 - 4" represent different key types/algorithms. "Starfield Services Root Certificate Authority - G2" is an older root that is compatible with other older trust stores and clients that can not be updated. Including all five of the roots ensure maximum compatibility for your application.

Root certificates with the "EU" designation in the CN will be used for certificate issuance in the AWS European Sovereign Cloud region only. These roots are pending inclusion in public root store programs. End-entity certificates issued from the AWS European Sovereign Cloud region will be trusted in public root store programs that follow the cross-signed certificates issued from our existing "Amazon Root CA 1, 3, and 4" roots.

Root CAs

The following certificate authorities are operated according to the practices described in the above CPS.
Distinguished names are represented using the algorithm recommended in RFC 4514.

Distinguished name	SHA-256 hash of subject public key information	Self-signed certificate	Test URLs
CN=Amazon Root CA 1,O=Amazon,C=US	`fbe3018031f9586bcbf41727e417b7d1c45c2f47f93be372a17b96b50757d5a2`	DER PEM	Valid Revoked Expired
CN=Amazon Root CA 2,O=Amazon,C=US	`7f4296fc5b6a4e3b35d3c369623e364ab1af381d8fa7121533c9d6c633ea2461`	DER PEM	Valid Revoked Expired
CN=Amazon Root CA 3,O=Amazon,C=US	`36abc32656acfc645c61b71613c4bf21c787f5cabbee48348d58597803d7abc9`	DER PEM	Valid Revoked Expired
CN=Amazon Root CA 4,O=Amazon,C=US	`f7ecded5c66047d28ed6466b543c40e0743abe81d109254dcf845d4c2c7853c5`	DER PEM	Valid Revoked Expired
CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies, Inc.,C=US,S=Arizona,L=Scottsdale	`2b071c59a0a0ae76b0eadb2bad23bad4580b69c3601b630c2eaf0613afa83f92`	DER PEM	Valid Revoked Expired
* CN=Amazon RSA 2048 Root EU M1,O=Amazon,C=DE	`8d935558e6a3c896330148ffdf6a1ac0a5bfba1ab44545135a3b376c9a1a308d`	DER PEM	Valid Revoked Expired
* CN=Amazon ECDSA 256 Root EU M1,O=Amazon,C=DE	`9565907725464be0bff44b1232f85ee862a9a0d99db971ba20344aaf41431d58`	DER PEM	Valid Revoked Expired
* CN=Amazon ECDSA 384 Root EU M1,O=Amazon,C=DE	`798fe10957e8c5a0874201caf09d5ef4b2e2412c47bf991949566cb542d3af3f`	DER PEM	Valid Revoked Expired

* Root certificate is pending inclusion in browser trust stores.

Root CA certificate information

This is provided for informational purposes. We do not recommend pinning to attributes in the certificates.

Amazon Root CAs have multiple certificates for each root key pair.

For the "Amazon Root CAs [1-4]", one set of certificates is self-signed, the other set is cross-signed with the older "Starfield Services Root Certificate Authority - G2" root.

Additionally, we also have a cross-signed version of the certificate for "Starfield Services Root Certificate Authority - G2". It is cross-signed with an even older root managed by a different certificate authority.

One set of the EU root CAs is self-signed and the others are cross-signed by "Amazon Root CA [1,3,4]", respectively. Cross-signed versions of our EU roots will be distributed in the AWS European Sovereign Cloud region only. These cross-signs establish a trusted path to our existing roots that are already included in major root store programs.

Distinguished name	Type	SHA-256 hash	Certificate
CN=Amazon Root CA 1,O=Amazon,C=US	Self-signed	`8ecde6884f3d87b1125ba31ac3fcb13d7016de7f57cc904fe1cb97c6ae98196e`	DER PEM
CN=Amazon Root CA 1,O=Amazon,C=US	Cross-signed	`87dcd4dc74640a322cd205552506d1be64f12596258096544986b4850bc72706`	DER PEM
CN=Amazon Root CA 2,O=Amazon,C=US	Self-signed	`1ba5b2aa8c65401a82960118f80bec4f62304d83cec4713a19c39c011ea46db4`	DER PEM
CN=Amazon Root CA 2,O=Amazon,C=US	Cross-signed	`8b358466d66126312120645a5875a6a57e3c81d98476a967604244254eac00f0`	DER PEM
CN=Amazon Root CA 3,O=Amazon,C=US	Self-signed	`18ce6cfe7bf14e60b2e347b8dfe868cb31d02ebb3ada271569f50343b46db3a4`	DER PEM
CN=Amazon Root CA 3,O=Amazon,C=US	Cross-signed	`40c826fdb22ba32a2f9db4f94770f72b8b1da9c8ffda7b11e6f27af245c89b5e`	DER PEM
CN=Amazon Root CA 4,O=Amazon,C=US	Self-signed	`e35d28419ed02025cfa69038cd623962458da5c695fbdea3c22b0bfb25897092`	DER PEM
CN=Amazon Root CA 4,O=Amazon,C=US	Cross-signed	`543d9b7fc2a6471cd84fca52c2cf6159df83ebfcd88d8b08b5af3f88737f52e6`	DER PEM
CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies, Inc.,C=US,S=Arizona,L=Scottsdale	Self-signed	`568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab5`	DER PEM
CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies, Inc.,C=US,S=Arizona,L=Scottsdale	Cross-signed	`28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996`	DER PEM
CN=Amazon RSA 2048 Root EU M1,O=Amazon,C=DE	* Self-signed	`eaffac50c7e3e15a68f779a5e70ec2f5e9fc4a03ff69ab337b4d6c4510432395`	DER PEM
CN=Amazon RSA 2048 Root EU M1,O=Amazon,C=DE	Cross-signed	`bddb011e995a62b9f58507944e04f8a624888ef4c0c41c79cab032168c86b83b`	DER PEM
CN=Amazon ECDSA 256 Root EU M1,O=Amazon,C=DE	* Self-signed	`9ead32c9285fe68ba2c5b0fe427d149b103fdfa1d0958d77c3da0ff246e853d3`	DER PEM
CN=Amazon ECDSA 256 Root EU M1,O=Amazon,C=DE	Cross-signed	`f35a8a529ee51c24078d36a00b918c5080aedca0611e5be55831b4cb66f2c2f5`	DER PEM
CN=Amazon ECDSA 384 Root EU M1,O=Amazon,C=DE	* Self-signed	`8e136ce0e77c848f2d2910abd4e3a764358bb1b7a4932202bc9b915732462d85`	DER PEM
CN=Amazon ECDSA 384 Root EU M1,O=Amazon,C=DE	Cross-signed	`c5df074e1c3a2eaec742930beda6c1a429db293f96a8f1db3b1436d772b7c483`	DER PEM

* Root certificate is pending inclusion in browser trust stores.

The certificate files above are licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License .

CRL and OCSP endpoints

View the complete list of CRL and OCSP endpoints operated by Amazon Trust Services.

WebTrust for Certification Authorities audits

WebTrust for Certification Authorities (CA): WebTrust Principles and Criteria for Certification Authorities - Version 2.2.2
WebTrust for Baseline Requirements: WebTrust Principles and Criteria for Certification Authorities - TLS Baseline - Version 2.8
WebTrust for Extended Validation: WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.8
WebTrust for Network Security: WebTrust Principles and Criteria for Certification Authorities - Network Security - Version 2.0.5
WebTrust for Code Signing Baseline Requirements: WebTrust Principles and Criteria for Certification Authorities - Code Signing Baseline Requirements - Version 3.7
WebTrust for S/MIME: WebTrust Principles and Criteria for Certification Authorities - S/MIME - Version 1.0.3

Requests and issue reporting

Are you an AWS Certificate Manager customer?

If you require help with your certificate, see: https://docs.aws.amazon.com/acm/latest/userguide/gs.html .

Need to report a certificate issue or ask a question?

Report an issue

Report private key compromise, request revocation, or any other certificate-related issue — or ask a general question about Amazon Trust Services certificates.

Cross-signed, subordinate and externally operated subordinate CAs certificates

View the list of cross-signed, subordinate and externally operated subordinate CAs certificates.

Archives

Document	Effective	Superseded date	Successor version
Certificate Policy (14)
Amazon Trust Services Certificate Policy v1.0.14	July 24, 2024	July 23, 2025	v2.0
Amazon Trust Services Certificate Policy v1.0.13	July 28, 2023	July 24, 2024	v1.0.14
Amazon Trust Services Certificate Policy v1.0.12	August 29, 2022	July 28, 2023	v1.0.13
Amazon Trust Services Certificate Policy v1.0.11	August 18, 2021	August 29, 2022	v1.0.12
Amazon Trust Services Certificate Policy v1.0.10	July 23, 2021	August 18, 2021	v1.0.11
Amazon Trust Services Certificate Policy v1.0.9	April 23, 2021	July 23, 2021	v1.0.10
Amazon Trust Services Certificate Policy v1.0.8	March 30, 2020	April 23, 2021	v1.0.9
Amazon Trust Services Certificate Policy v1.0.7	December 18, 2019	March 30, 2020	v1.0.8
Amazon Trust Services Certificate Policy v1.0.6	April 13, 2018	December 18, 2019	v1.0.7
Amazon Trust Services Certificate Policy v1.0.5	January 15, 2018	April 13, 2018	v1.0.6
Amazon Trust Services Certificate Policy v1.0.4	January 12, 2017	January 15, 2018	v1.0.5
Amazon Trust Services Certificate Policy v1.0.3	December 16, 2015	January 12, 2017	v1.0.4
Amazon Trust Services Certificate Policy v1.0.2	October 21, 2015	December 16, 2015	v1.0.3
Amazon Web Services Certificate Policy v1.0.1	May 26, 2015	October 21, 2015	v1.0.2
Certificate Policy / Certification Practice Statement (6)
Amazon Trust Services Certificate Policy / Certification Practice Statement v2.5	March 18, 2026	May 20, 2026	v2.6
Amazon Trust Services Certificate Policy / Certification Practice Statement v2.4	February 25, 2026	March 18, 2026	v2.5
Amazon Trust Services Certificate Policy / Certification Practice Statement v2.3	January 29, 2026	February 25, 2026	v2.4
Amazon Trust Services Certificate Policy / Certification Practice Statement v2.2	November 27, 2025	January 29, 2026	v2.3
Amazon Trust Services Certificate Policy / Certification Practice Statement v2.1	October 20, 2025	November 27, 2025	v2.2
Amazon Trust Services Certificate Policy / Certification Practice Statement v2.0	July 23, 2025	October 20, 2025	v2.1
Certification Practice Statement (15)
Amazon Web Services Certification Practice Statement v1.0.15	July 24, 2024	July 23, 2025	v2.0
Amazon Trust Services Certification Practice Statement v1.0.14	July 28, 2023	July 24, 2024	v1.0.15
Amazon Trust Services Certification Practice Statement v1.0.13	August 29, 2022	July 28, 2023	v1.0.14
Amazon Trust Services Certification Practice Statement v1.0.12	August 18, 2021	August 29, 2022	v1.0.13
Amazon Trust Services Certification Practice Statement v1.0.11	July 23, 2021	August 18, 2021	v1.0.12
Amazon Trust Services Certification Practice Statement v1.0.10	April 23, 2021	July 23, 2021	v1.0.11
Amazon Trust Services Certification Practice Statement v1.0.9	March 30, 2020	April 23, 2021	v1.0.10
Amazon Trust Services Certification Practice Statement v1.0.8	December 17, 2019	March 30, 2020	v1.0.9
Amazon Trust Services Certification Practice Statement v1.0.7	April 13, 2018	December 17, 2019	v1.0.8
Amazon Trust Services Certification Practice Statement v1.0.6	January 15, 2018	April 13, 2018	v1.0.7
Amazon Trust Services Certification Practice Statement v1.0.5	January 12, 2017	January 15, 2018	v1.0.6
Amazon Trust Services Certification Practice Statement v1.0.4	December 16, 2015	January 12, 2017	v1.0.5
Amazon Trust Services Certification Practice Statement v1.0.3	October 21, 2015	December 16, 2015	v1.0.4
Amazon Web Services Certification Practice Statement v1.0.2	June 10, 2015	October 21, 2015	v1.0.3
Amazon Web Services Certification Practice Statement v1.0.1	May 26, 2015	June 10, 2015	v1.0.2
Relying Party Agreement (2)
Amazon Trust Services Relying Party Agreement v1.1	September 9, 2016	February 25, 2026	v1.2
Amazon Trust Services Relying Party Agreement v1.0	October 28, 2015	September 9, 2016	v1.1
Subscriber Agreement (4)
Amazon Trust Services Certificate Subscriber Agreement v1.3	September 21, 2022	February 25, 2026	v1.4
Amazon Trust Services Certificate Subscriber Agreement v1.2	September 9, 2016	September 21, 2022	v1.3
Amazon Trust Services Certificate Subscriber Agreement v1.1	November 2, 2015	September 9, 2016	v1.2
Amazon Web Services Certificate Subscriber Agreement v1.0	May 26, 2015	November 2, 2015	v1.1

Audit	Start date	End date
Certification Authorities (10)
WebTrust Principles and Criteria for Certification Authorities - Version 2.2.2	January 16, 2024	January 15, 2025
WebTrust Principles and Criteria for Certification Authorities - Version 2.2.2	January 16, 2023	January 15, 2024
WebTrust Principles and Criteria for Certification Authorities - Version 2.2.2	January 16, 2022	January 15, 2023
WebTrust Principles and Criteria for Certification Authorities - Version 2.2.1	January 16, 2021	January 15, 2022
WebTrust Principles and Criteria for Certification Authorities - Version 2.2	January 16, 2020	January 15, 2021
WebTrust Principles and Criteria for Certification Authorities - Version 2.1	January 16, 2019	January 15, 2020
WebTrust Principles and Criteria for Certification Authorities - Version 2.1	January 16, 2018	January 15, 2019
Trust Service Principles and Criteria for Certification Authorities Version 2.0	January 16, 2017	January 15, 2018
Trust Service Principles and Criteria for Certification Authorities Version 2.0	January 16, 2016	January 15, 2017
Trust Service Principles and Criteria for Certification Authorities Version 2.0	January 16, 2015	January 15, 2016
Code Signing (5)
WebTrust Principles and Criteria for Certification Authorities - Code Signing Baseline Requirements - Version 3.7	January 16, 2024	January 15, 2025
WebTrust Principles and Criteria for Certification Authorities - Code Signing Baseline Requirements - Version 2.7	January 16, 2023	January 15, 2024
WebTrust Principles and Criteria for Certification Authorities - Code Signing - Version 2.0	January 16, 2022	January 15, 2023
WebTrust Principles and Criteria for Certification Authorities - Code Signing - Version 2.0	January 16, 2021	January 15, 2022
WebTrust Principles and Criteria for Certification Authorities - Code Signing - Version 1.0.1	January 16, 2020	January 15, 2021
Extended Validation Code Signing (5)
WebTrust Principles and Criteria for Certification Authorities - Extended Validation Code Signing - Version 1.4.1	January 16, 2020	January 15, 2021
WebTrust Principles and Criteria for Certification Authorities - Extended Validation Code Signing - Version 1.4.1	January 16, 2019	January 15, 2020
WebTrust Principles and Criteria for Certification Authorities - Extended Validation Code Signing - Version 1.4.1	January 16, 2018	January 15, 2019
WebTrust Principles and Criteria for Certification Authorities - Extended Validation Code Signing	January 16, 2017	January 15, 2018
WebTrust Principles and Criteria for Certification Authorities - Extended Validation Code Signing	January 16, 2016	January 15, 2017
Extended Validation SSL (10)
WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.8	January 16, 2024	January 15, 2025
WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.7.8	January 16, 2023	January 15, 2024
WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.7.3	January 16, 2022	January 15, 2023
WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.7.3	January 16, 2021	January 15, 2022
WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.6.8	January 16, 2020	January 15, 2021
WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.6.2	January 16, 2019	January 15, 2020
WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.6.2	January 16, 2018	January 15, 2019
WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.4.5	January 16, 2017	January 15, 2018
WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.4.5	January 16, 2016	January 15, 2017
WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.4.5	January 16, 2015	January 15, 2016
Network Security (2)
WebTrust Principles and Criteria for Certification Authorities - Network Security - Version 1.7	January 16, 2024	January 15, 2025
WebTrust Principles and Criteria for Certification Authorities - Network Security - Version 1.0	January 16, 2023	January 15, 2024
S/MIME (2)
WebTrust Principles and Criteria for Certification Authorities - S/MIME - Version 1.0.3	January 16, 2024	January 15, 2025
WebTrust Principles and Criteria for Certification Authorities - S/MIME Certificates - Version 1.0.1	January 16, 2023	January 15, 2024
SSL / TLS Baseline (1)
WebTrust Principles and Criteria for Certification Authorities - SSL Baseline - Version 2.8	January 16, 2024	January 15, 2025
SSL Baseline with Network Security (9)
WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.6	January 16, 2023	January 15, 2024
WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.5	January 16, 2022	January 15, 2023
WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.5	January 16, 2021	January 15, 2022
WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.4.1	January 16, 2020	January 15, 2021
WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.3	January 16, 2019	January 15, 2020
WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.2	January 16, 2018	January 15, 2019
WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.0	January 16, 2017	January 15, 2018
WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.0	January 16, 2016	January 15, 2017
WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.0	January 16, 2015	January 15, 2016

Starfield Services Root Certificate Authority - G2

View the certificate policy and certification practice statements under which the Starfield Services Root Certificate Authority - G2 were operated prior to Amazon Trust Services acquisition.