AWS Certificate Manager (ACM) is a service for managing TLS certificates for services like Elastic Load Balancing, CloudFront, and API Gateway. Starting in August 2024, public ACM certificates will be anchored to the Starfield G2 Services (G2) root. This change eliminates the cross-signing with GoDaddy’s root. The transition aims to accommodate the discontinuation of the Starfield Class 2 (C2) root. Public certificates issued by ACM are chained to Amazon Trust Services Root CA, ensuring trustworthiness.
The shift will not affect most customers, as Amazon’s trust anchors are widely recognized across platforms. However, clients lacking Amazon Trust Services Root CA in their trust stores will need to add it. Clients whose processes depend on certificate chain length should update them to reflect the reduction in chain length from 3 to 2. Clients are advised to test the validity of certificates from the Amazon Trusted Repository to ensure seamless operation.
Users with custom trust stores must include Amazon Trust Services Root CA. Operating systems like Amazon Linux, Windows, macOS, Red Hat, Ubuntu, Debian, and various versions of Java and browsers trust Amazon’s certificates. While ACM’s change may lead to issues for a few rare clients, the goal is to ensure long-term security and stability by aligning with industry standards. Collaborating with GoDaddy, ACM aims to minimize customer impact during the transition.
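A way to audit a trust store for the roots discussed above, as an added example that is not part of the original article or AWS's own tooling. The root subject strings are assumptions not taken from this page and should be confirmed against the Amazon Trust Services repository; the sample stores are constructed.

```python
import ssl

# Assumed subject strings (not on the page); confirm against the
# Amazon Trust Services repository before relying on them.
AMAZON_ROOTS = {f"Amazon Root CA {n}" for n in range(1, 5)}
STARFIELD_G2 = "Starfield Services Root Certificate Authority - G2"
STARFIELD_C2 = "Starfield Class 2 Certification Authority"  # carried in OU, no CN


def names(cert):
    """CN and OU values from a cert dict shaped like SSLContext.get_ca_certs() output."""
    return {value for rdn in cert.get("subject", ()) for key, value in rdn
            if key in ("commonName", "organizationalUnitName")}


def audit_trust_store(ca_certs):
    """Classify a trust store against the chain ACM serves after the change."""
    present = set().union(*(names(c) for c in ca_certs))
    if present & AMAZON_ROOTS:
        return "ok: Amazon Trust Services root present"
    if STARFIELD_G2 in present:
        return "review: anchors at Starfield G2 only; add the Amazon roots"
    if STARFIELD_C2 in present:
        return "at-risk: only Starfield Class 2 is trusted; cross-sign is going away"
    return "at-risk: no Amazon or Starfield root trusted"


def fake_ca(key, value):
    """Build a constructed CA entry in the get_ca_certs() dict shape."""
    return {"subject": ((("countryName", "US"),), ((key, value),))}


# Constructed sample trust stores (not real certificate data).
MODERN = [fake_ca("commonName", "Amazon Root CA 1"), fake_ca("commonName", STARFIELD_G2)]
G2_ONLY = [fake_ca("commonName", STARFIELD_G2)]
LEGACY = [fake_ca("organizationalUnitName", STARFIELD_C2)]

if __name__ == "__main__":
    for label, store in (("modern", MODERN), ("g2-only", G2_ONLY), ("legacy", LEGACY)):
        print(f"{label:8} {audit_trust_store(store)}")
    # Local store: get_ca_certs() lists only certificates already loaded into
    # the context, so CAs loaded lazily from a capath directory may be missing.
    print("local    " + audit_trust_store(ssl.create_default_context().get_ca_certs()))
```

For a custom trust store, load the bundle with `ssl.SSLContext.load_verify_locations()` and pass that context's `get_ca_certs()` to `audit_trust_store`.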
Feedback and inquiries can be directed to the AWS Certificate Manager support team or through the comments section. The team behind ACM includes experts like Chandan Kundapur, Georgy Sebastian, Anthony Harvey, and Shankar Rajagopalan, experienced in cybersecurity, system architecture, and security solutions in public sectors. Ultimately, AWS’s goal is to provide a secure and reliable infrastructure for customers to manage their digital certificates effortlessly.
Article Source
https://aws.amazon.com/blogs/security/acm-will-no-longer-cross-sign-certificates-with-starfield-class-2-starting-august-2024/