Update Certificate Authorities

On March 14, 2018, an email was sent to registered Alexa developers with the requirement to update certificate authorities for all Alexa Voice Service (AVS) clients. This guide provides additional directions to help meet this requirement.

What's Happening?

AVS is moving to Amazon Trust Services (ATS) certificates for all AVS endpoints. AVS will require all Alexa Built-in devices and applications to support certificates vended from ATS by June 15, 2018 on all AVS endpoints. Your device or application will not be able to connect to AVS if it does not support ATS certificates after June 15,2018.

What Can I Do About It?

We recommend testing that your device or application successfully connects to the AVS endpoints using ATS certificates.

How Do I Test My Connection?

We recommend verifying that your trust store has the correct ATS Certificate Authorities (CA) using our test endpoint: https://avs-ats-cert-test.amazon.com.

  1. This test endpoint is configured with ATS vended certificates only and may be used to verify that your device or application successfully creates a secure connection.
  2. This test endpoint may be used to validate HTTP/2 and HTTP/1.x connections.
    • When creating an HTTP/2 connection, your client may receive a "connection established with ATS certificate" message, while HTTP/1.x connections may receive unexpected HTTP/1.x messages despite successfully creating a secure connection. This is the expected behavior.
    • This endpoint is for certificate validation purposes only, it is not a full AVS endpoint, and does not support the full AVS API.
  3. We do not recommend removing any existing certificate authorities from your trust store.

ATS Certificate Authorities

Verify that you have the following Amazon Root CAs and Starfield CAs in your trust store.

  • ATS certificates are issued by CAs that chain from one of four possible Amazon root CAs:
    • "Amazon Root CA 1"
    • "Amazon Root CA 2"
    • "Amazon Root CA 3"
    • "Amazon Root CA 4"
  • These roots are cross-signed by two other roots:
    • "Starfield Services Root Certificate Authority - G2"
    • "Starfield Class 2 Certification Authority"

For more information on how to tell if the ATS CAs are in your trust store, click here.

Test on Raspbian Linux

The Amazon Trust Services (ATS) Certificate Authorities (CA) files are located here: https://www.amazontrust.com/repository/.

This is an example of how to update certificate authorities for Raspbian Linux:

  1. Raspbian maintains its SSL certificates in this directory:
  2. Verify the ATS CAs are present the following file:
  3. Add any missing ATS CAs to your distribution. This example shows how to add Amazon ROOT CA 1. This step must be repeated for any missing CA:
    cd /usr/share/ca-certificates
    wget https://www.amazontrust.com/repository/AmazonRootCA1.pem -O /usr/share/ca-certificates/AmazonRootCA1.pem
    echo "AmazonRootCA1.pem" >> /etc/ca-certificates.conf
  4. Verify the system-level SSL library can successfully connect (this is the default used by the AVS Device SDK):
    openssl s_client -tls1_2 -connect avs-ats-cert-test.amazon.com:443 -verify 10
  5. To test AVS Device SDK connectivity, edit the “AlexaClientSDKConfig.json”, and add the following to the "sampleApp" configuration. Verify that you are not getting an SSL exception by running the sample app and inspecting the console log entrees in debug mode.
    "endpoint" https://avs-ats-cert-test.amazon.com

Need More Help?