I received an email notification from Amazon that Amazon S3 and Amazon CloudFront were migrating default certificates to Amazon Trust Services in March 2021.
In 2018, AWS announced a broad migration of AWS services' SSL/TLS certificates to our own Certificate Authority, Amazon Trust Services. Consistent with this change, and beginning March 2021, Amazon S3 and Amazon CloudFront will begin migrating the Certificate Authority for each services' default certificate. Using our own Certificate Authority, AWS services can better manage the security practices used to handle our default certificates.
Your action may be required to ensure your applications continue normal operation after this change. If you already use other AWS services, your application most likely already trusts Amazon Trust Services as many AWS services have already migrated. Visit https://www.amazontrust.com/repository/ for more information about Amazon Trust Services.
To prepare for this migration, visit the announcement blog or review the FAQs below:
https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority/
As a ColdFusion developer, I use Amazon S3 for a couple projects. I've encountered issues in the past and have had to resort to using S3Express: Amazon S3 Command Line Utility to improve performance, thread stability and avoid time-outs. I continue to use CFML to access S3 to generate real-time, time-expiring download links for digital downloads.
I've also accessed some websites via CFHTTP that are hosted by Amazon CloudFront. I decided to check to determine if I needed to manually import the certificates into the trust store or if it would just work. (NOTE: I prefer using CFX_HTTP5 and it worked without having to make any code changes or manually import any certificates. CURL also worked. They both use WinHttp API which leverages the certificates that are updated automatically by Microsoft.) Since this was announced back in 2018, I figured Adobe was on top of this and would have added it to ColdFusion 2018, but it appears that they didn't. (I'm not sure if they've added it to CF2020. Could someone check on that?)
Here's a ColdFusion script that I wrote that performs GET requests using the currently available test URLs:
- https://good.sca1a.amazontrust.com/
- https://good.sca2a.amazontrust.com/
- https://good.sca4a.amazontrust.com/
- https://good.sca0a.amazontrust.com/
I noticed that the new AWS certificates work when testing TryCF and I'm not sure why. (Are they using a proxy?) If you test using CFFiddle, a connection failure error is returned.
TryCF.com Demo
https://www.trycf.com/gist/829e15110b1f8b81576e1782f760475d
Latest comments (0)