Update Certificate Authorities


The Alexa Voice Service (AVS) requires all Alexa Built-in devices and applications to support certificates vended from Amazon Trust Services (ATS) on all AVS endpoints. Your device or application will not be able to connect to AVS if it does not support ATS certificates.

Test your connection

Verify that your trust store has the correct ATS Certificate Authorities (CA) using the Amazon test endpoints shown in the following table:

Base URLs

Region Supported Countries/Regions URL
Asia Australia, Japan, New Zealand https://alexa.fe.gateway.devices.a2z.com
Europe Austria, France, Germany, India, Italy, Saudi Arabia, United Arab Emirates, Spain, United Kingdom https://alexa.eu.gateway.devices.a2z.com
North America Brazil, Canada, Mexico, United States https://alexa.na.gateway.devices.a2z.com

Legacy Base URLs

Region Supported Countries/Regions URL
Asia Australia, Japan, New Zealand https://avs-alexa-fe.amazon.com
Europe Austria, France, Germany, India, Italy, Saudi Arabia, United Arab Emirates, Spain, United Kingdom https://avs-alexa-eu.amazon.com
North America Brazil, Canada, Mexico, United States https://avs-alexa-na.amazon.com
  • These test endpoints are configured with ATS vended certificates only and can verify that your device or application successfully creates a secure connection.
  • These test endpoints can validate HTTP/2 and HTTP/1.x connections.
    • When creating an HTTP/2 connection, your client might receive a "connection established with ATS certificate" message, although HTTP/1.x connections might receive unexpected HTTP/1.x messages despite successfully creating a secure connection. This behavior is expected.
    • These endpoints are for certificate validation purposes only and are not full AVS endpoints or support the full AVS API.
  • Do not remove the existing certificate authorities from your trust store.

ATS Certificate Authorities

Verify that you have the following Amazon Root CAs and Starfield CAs in your trust store.

  • ATS certificates are issued by CAs that chain from one of four possible Amazon root CAs:
    • "Amazon Root CA 1"
    • "Amazon Root CA 2"
    • "Amazon Root CA 3"
    • "Amazon Root CA 4"
  • These roots are cross-signed by two other roots:
    • "Starfield Services Root Certificate Authority - G2"
    • "Starfield Class 2 Certification Authority"

For more details about how to tell if the ATS CAs are in your trust store, see How to Prepare for AWS’s Move to Its Own Certificate Authority.

Test on Raspbian Linux

The ATS Certificate Authorities (CA) files are located here: https://www.amazontrust.com/repository/.

The following example shows how to update certificate authorities for Raspbian Linux:

  1. Raspbian maintains its SSL certificates in this directory:
    /usr/share/ca-certificates
    
  2. Verify the ATS CAs are present the following file:
    /etc/ca-certificates.conf
    
  3. Add any missing ATS CAs to your distribution. This example shows how to add Amazon ROOT CA 1. Repeat this step for any missing CA:
    cd /usr/share/ca-certificates
    
    wget https://www.amazontrust.com/repository/AmazonRootCA1.pem -O /usr/share/ca-certificates/AmazonRootCA1.pem
    
    echo "AmazonRootCA1.pem" >> /etc/ca-certificates.conf
    
    update-ca-certificates
    
  4. Verify the system-level SSL library successfully connects. This command shows the default used by the AVS Device SDK:
    openssl s_client -tls1_2 -connect avs-alexa-na.amazon.com:443 -verify 10
    
  5. To test AVS Device SDK connectivity, edit the “AlexaClientSDKConfig.json”, and add the following to the "sampleApp" configuration. Verify that you are not getting an SSL exception by running the sample app and inspecting the console log entrees in debug mode.
    "endpoint" https://alexa.na.gateway.devices.a2z.com
    

Need More Help?


Was this page helpful?

Last updated: Nov 27, 2023