Update Certificate Authorities
The Alexa Voice Service (AVS) requires all Alexa Built-in devices and applications to support certificates vended from Amazon Trust Services (ATS) on all AVS endpoints. Your device or application will not be able to connect to AVS if it does not support ATS certificates.
Test your connection
Verify that your trust store has the correct ATS Certificate Authorities (CA) using the Amazon test endpoints shown in the following table:
Base URLs
Region | Supported Countries/Regions | URL |
---|---|---|
Asia | Australia, Japan, New Zealand, India | https://alexa.fe.gateway.devices.a2z.com |
Europe | Austria, France, Germany, Italy, Spain, United Kingdom | https://alexa.eu.gateway.devices.a2z.com |
North America | Canada, Mexico, United States | https://alexa.na.gateway.devices.a2z.com |
Legacy Base URLs
Region | Supported Countries/Regions | URL |
---|---|---|
Asia | Australia, Japan, New Zealand, India | https://avs-alexa-fe.amazon.com |
Europe | Austria, France, Germany, Italy, Spain, United Kingdom | https://avs-alexa-eu.amazon.com |
North America | Canada, Mexico, United States | https://avs-alexa-na.amazon.com |
- These test endpoints are configured with ATS vended certificates only and can verify that your device or application successfully creates a secure connection.
- These test endpoints can validate HTTP/2 and HTTP/1.x connections.
- When creating an HTTP/2 connection, your client might receive a "connection established with ATS certificate" message. HTTP/1.x connections might receive unexpected HTTP/1.x messages despite successfully creating a secure connection. This behavior is expected.
- These endpoints are for certificate validation purposes only. They are not full AVS endpoints and do not support the full AVS API.
- Do not remove the existing certificate authorities from your trust store.
ATS Certificate Authorities
Verify that you have the following Amazon Root CAs and Starfield CAs in your trust store.
- ATS certificates are issued by CAs that chain from one of four possible Amazon root CAs:
  - "Amazon Root CA 1"
  - "Amazon Root CA 2"
  - "Amazon Root CA 3"
  - "Amazon Root CA 4"
- These roots are cross-signed by two other roots:
  - "Starfield Services Root Certificate Authority - G2"
  - "Starfield Class 2 Certification Authority"
For more details about how to tell if the ATS CAs are in your trust store, see How to Prepare for AWS’s Move to Its Own Certificate Authority.
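One way to check a trust store for the six roots named above, as an added example (not code from Amazon or the AVS Device SDK). The function names are hypothetical; names are matched against both the subject CN and OU because the Starfield Class 2 root carries its name in the OU field rather than a CN.

```python
import ssl

# Root names as listed on this page.
ATS_ROOTS = (
    "Amazon Root CA 1",
    "Amazon Root CA 2",
    "Amazon Root CA 3",
    "Amazon Root CA 4",
    "Starfield Services Root Certificate Authority - G2",
    "Starfield Class 2 Certification Authority",
)
NAME_FIELDS = ("commonName", "organizationalUnitName")


def subject_names(cert):
    """CN and OU values from one dict returned by SSLContext.get_ca_certs()."""
    return {value
            for rdn in cert.get("subject", ())
            for key, value in rdn
            if key in NAME_FIELDS}


def missing_ats_roots(ca_certs, required=ATS_ROOTS):
    """Return the required root names absent from ca_certs, in page order."""
    present = set()
    for cert in ca_certs:
        present |= subject_names(cert)
    return [name for name in required if name not in present]


def load_trust_store(cafile=None):
    """Load CA certs from a PEM bundle, or from the system default store.
    Only certificates loaded from a CA file are listed; a hashed CA
    directory (capath) is read lazily and does not appear here."""
    if cafile:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


if __name__ == "__main__":
    missing = missing_ats_roots(load_trust_store())
    for name in missing:
        print("MISSING:", name)
    raise SystemExit(1 if missing else 0)
```

Run as a script, it prints each missing root and exits non-zero, so it can gate a device image build or a provisioning step.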
Test on Raspbian Linux
The ATS Certificate Authorities (CA) files are located here: https://www.amazontrust.com/repository/
The following example shows how to update certificate authorities for Raspbian Linux:
- Raspbian maintains its SSL certificates in this directory:
/usr/share/ca-certificates
- Verify the ATS CAs are present in the following file:
/etc/ca-certificates.conf
- Add any missing ATS CAs to your distribution. This example shows how to add Amazon Root CA 1. Repeat this step for any missing CA:
cd /usr/share/ca-certificates
wget https://www.amazontrust.com/repository/AmazonRootCA1.pem -O /usr/share/ca-certificates/AmazonRootCA1.pem
echo "AmazonRootCA1.pem" >> /etc/ca-certificates.conf
update-ca-certificates
- Verify the system-level SSL library successfully connects. This command shows the default used by the AVS Device SDK:
openssl s_client -tls1_2 -connect avs-alexa-na.amazon.com:443 -verify 10
- To test AVS Device SDK connectivity, edit the “AlexaClientSDKConfig.json” file and add the following to the "sampleApp" configuration. Verify that you are not getting an SSL exception by running the sample app and inspecting the console log entries in debug mode.
Note: You should expect failures, but not failures due to SSL connection issues.
"endpoint": "https://alexa.na.gateway.devices.a2z.com"
Need More Help?
- AWS Amazon Trust Services
- Mozilla CA Certificate Store
- Chrome’s Plan to Distrust Symantec Certificates