Amazon Trust Services is a certificate authority created and operated by Amazon Web Services. Amazon Trust Services works with the AWS Certificate Manager service to simplify certificate management and ensure secure communication between a client and a server.
The AWS Certificate Manager can help an IT team overcome the complex, error-prone manual tasks involved with creating Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificates; it enables an administrator to provision, deploy and automatically renew certificates. A user can request a new certificate and deploy it to other Amazon services, including Elastic Load Balancing and Amazon CloudFront.
While Amazon Trust Services provides free certificates to AWS users, an IT team must still obtain and pay for any certificates it needs from other CAs. In addition, an IT pro can upload a non-Amazon Trust Services certificate to AWS Certificate Manager.
Amazon Trust Services: A certificate authority
Consumers and businesses need a way to securely exchange data while staying ahead of bad actors. A digital certificate (or public key certificate) is an electronic credential that binds a public key to an identity and enables secure data exchanges using the public key infrastructure (PKI). Digital certificates are commonly used for initializing SSL/TLS connections between web browsers and servers, and to authenticate digital signatures.
In simple terms, digital certificates help protect information online, encrypt digital transactions, and enable secure multiparty communication.
A certificate authority (CA) is a trusted organization that verifies the identities of websites, devices and people to ensure secure communications and trusted transactions. They do this by issuing digital certificates.
SSL and TLS certificates are critical for encrypting web traffic, and for ensuring safe data exchange and transactions on banking, e-commerce or other kinds of websites containing sensitive data. This is why CAs and digital certificates play a vital role in ensuring digital/internet security.
Amazon Trust Services is a trusted CA that issues digital SSL certificates free to developers who want to encrypt their website or application traffic. It is the root CA for AWS, allowing AWS developers to obtain the verified SSL certificates they need directly from the Amazon ecosystem without having to go to a third-party CA.
Amazon Trust Services: A trustworthy CA
Amazon Trust Services operates five root CAs that enable an IT team to provision and deploy several certificate classes:
- Amazon Root CA 1 uses SHA-256 with a 2,048-bit key;
- Amazon Root CA 2 uses SHA-384 with a 4,096-bit key;
- Amazon Root CA 3 uses ECC P-256 (or NIST P-256);
- Amazon Root CA 4 uses ECC P-384 (or NIST P-384); and
- Starfield Services Root Certificate Authority - G2 uses SHA-256 with a 2,048-bit key.
AWS Certificate Manager only issues certificates from Amazon Root CA 1 (SHA-256 with a 2,048-bit key), which browsers recognize as a valid CA. For additional compatibility, Starfield Services Root Certificate Authority - G2 cross-signs that root, and Starfield Class 2 Certification Authority in turn cross-signs the Starfield Services root.
AWS purchased the Starfield Services CA, a root that has been valid since 2005 and found in most browsers. This ensures the ubiquity of the Amazon Trust Services CA so developers don’t need to take any additional action to use any of its issued certificates.
Common web browsers and operating systems automatically trust certificates issued by Amazon Trust Services. The process of adding a certificate to a server depends on the OS: Windows Server, macOS, Ubuntu or Red Hat Enterprise Linux/Fedora/CentOS.
As noted above, an IT team can also upload a non-Amazon Trust Services certificate to AWS Certificate Manager. The Amazon Trust Services Certificate Policy describes Amazon’s policies and practices for issuing public certificates.
AWS Certificate Manager
In addition to securing communications and data, an SSL certificate helps improve a site’s search rankings. However, SSL/TLS certificates are time-limited and usually valid for only one year. After expiring, a certificate needs to be renewed. IT personnel must manually track and update certificates, which can be difficult and costly.
Amazon Trust Services works with AWS Certificate Manager to ease certificate management for securing client/server communication, and to implement strong data security in the AWS public cloud. With the AWS Certificate Manager service, users can easily provision, manage and deploy public or private SSL/TLS certificates, and use them with their AWS services (e.g., Elastic Load Balancers or Amazon CloudFront distributions), or with internal connected resources.
Benefits of AWS Certificate Manager are as follows:
- eliminates the manual processes associated with using and managing SSL/TLS certificates;
- ensures private keys are protected and stored using strong encryption;
- handles automatic certificate renewals; and
- avoids downtime due to misconfigured, revoked or expired certificates.
To confirm that a site is using a certificate from Amazon Trust Services, click the padlock symbol in the browser’s address bar on the HTTPS site. It will display that you are on a secured connection that is ‘Verified by: Amazon.’
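A programmatic version of that padlock check, added here as an example (it is not part of the original article or of any AWS tool): it reads a server's leaf certificate with Python's standard ssl module, reports the issuer and the days left before expiry, and flags certificates whose issuer organization is Amazon. The issuer organization string "Amazon", the 30-day renewal threshold and the sample certificate dictionary are assumptions.

```python
import socket
import ssl

# Assumption: ACM-issued public certificates carry O=Amazon in the issuer name
# (their issuing intermediates chain up to Amazon Root CA 1, listed above).
EXPECTED_ISSUER_ORG = "Amazon"
WARN_DAYS = 30  # assumed renewal-alert threshold


def cert_time(s):
    """Parse an ssl-style 'Jun  1 12:00:00 2025 GMT' string to a Unix timestamp."""
    return ssl.cert_time_to_seconds(s)


def name_to_dict(name):
    """Flatten ssl's ((('countryName', 'US'),), ...) tuple into a plain dict."""
    return {attr: value for rdn in name for attr, value in rdn}


def assess_cert(cert, now_ts):
    """Summarise a getpeercert()-style dict: issuer, expiry status and whether
    it was issued under Amazon Trust Services. now_ts is a Unix timestamp."""
    issuer = name_to_dict(cert["issuer"])
    expiry_ts = cert_time(cert["notAfter"])
    days_left = int((expiry_ts - now_ts) // 86400)  # floor, so -1 means just expired
    return {
        "issuer_org": issuer.get("organizationName"),
        "issuer_cn": issuer.get("commonName"),
        "days_left": days_left,
        "expired": expiry_ts <= now_ts,
        "renew_soon": days_left < WARN_DAYS,
        "amazon_issued": issuer.get("organizationName") == EXPECTED_ISSUER_ORG,
    }


def fetch_peer_cert(host, port=443):
    """Connect with the default (verifying) context and return the leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Amazon"),),
               (("commonName", "Amazon RSA 2048 M02"),)),
    "notBefore": "May  1 00:00:00 2025 GMT",
    "notAfter": "Jun  1 12:00:00 2025 GMT",
}
```

Run `assess_cert(fetch_peer_cert("your-host"), time.time())` against a live endpoint, or pass SAMPLE_CERT to exercise the logic offline.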