Amazon Web Services has an upcoming change that could impact your communication with AWS services. Please read the below communication from AWS and take appropriate actions.

If you are unsure about how or what to do in your specific case, please reach out to our support staff at We’re happy to help!

Update certificate authority

Amazon will be updating the certificate authority (CA) for the certificates used by Amazon Simple Queue Service domain(s), between March 5, 2018 to March 30, 2018. After the updates complete, the SSL/TLS certificates used by Amazon SQS will be issued by Amazon Trust Services (ATS), the same certificate authority (CA) used by AWS Certificate Manager.
The update means that customers accessing AWS SQS endpoints via HTTPS whether through browsers or programmatically, you’ll need to update the trusted CA list on your client machines. That is, unless you already support any of the following CAs:

  • • “Amazon Root CA 1”
  • “Starfield Services Root Certificate Authority – G2”
  • “Starfield Class 2 Certification Authority”

This upgrade notice covers the following endpoints:

  • []

If your clients already trust at least one of the above three CAs then they will trust our certificates and no action is required. However, if you do not already trust any of the above CAs and do not add them to your trusted CA list by 05 March 2018, HTTPS connections to the Amazon SQS APIs will not be established.
For more information about this AWS update, please visit this blog post.
For information on the Amazon root CA see:

Operating Systems With ATS Support

  • Microsoft Windows versions that have January 2005 or later updates installed, Windows Vista, Windows 7, Windows Server 2008, and newer versions
  • Mac OS X 10.4 with Java for Mac OS X 10.4 Release 5, Mac OS X 10.5 and newer versions
  • Red Hat Enterprise Linux 5 (March 2007), Linux 6, and Linux 7 and CentOS 5, CentOS 6, and CentOS 7
  • Ubuntu 8.10
  • Debian 5.0
  • Amazon Linux (all versions)
  • Java 1.4.2_12, Java 5 update 2, and all newer versions, including Java 6, Java 7, and Java 8

Updating your Client Browser

You can update the certificate bundle in your browser simply by updating your browser. Instructions for the most common browsers can be found on the browsers websites:

  • Chrome:
  • FireFox:
  • Safari:
  • Microsoft Internet Explorer: – Certificate bundles for Internet Explorer are managed by the Windows OS, so ensure that you update the OS as well.

Testing Your Programmatic Access To SQS

If you access Amazon SQS programmatically, you will need to write a test that performs an HTTPS GET to and validate that the TLS handshake succeeds.

Most AWS SDKs and CLIs are not impacted by the transition to the Amazon Trust Services CA. If you are using a version of the Python AWS SDK or CLI released before October 29, 2013, you must upgrade. The .NET, Java, PHP, Go, JavaScript, and C++ SDKs and CLIs do not bundle any certificates, so their certificates come from the underlying operating system. The Ruby SDK has included at least one of the required CAs since June 10, 2015. Before that date, the Ruby V2 SDK did not bundle certificates.

You can test your changes against the SQS Paris region ( which used Amazon Trust Services (ATS) since it was launched on December 18, 2017.

Manually Updating Your Certificate Bundle

If you cannot access and you need to update your certificate bundle, then you can do so by importing at least one of the required CAs. They can be found here. Instructions for importing a root CA certificate into your certificate bundle will vary so please consult the documentation that came with your software.

Need support on AWS cloud?
If you need assistance or have any questions about this, please let us know and we’ll be happy to help you.

iso 27001 & isae 3402 inQdo BV

simplifying cloud and integration together

inQdo B.V.

Coltbaan 1-19

3439 NG Nieuwegein

+31 85 2011161