Tech Bulletin: Amazon introduces dynamic intermediate certificate authorities

AWS Certificate Manager (ACM) is a managed service that lets you provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Amazon Web Services (AWS) and your internal connected resources.

Last published on: October 21st, 2022

What is Changing?

On September 14th, the AWS Security Blog announced changes that may affect how our clients manage certificates. The changes take effect on October 11th, 2022.



Who's Impacted & The Audience?

  • The Audience: This technical bulletin is for anyone who manages and administers your network and security.
  • Impacts: If you rely on intermediate CA information through certificate pinning, you will need to make changes and pin to an Amazon Trust Services root CA instead of an intermediate CA or leaf certificate.
    • Certificate pinning: a process in which the application that initiates the TLS connection trusts only a specific public certificate, identified by one or more certificate values that you define. If the pinned certificate is replaced, your application will not establish the connection.
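As an added example (not code from the bulletin, AWS or OpenMethods), the Go program below builds a constructed root, intermediate and leaf certificate, path-validates the chain with the standard library, and then applies SPKI pins to it. All names and hostnames are made up. It shows why the bulletin says to pin the root: after the intermediate is swapped, a pin on the old intermediate no longer matches, while a pin on the root still does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// SpkiPin is the SHA-256 of a certificate's SubjectPublicKeyInfo, the usual form of a pin.
func SpkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// issue creates a constructed test certificate for name, signed by parent (self-signed when parent is nil).
func issue(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { parent, parentKey = tmpl, priv } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// ChainMatchesPins is the standard pin rule: accept only if some certificate in the already path-validated chain is pinned.
func ChainMatchesPins(chain []*x509.Certificate, pins map[[32]byte]bool) bool {
	for _, c := range chain {
		if pins[SpkiPin(c)] { return true }
	}
	return false
}
// RotationDemo builds root -> intermediate 1 -> leaf, then re-issues the leaf under a fresh intermediate 2 (how a
// dynamic intermediate swap looks to a client) and reports whether a root pin and an intermediate-1 pin still accept it.
func RotationDemo() (rootPinOK, intermediatePinOK bool) {
	root, rootKey := issue("root.example.test", true, nil, nil)
	int1, _ := issue("int1.example.test", true, root, rootKey)
	int2, int2Key := issue("int2.example.test", true, root, rootKey)
	leaf, _ := issue("service.example.test", false, int2, int2Key)
	pool := func(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p }
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: "service.example.test", Roots: pool(root), Intermediates: pool(int2)})
	if err != nil { panic(err) } // ordinary path validation must succeed before pins are consulted
	return ChainMatchesPins(chains[0], map[[32]byte]bool{SpkiPin(root): true}),
		ChainMatchesPins(chains[0], map[[32]byte]bool{SpkiPin(int1): true})
}
func main() { r, i := RotationDemo(); println("root pin still accepted:", r, "intermediate-1 pin still accepted:", i) }
```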


I Do Not Pin Certificates

Great! There is nothing more for you to do, and these changes will not impact your services or use of OpenMethods products.



I'm Impacted, What Can I Do To Prepare?

We recommend reading and reviewing the following links from Amazon Web Services and OWASP, and making changes based on them. Following all of the guidance listed will resolve any issues.

  1. Amazon introduces dynamic intermediate certificate authorities
  2. AWS Certificate Manager (ACM) Best Practices
  3. More information on Certificate and Public Key Pinning via OWASP