Amazon S3 将服务证书迁移到 Amazon Trust Services

Question

I have websites that link directly to images stores on S3 using HTTPS.

For example:

<img src="https://s3.amazonaws.com/MyBucket/FolderInBucket/ImageFileName.png" />

I wanted to know if I need to change anything so my images on my website will still be accessible after the migration.

Source information link .

Answer 1

You won't have to do anything on your end, the certificate swap is handled by AWS. Whether this has an impact on your application depends on your clients, because this change relates to how they do the certificate verification.

The process is roughly like this:

1. The client makes a request to S3, asking for encrypted communication
2. S3 sends back a certificate, that contains the public key for the initial key exchange using asymmetric encryption.
3. The client verifies the digital signature of the certificate, that means:
   • The certificate is cryptographically signed by a certificate authority (there are intermediate certificate authorities that form a chain of trust, but we're going to ignore these for simplicity.)
   • This signature means the certificate authority guarantees this certificate to be valid
   • The signature is trusted, if the certificate authority is trusted. Each client has a list of trusted root certificates in a local trust store, which the client trusts to guarantee the authenticity of certificates
   • If the new CA is in the local trust store everything is fine, if it isn't there will be an error
   • Afterwards the client will check, if the certificate in question has been revoked. If yes, the connection is terminated, if not it trusts the certificate and the included public key
4. The client generates a session key and encrypts it with the public key from the certificate.
5. The encrypted session key is sent to the server and the server can decrypt it using its private key
6. Now both partners have the session key and can exchange symmetrically encrypted messages using that session key.

So the main question is: Do your clients have the new CA in their trust store?

The answer is: most likely yes

You can have your clients test this by accessing the URL in the post you linked to, which already uses the new certificate:

https://s3-ats-migration-test.s3.eu-west-3.amazonaws.com/test.jpg

If they see this picture, everything is fine:

You can also do this in the background on your website and check if HTTP 200 is returned when requesting the URL. If that's not the case, inform the client there may be problems in the future.