Hey everyone! I've heard that the Starfield Class 2 Root CA certificates are being deprecated by AWS and they won't be cross-signing them anymore starting August 2024. I'm curious, how are you all checking to see if your applications will be affected by this change?
3 Answers
They actually stopped including C2 in the chain over a year ago. If you haven't run into issues by now, you're likely good!
If you’re using Java applications with JDK 8 or higher, you should be in the clear since the Amazon Root CAs are included in the JVM unless you specifically have a custom cacerts file. I've also checked Python 3.11 and up, and those come with the Amazon Root CAs included in the certifi package.
From what I've gathered, the main change is that new ACM certificates will now link to Starfield G2 instead of Starfield C2, and the certificate chain is shorter than before. If you have applications that validate their own certificates outside of the OS or a reliable runtime, you might want to check those first. Legacy IoT devices with hardcoded trust stores could be particularly problematic. For AWS-managed services like ALB or API Gateway, they should handle certificate rotation automatically, but it’s still a good idea to verify using the test endpoints in the Amazon Trust Repository documentation.
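An added example (not part of the answers above and not AWS tooling): a Python script that audits a PEM trust bundle, for example a custom trust store exported to PEM or the file returned by `certifi.where()`, for the Amazon Trust Services roots versus the legacy Starfield Class 2 root. Matching roots by subject name and the verdict labels are assumptions of this example.

```python
import ssl
import sys

# Subject common names of the Amazon Trust Services roots (Amazon Root CA 1-4
# and Starfield Services G2). Name matching is this example's assumption.
AMAZON_ROOT_CNS = {
    "Amazon Root CA 1", "Amazon Root CA 2",
    "Amazon Root CA 3", "Amazon Root CA 4",
    "Starfield Services Root Certificate Authority - G2",
}
# The Starfield Class 2 root has no CN; it is identified by its OU.
STARFIELD_C2_OU = "Starfield Class 2 Certification Authority"


def subject_fields(cert):
    """Flatten the nested RDN tuples from get_ca_certs() into {name: value}."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def load_roots(cafile):
    """Load a PEM bundle and return its CA certs as ssl-module dicts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()


def audit_roots(ca_certs):
    """Classify a trust store by which of the roots in question it holds."""
    found, has_c2 = set(), False
    for cert in ca_certs:
        subject = subject_fields(cert)
        if subject.get("commonName") in AMAZON_ROOT_CNS:
            found.add(subject["commonName"])
        if subject.get("organizationalUnitName") == STARFIELD_C2_OU:
            has_c2 = True
    if found:
        verdict = "ok"            # at least one current root is trusted
    elif has_c2:
        verdict = "c2-only"       # trusts only the legacy root: review first
    else:
        verdict = "no-aws-roots"  # neither family present
    return {"amazon_roots": sorted(found), "starfield_class2": has_c2,
            "verdict": verdict}


if __name__ == "__main__" and len(sys.argv) > 1:
    print(audit_roots(load_roots(sys.argv[1])))
```

Run it as `python audit.py /path/to/bundle.pem` (the script name is a placeholder); a `c2-only` result marks the kind of hardcoded trust store the last answer warns about.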
