ACM will no longer cross sign certificates with Starfield Class 2 starting August 2024

AWS Certificate Manager (ACM) is a managed service that you can use to provision, manage, and deploy public and private TLS certificates for use with Elastic Load Balancing (ELB), Amazon CloudFront, Amazon API Gateway, and other integrated AWS services. Starting August 2024, the chain that ACM returns for a public certificate will terminate at the Starfield Services G2 (G2) root, with subject C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2, as the trust anchor. ACM will no longer return a chain in which G2 is cross signed by the GoDaddy operated root Starfield Class 2 (C2), with subject C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority.

Background

Public certificates that you request through ACM are obtained from Amazon Trust Services. Like other public CAs, Amazon Trust Services CAs have a structured trust hierarchy. A public certificate issued to you, also known as the leaf certificate, chains to one or more intermediate CAs and then to the Amazon Trust Services root CA.

Amazon Root CAs 1 to 4 are cross signed by the Amazon Trust Services root Starfield Services G2 (G2), and G2 is in turn cross signed by the GoDaddy operated Starfield Class 2 root (C2). A cross-signed certificate carries the same subject name and public key as the self-signed root but is issued by a different CA, so a client that trusts either CA can build a valid path. The cross signing was done to provide broader trust, because Starfield Class 2 was widely trusted when ACM was launched in 2016.

What is changing?

Starting August 2024, the last certificate in the chain that ACM returns will be one of Amazon Root CAs 1 to 4 (cross signed by Starfield Services G2), so the trust anchor is Starfield Services G2. Today, the last certificate in the chain that ACM returns is Starfield Services G2 cross signed by C2, so the chain can also be anchored at Starfield Class 2, as shown in Figure 1 that follows.

Current chain

Figure 1: Certificate chain for ACM prior to August 2024

New chain

Figure 2 shows the new chain, where the last certificate in an AWS issued certificate’s chain is one of the Amazon Root CAs (1 to 4), and the trust anchor is Starfield Services G2.

Figure 2: New certificate chain for ACM starting on August 2024

Why are we making this change?

Starfield Class 2 is operated by GoDaddy, and GoDaddy intends to deprecate C2 in the future. To align with this, ACM is removing the trust anchor dependency on the C2 root.

How will this change impact my use of ACM?

We don’t expect this change to impact most customers. Amazon owned trust anchors have been established for over a decade across many devices and browsers. The Amazon owned Starfield Services G2 is trusted on Android devices starting with later versions of Gingerbread, and by iOS starting at version 4.1. Amazon Root CAs 1 to 4 are trusted by iOS starting at version 11. A browser, application, or OS that includes the Amazon or Starfield G2 roots will trust public certificates obtained from ACM.

What should you do to prepare?

We expect the impact of removing Starfield Class 2 (C2) as a trust anchor to be limited to the following types of customers:

  1. Customers who don’t have one of the Amazon Trust Services root CAs in the trust store.
    • To resolve this, you can add the Amazon CAs to your trust store.
  2. Customers who pin to the cross-signed certificate, or to the certificate hash of Starfield Services G2, rather than to its public key (SPKI). The self-signed and cross-signed G2 certificates carry the same key but are different certificates, so a key pin survives this change and a certificate pin does not.
    • Certificate pinning guidance can be found in the Amazon Trust repository.
  3. Customers who have taken a dependency on the chain length. The number of CA certificates that ACM returns after the leaf will drop from 3 to 2 as part of this change.
    • Customers who have a dependency on chain length will need to update their processes and checks to account for the new length.

You can test whether your clients trust the new chain by opening the Valid test certificates endpoints published in the Amazon Trust Repository.
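The three cases above can be reproduced offline with Go's standard-library path builder. The program below is an added example and is not AWS code: it generates a toy hierarchy with fresh P-256 keys whose names are stand-ins for Starfield Class 2, Starfield Services G2, Amazon Root CA 1 and an ACM issuing CA (none of the real keys or certificates are involved), builds the chain ACM served before August 2024 and the one it serves afterwards, and verifies each against a trust store holding a single root. It also shows that an SPKI pin on G2 matches both the self-signed and the cross-signed G2 certificate while a certificate-hash pin does not. The hostname example.test and all CA names are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

var serial int64

func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue signs tmpl for the public key pub with signer, whose certificate is parent, and
// returns the parsed certificate. For a self-signed root, parent == tmpl and signer owns pub.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

// toyPKI mirrors the ACM hierarchy with freshly generated keys. The names are stand-ins
// (assumed for this example); nothing here is a real Amazon Trust Services or Starfield key.
type toyPKI struct {
	c2, g2, ats1       *x509.Certificate // self-signed roots, as a trust store holds them
	g2Cross, ats1Cross *x509.Certificate // same names and keys, re-issued under the next root up
	inter, leaf        *x509.Certificate
}

func buildToyPKI() toyPKI {
	c2Key, g2Key, ats1Key, interKey, leafKey := newKey(), newKey(), newKey(), newKey(), newKey()
	self := func(cn string, k *ecdsa.PrivateKey) *x509.Certificate { t := caTemplate(cn); return issue(t, t, &k.PublicKey, k) }
	p := toyPKI{c2: self("Starfield Class 2 (toy)", c2Key), g2: self("Starfield Services Root CA - G2 (toy)", g2Key),
		ats1: self("Amazon Root CA 1 (toy)", ats1Key)}
	// Cross signing: G2's name and key re-issued by Class 2; Amazon Root CA 1's name and key re-issued by G2.
	p.g2Cross = issue(caTemplate(p.g2.Subject.CommonName), p.c2, &g2Key.PublicKey, c2Key)
	p.ats1Cross = issue(caTemplate(p.ats1.Subject.CommonName), p.g2, &ats1Key.PublicKey, g2Key)
	p.inter = issue(caTemplate("ACM issuing CA (toy)"), p.ats1, &interKey.PublicKey, ats1Key)
	p.leaf = issue(&x509.Certificate{Subject: pkix.Name{CommonName: "example.test"}, DNSNames: []string{"example.test"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}},
		p.inter, &leafKey.PublicKey, interKey)
	return p
}

// oldChain is what ACM returned before August 2024 (three CA certificates after the leaf);
// newChain is what it returns from August 2024 (the G2-under-Class-2 certificate is dropped).
func (p toyPKI) oldChain() []*x509.Certificate { return []*x509.Certificate{p.leaf, p.inter, p.ats1Cross, p.g2Cross} }
func (p toyPKI) newChain() []*x509.Certificate { return []*x509.Certificate{p.leaf, p.inter, p.ats1Cross} }

// verify runs Go's path builder the way a TLS client does: everything after the leaf is
// untrusted input and the trust store supplies the anchors. It returns the CN of each
// anchor a valid path ends at and the length (leaf through anchor) of the shortest path.
func verify(served, trust []*x509.Certificate) (anchors []string, shortest int, err error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trust { roots.AddCert(c) }
	for _, c := range served[1:] { inter.AddCert(c) }
	chains, err := served[0].Verify(x509.VerifyOptions{DNSName: "example.test", Roots: roots, Intermediates: inter})
	if err != nil {
		return nil, 0, err
	}
	for _, ch := range chains {
		anchors = append(anchors, ch[len(ch)-1].Subject.CommonName)
		if shortest == 0 || len(ch) < shortest { shortest = len(ch) }
	}
	return anchors, shortest, nil
}

// A pin on the certificate hash breaks across a cross-sign; a pin on the SPKI does not.
func certHash(c *x509.Certificate) string { h := sha256.Sum256(c.Raw); return hex.EncodeToString(h[:]) }
func spkiHash(c *x509.Certificate) string { h := sha256.Sum256(c.RawSubjectPublicKeyInfo); return hex.EncodeToString(h[:]) }

func main() {
	p := buildToyPKI()
	for _, root := range []*x509.Certificate{p.c2, p.g2, p.ats1} {
		store := []*x509.Certificate{root}
		a1, d1, e1 := verify(p.oldChain(), store)
		a2, d2, e2 := verify(p.newChain(), store)
		fmt.Printf("trust store {%s}\n  old chain: anchors=%v depth=%d err=%v\n  new chain: anchors=%v depth=%d err=%v\n", root.Subject.CommonName, a1, d1, e1, a2, d2, e2)
	}
	fmt.Println("G2 self-signed vs cross-signed: same SPKI pin:", spkiHash(p.g2) == spkiHash(p.g2Cross), "same cert hash:", certHash(p.g2) == certHash(p.g2Cross))
}
```

Run it with `go run .`: a store holding only the toy Class 2 root validates the old chain (five certificates deep, through both cross-signs) and rejects the new one with `certificate signed by unknown authority`; a store holding G2 validates both chains four deep, because the path builder stops at the first anchor it reaches and ignores the extra cross-signed G2 certificate; a store holding Amazon Root CA 1 directly validates both three deep. That is the practical meaning of items 1 and 3 above, and the final line is item 2.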

FAQs

  1. What should I do if the Amazon Trust Services CAs aren’t in my trust store?

    If your application is using a custom trust store, you must add the Amazon Trust Services root CAs to your application’s trust store. The instructions for doing this vary based on the application or service. Refer to the documentation for the application or service that you’re using.

    If any of the test URLs fail, you must update your trust store. The simplest way to update your trust store is to upgrade the operating system or browser that you're using.

    The following operating systems and runtimes include the Amazon Trust Services CAs:

    • Amazon Linux (all versions)
    • Microsoft Windows with updates installed from January 2005 onward, Windows Vista, Windows 7, Windows Server 2008, and later versions
    • Mac OS X 10.4 with Java for Mac OS X 10.4 Release 5, Mac OS X 10.5, and later versions
    • Red Hat Enterprise Linux 5 (March 2007 release), 6, and 7; CentOS 5, 6, and 7
    • Ubuntu 8.10 and later
    • Debian 5.0 and later
    • Java 1.4.2_12, Java 5 update 2, and all later versions, including Java 6, Java 7, and Java 8

    Modern browsers trust Amazon Trust Services CAs. To update the certificate bundle in your browser, update your browser; see the update page for your browser for instructions.

  2. Why does ACM have to change the trust anchor? Why can’t ACM continue to vend certificates cross signed with C2?

    Some rare clients check the revocation status of every certificate in the chain returned by an endpoint, even when they already hold a shorter path to a trust anchor. If ACM continued to return a chain with the G2 root cross signed by C2, such clients would check the CRL and OCSP responder published for Starfield Class 2, and they would start failing once the CRLs and OCSP responses issued by Starfield Class 2 expire and are no longer refreshed.

  3. When will GoDaddy deprecate the Starfield Class 2 root?

    GoDaddy has not announced specific dates for deprecation of the Starfield Class 2 root. We are working with GoDaddy to minimize customer impact.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the AWS Certificate Manager re:Post or contact AWS Support.

Chandan Kundapur
Chandan is a Principal Technical Product Manager on the Amazon Certificate Manager (ACM) team. With over 15 years of cybersecurity experience, he has a passion for driving our product strategy to help AWS customers identify and secure their resources and endpoints with public and private certificates.

Georgy Sebastian
Georgy is a Senior Software Development Engineer at AWS Cryptography. He has a background in secure system architecture, PKI management, and key distribution. In his free time, he’s an avid reader, amateur gardener and tinkerer.

Anthony Harvey
Anthony is a Senior Security Specialist Solutions Architect for AWS in the worldwide public sector group. Prior to joining AWS, he was a chief information security officer in local government for half a decade. With his public sector experience, he has a passion for figuring out how to do more with less and leveraging that mindset to enable customers in their security journey.

Shankar Rajagopalan
Shankar is a Senior Solutions Architect at Amazon Web Services in Austin, Texas. With two decades of experience in technology consulting, he specializes in sectors such as Telecom and Engineering. His present focus revolves around Security, Compliance, and Privacy.

Author: Chandan Kundapur