AWS Certificate Manager to Shift Trust Anchor, Ending Cross-Signature with Starfield Class 2 Root

Harsh Viradia - Oct 29 - Dev Community

As part of an essential security update, AWS Certificate Manager (ACM) will adjust its public certificate hierarchy and will no longer cross-sign with the GoDaddy Starfield Class 2 (C2) root after August 2024. Moving forward, ACM public certificates will terminate directly at the Starfield Services G2 (G2) root, with the trust anchor specified as "C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2". This change is a proactive alignment with future compatibility needs and evolving browser trust policies.

What is AWS Certificate Manager (ACM)?

AWS Certificate Manager (ACM) simplifies and manages the process of provisioning, deploying, and maintaining TLS certificates across AWS services, such as Elastic Load Balancing (ELB), Amazon CloudFront, and Amazon API Gateway. Using certificates from Amazon Trust Services, ACM leverages a structured hierarchy to ensure secure connections across AWS-managed environments.

Background: Trust Chain Hierarchy

Since its launch in 2016, ACM has broadened device and browser acceptance of its certificates through a cross-signed trust chain that leads to the Starfield Class 2 root. AWS certificates are rooted in Amazon Trust Services under Amazon Root CAs 1 to 4; those roots were cross-signed by Starfield Services G2, which was in turn cross-signed by Starfield Class 2. This initial structure extended trust through Starfield Class 2, which was widely accepted and trusted at the time.

Key Update Starting August 2024

Beginning in August 2024, ACM-issued certificates will anchor to the Starfield Services G2 root and will no longer include the Starfield Class 2 root in the trust chain. The last certificate in the chain provided by ACM will be Starfield Services G2, without the Starfield Class 2 cross-signature.
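The practical question for an operator is which of the two hierarchies described above a given endpoint is actually presenting. The following script is an added example, not code from the original post or from AWS: it parses the "Certificate chain" section that `openssl s_client -connect host:443 -showcerts` prints and reports whether the chain still ends at the Starfield Class 2 cross-signature or now terminates at Starfield Services G2. The two sample chains are constructed for illustration; the root distinguished names are the public Starfield and Amazon Trust Services names, while the intermediate and leaf names are placeholders.

```python
"""Classify the trust anchor presented in a TLS certificate chain.

Input is the text printed by `openssl s_client -showcerts`, whose chain
section lists each certificate as " N s:<subject>" followed by
"   i:<issuer>". Only those two lines per certificate are needed to see
which root the chain is built toward. (Added example; not ACM's code.)
"""
import re
import sys

# Root DNs as OpenSSL prints them (with whitespace around '=' removed).
STARFIELD_G2 = "CN=Starfield Services Root Certificate Authority - G2"
STARFIELD_CLASS2 = "OU=Starfield Class 2 Certification Authority"
AMAZON_ROOT = "CN=Amazon Root CA"

_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")


def _normalize(dn):
    """Canonicalise a DN so 'C = US, O = X' (OpenSSL 1.1+/3.x) and
    '/C=US/O=X' (older OpenSSL) compare the same way."""
    dn = dn.strip()
    if dn.startswith("/"):
        dn = ", ".join(part for part in dn[1:].split("/") if part)
    return re.sub(r"\s*=\s*", "=", dn)


def parse_chain(showcerts_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain = []
    subject = None
    for line in showcerts_output.splitlines():
        m = _SUBJECT.match(line)
        if m:
            subject = _normalize(m.group(2))
            continue
        m = _ISSUER.match(line)
        if m and subject is not None:
            chain.append((subject, _normalize(m.group(1))))
            subject = None
    return chain


def classify_anchor(chain):
    """Name the root the presented chain is built toward.

    'starfield-class2': last issuer is Starfield Class 2, i.e. the
                        pre-August-2024 cross-signed chain is still sent
    'starfield-g2'    : the chain terminates at Starfield Services G2
    'amazon-root'     : the chain stops at an Amazon Root CA with no
                        Starfield cross-signature sent at all
    'other'           : anything else (not an Amazon Trust Services chain)
    """
    if not chain:
        raise ValueError("empty chain")
    _subject, last_issuer = chain[-1]
    if STARFIELD_CLASS2 in last_issuer:
        return "starfield-class2"
    if STARFIELD_G2 in last_issuer:
        return "starfield-g2"
    if AMAZON_ROOT in last_issuer:
        return "amazon-root"
    return "other"


# Constructed sample: the old hierarchy, ending in G2 cross-signed by Class 2.
OLD_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Amazon, CN = Example Issuing CA
 1 s:C = US, O = Amazon, CN = Example Issuing CA
   i:C = US, O = Amazon, CN = Amazon Root CA 1
 2 s:C = US, O = Amazon, CN = Amazon Root CA 1
   i:C = US, ST = Arizona, L = Scottsdale, O = Starfield Technologies, Inc., CN = Starfield Services Root Certificate Authority - G2
 3 s:C = US, ST = Arizona, L = Scottsdale, O = Starfield Technologies, Inc., CN = Starfield Services Root Certificate Authority - G2
   i:C = US, O = Starfield Technologies, Inc., OU = Starfield Class 2 Certification Authority
---
"""

# Constructed sample: the new hierarchy, where nothing issued by Class 2 is
# sent and the chain terminates at Starfield Services G2.
NEW_CHAIN = """\
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Amazon, CN = Example Issuing CA
 1 s:C = US, O = Amazon, CN = Example Issuing CA
   i:C = US, O = Amazon, CN = Amazon Root CA 1
 2 s:C = US, O = Amazon, CN = Amazon Root CA 1
   i:C = US, ST = Arizona, L = Scottsdale, O = Starfield Technologies, Inc., CN = Starfield Services Root Certificate Authority - G2
---
"""

if __name__ == "__main__":
    # Pipe real output in:  openssl s_client -connect host:443 -showcerts </dev/null | python3 this.py
    text = sys.stdin.read() if not sys.stdin.isatty() else NEW_CHAIN
    print(classify_anchor(parse_chain(text)))
```

Run it against each endpoint after ACM renews a certificate: a result of `starfield-g2` confirms the new hierarchy, while `starfield-class2` means the older cross-signed chain is still being served and the endpoint should be revisited before the Class 2 root loses browser trust in 2025.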

Why the Update? Browser and Root Compatibility Evolution

This change aligns with planned updates in browser and trust policies. GoDaddy, which operates Starfield Class 2, plans to withdraw support for this root, and both Chromium and Mozilla browsers have announced that Starfield Class 2 will lose trust status by April 2025. AWS has secured extended support for Starfield C2 through December 31, 2025, to assist with transition, but due to ACM’s 13-month certificate validity period, this change is being phased in now to ensure smooth continuity and compatibility.

How Does This Affect ACM Users?

AWS expects this adjustment to have minimal impact for most ACM users, given the long-standing trust and compatibility of Amazon-owned roots. Devices and browsers widely recognize Amazon-owned trust anchors, including Starfield Services G2. Amazon Root CAs 1 to 4 are also supported by iOS 11 and above and by Android versions from Gingerbread onward. Consequently, ACM-issued certificates anchored to G2 are expected to remain widely trusted across applications, browsers, and devices.

This transition underscores ACM’s commitment to security and compatibility in alignment with updated standards and device/browser requirements.

Thank you for reading the blog!
Content Copyright reserved by Author Harsh Viradia.
Contact: https://www.linkedin.com/in/harsh-viradia/
