Correct root CA certificate for AWS IoT

0

I managed to correctly connect a device to the AWS IoT MQTT endpoint only by using the "Starfield Class 2 Certification Authority" root certificate. All other options provided by AWS, though added to my certificate store, did not work. Now, "Starfield Class 2 Certification Authority" expires in 2034. How do I make sure that a valid alternative will be available and supported by AWS when "Starfield Class 2 Certification Authority" expires? Note: my IoT device is implemented with the TI CC3220SF Wi-Fi modem.

Thanks, Shimon

3 Answers
0

The Starfield Class 2 Certification Authority is provided for devices where it's impossible to change or override the trust store, and is cross-signed with the ATS CAs. From the Amazon Trust Services Repository:

"Starfield Services Root Certificate Authority - G2" is an older root that is compatible with other older trust stores and clients that cannot be updated. Including all five of the roots ensures maximum compatibility for your application.

Can you share how you are representing the server certificate chain on your device? If your code allows for inclusion of the CA certificate (or multiple ones), this section of the documentation should help. Based on the cipher suite used for server authentication (which can be different from your X.509 certificate and private key), CA1 is used for RSA and CA3 for ECC.

AWS
Gavin_A
answered a month ago
  • Thanks. I'm installing manually only the root CA. It works well with "Starfield Class 2 Certification Authority". It does not work with "Starfield Services Root Certificate Authority - G2" or "Amazon Root CA 1" or "Amazon Root CA 3". Should the latter be enough, each by itself, to validate the server certificate? Or is there a chain of certificates that I need to install?

  • It's going to depend on the RTOS or software that establishes the connection. Can you share what that is and how it's configured to use the CA? For instance, with FreeRTOS and the AWS libraries you can provide a single CA (CA 1 or CA 3) and that is sufficient for it to work. You mentioned a modem so I'm thinking the MQTT portion might be in there?

  • Hi Gavin, I'm using a TI Wi-Fi device (CC3220SF) and the RTOS is TIRTOS7. TI has an MQTT client library in their SimpleLink SDK and I'm using it as is. As part of the client settings, the path where the CA certificate is installed has to be provided. It works perfectly well with "Starfield Class 2 Certification Authority", but fails with "Starfield Services Root Certificate Authority - G2" or "Amazon Root CA 1" or "Amazon Root CA 3". I tried to clarify this issue with the TI support team, but they insist that this is an AWS issue. Thanks

  • Hi Gavin, any more ideas/recommendations how to handle this? Thanks

  • I'm not experienced on how TI handles CA certificates or why this isn't working. My next suggestion would be to open an AWS support case and provide the details that TI provided you regarding this. That way you can get direct support in a private setting.
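To make the cross-signing that Gavin describes concrete, here is an added example (not code from AWS, TI or the poster) that builds a constructed toy PKI with openssl: two hypothetical roots, rootA and rootB, one intermediate key cross-signed by both, and one server leaf. It then models a device that trusts exactly one root and checks which presented chains validate; none of these certificates are Amazon's.

```shell
#!/bin/sh
# Constructed toy PKI (not Amazon's real certificates): two independent roots,
# one intermediate key that is cross-signed by both, and one server leaf.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extensions that mark a certificate as a CA (used for roots and intermediates).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext

# Two self-signed roots: think of an old root already in a device's trust
# store (rootA) and a newer root the operator wants to migrate to (rootB).
for r in rootA rootB; do
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$r.key" -out "$r.csr" -subj "/CN=$r" 2>/dev/null
  openssl x509 -req -in "$r.csr" -signkey "$r.key" -out "$r.pem" \
    -days 365 -extfile ca.ext 2>/dev/null
done

# One intermediate key; the same CSR is signed by both roots, giving two
# certificates with identical subject and public key (a cross-sign).
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout inter.key -out inter.csr -subj "/CN=inter" 2>/dev/null
for r in rootA rootB; do
  openssl x509 -req -in inter.csr -CA "$r.pem" -CAkey "$r.key" -CAcreateserial \
    -out "inter_by_$r.pem" -days 365 -extfile ca.ext 2>/dev/null
done

# Server leaf issued with the intermediate key; its issuer name "inter"
# matches both cross-certificates, so either one can sit above it.
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout leaf.key -out leaf.csr -subj "/CN=leaf.example" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter_by_rootA.pem -CAkey inter.key \
  -CAcreateserial -out leaf.pem -days 365 2>/dev/null

# Model of the device: it trusts exactly one root ($1) and receives the leaf
# plus whichever intermediate the server chose to present ($2).
verify_with() {
  openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
}

# A chain validates only when the presented intermediate leads to the trusted root.
verify_with rootA.pem inter_by_rootA.pem && echo "trust rootA, rootA-signed intermediate: ok"
verify_with rootB.pem inter_by_rootB.pem && echo "trust rootB, rootB-signed intermediate: ok"
verify_with rootA.pem inter_by_rootB.pem || echo "trust rootA, rootB-signed intermediate: fails"
```

The point for a single-root device store is that a cross-signed intermediate lets the same leaf validate under either root, but only if the chain the server actually sends ends at the root the device holds.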

0

Hi. Are you using the legacy endpoint instead of the ATS endpoint?

https://docs.aws.amazon.com/iot/latest/developerguide/server-authentication.html#endpoint-types

You can get the ATS endpoint this way:

aws iot describe-endpoint --endpoint-type iot:Data-ATS

You should consider implementing CA certificate rotation to handle CA certificate expiry. You might also consider using a custom domain so you can manage your own server certificate: https://docs.aws.amazon.com/iot/latest/developerguide/iot-custom-endpoints-configurable-custom.html

AWS
EXPERT
Greg_B
answered a month ago
  • Hi, I'm using the ATS endpoint (**********v0t-ats.iot.us-east-1.amazonaws.com). And yes, I plan on CA certificate rotation to handle CA certificate expiry.

    My concern is the following - since now only "Starfield Class 2 Certification Authority" works and none of those provided by AWS worked, how can I make sure that a future replacement for the "Starfield Class 2 Certification Authority" will work? Any idea why those provided by AWS did not work?

    Thanks, Shimon

0

Hi, I'm using the ATS endpoint (**********v0t-ats.iot.us-east-1.amazonaws.com). And yes, I plan on CA certificate rotation to handle CA certificate expiry.

My concern is the following - since now only "Starfield Class 2 Certification Authority" works and none of those provided by AWS worked, how can I make sure that a future replacement for the "Starfield Class 2 Certification Authority" will work? Any idea why those provided by AWS did not work?

Thanks, Shimon

answered a month ago
