AWS S3 - root certificate changing

jcsbanks
Posts: 301
Joined: Tue Mar 28, 2017 8:03 pm

AWS S3 - root certificate changing

Postby jcsbanks » Sat Mar 21, 2020 11:42 am

I received an email from AWS saying that the root certificate for some S3 regions was going to change from March 2021.
Frequently Asked Questions
Q1: What is changing?
The certificate authority for Amazon S3 and Amazon CloudFront’s default certificates are changing from DigiCert to Amazon Trust Services. For S3, many regions already use Amazon Trust Services including all regional endpoints for the eu-west-3, eu-north-1, me-south-1, ap-northeast-3, ap-east-1, and us-gov-east-1 regions. S3 will be migrating the remaining AWS regions to Amazon Trust Services as well. For CloudFront, all edge locations will be migrating to Amazon Trust Services.

This does change does not impact workloads that use HTTP only or use a custom SSL/TLS certificate.

Q2: When are these changes occurring?
The changes in Certificate Authority will begin rolling out on March 1, 2021.

Q3: What do I need to do?
Evaluate whether your applications trust Amazon Trust Services’ root certificates. If your application does not trust Amazon Trust Services, perform one of the following two actions. Resolution option 1, update your client certificate trust store to include all of Amazon Trust Services’ root certificates. Resolution option 2, change the domain name your application requests to a CloudFront Alternative Domain Name (CNAME) that uses an SSL/TLS certificate from an already trusted Certificate Authority.

Q4: How do I test if my application trust Amazon Trust Services?
Verify your application works with Amazon Trust Services issued certificates, by performing one of the following tests from within your application. Test option 1, fetch the object https://s3-ats-migration-test.s3.eu-wes ... m/test.jpg and verify a 200 response or that you see the green check mark in the test image. Test option 2, create an S3 bucket in your AWS account in any of the following regions (eu-west-3, eu-north-1, me-south-1, ap-northeast-3, ap-east-1, and us-gov-east-1) and fetch a test object.

Q5: What root certificates are part of Amazon Trust Services?
Refer to https://www.amazontrust.com/repository/ for the current list.

Q6: What happens after March 1, 2021 if my clients do not trust Amazon Trust Services’ Certificate Authorities?
All client requests made to a default Amazon S3 or Amazon CloudFront endpoint will receive a default certificate issued from Amazon Trust Services. If the client trust store does not trust the Certificate Authority, it may close the connection and report the SSL certificate as “untrusted.”
Code to fetch OTA update from AWS:

Code: Select all

	esp_http_client_config_t config = {
        .url = ota_url,
        .cert_pem = (char *)s3_root_ca_pem,
        .event_handler = _http_event_handler,
		.buffer_size = 4096,
    };

	esp_err_t ret = esp_https_ota(&config);
s3_root_ca_pem has the following info (and I think Baltimore CyberTrust was taken over by Digicert for whom the old certificates will not work, so looks like it will be affected):
$ openssl x509 -in s3-root-ca.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 33554617 (0x20000b9)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Validity
Not Before: May 12 18:46:00 2000 GMT
Not After : May 12 23:59:00 2025 GMT
Subject: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
I also have stored an AWS certificate that might work:
$ openssl x509 -in aws-root-ca.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
06:6c:9f:cf:99:bf:8c:0a:39:e2:f0:78:8a:43:e6:96:36:5b:ca
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Amazon, CN=Amazon Root CA 1
Validity
Not Before: May 26 00:00:00 2015 GMT
Not After : Jan 17 00:00:00 2038 GMT
Subject: C=US, O=Amazon, CN=Amazon Root CA 1
What is the best way to handle this transition in esp-idf? Do I change the certificate used now, or concatenate them both somehow so that the OTA update will use either?

jcsbanks
Posts: 301
Joined: Tue Mar 28, 2017 8:03 pm

Re: AWS S3 - root certificate changing

Postby jcsbanks » Tue Apr 14, 2020 8:45 pm

I have Amazon Root CA 1 already stored, I just need to work out how and when to use it instead of Digicert, or how to allow either to be used. Any suggestions welcome.

jcsbanks
Posts: 301
Joined: Tue Mar 28, 2017 8:03 pm

Re: AWS S3 - root certificate changing

Postby jcsbanks » Wed Apr 15, 2020 5:41 pm

Can certificates be concatenated and either one expected to work when the certificate on the server is changed?

devanl
Posts: 11
Joined: Sat Jan 04, 2020 5:26 pm

Re: AWS S3 - root certificate changing

Postby devanl » Wed Apr 15, 2020 11:07 pm

I don't have any experience with an actual certificate changeover, but my experience with concatenated PEM files and the existing AWS / ESP-IDF library code is that they seem to work fine, so I would expect that you could put both certificates in a single concatenated PEM file and you would be able to connect with no downtime during the switchover.

jcsbanks
Posts: 301
Joined: Tue Mar 28, 2017 8:03 pm

Re: AWS S3 - root certificate changing

Postby jcsbanks » Thu Apr 16, 2020 12:30 pm

devanl wrote:
Wed Apr 15, 2020 11:07 pm
I don't have any experience with an actual certificate changeover, but my experience with concatenated PEM files and the existing AWS / ESP-IDF library code is that they seem to work fine, so I would expect that you could put both certificates in a single concatenated PEM file and you would be able to connect with no downtime during the switchover.
Thanks that does seem to work so I concatenated the PEMs with \r\n between them in a RAM buffer. Either order seems OK. Let's hope it handles the switchover.

Who is online

Users browsing this forum: Baidu [Spider] and 35 guests