2016/03/09 - 2:10 AM PDT - Update


The SHA-1 issuance deadlines have passed and we have decommissioned the test endpoint https://www.amazonsha256.com. Customers wishing to test against SHA-256 endpoints can do so by going to any of our endpoints, such as https://aws.amazon.com.





2015/11/12 - 6:10 AM PDT - Update


Amazon CloudFront will stop providing SHA-1 as the default SSL certificate starting on December 15th, 2015. The default SHA-1 certificate will be replaced with a SHA-256-based certificate to ensure a higher level of security and browser compatibility. This will take approximately one week to propagate to all the Edge locations worldwide.



For more details please refer to the links below:

1.   https://aws.amazon.com/security/security-bulletins/aws-to-switch-to-sha256-hash-algorithm-for-ssl-certificates/

2.   https://forums.aws.amazon.com/ann.jspa?annID=3360 (You will need an AWS account to access the forum message).






2015/09/11 - 8:15 AM PST - Update


Amazon CloudFront will continue to provide the SHA-1 certificate as the default SSL option until the end of 2015. Customers that want to use a SHA-256 certificate can bring their own certificate and use the custom SSL option.




2015/06/29 9:00 AM PST

AWS Security wanted to notify customers about the progress of the SHA256 update project to ensure that customers can continue to connect to AWS.


AWS service teams have been working diligently to deprecate the use of SHA1 as a hashing algorithm and convert to the new SHA256 certificates. They are targeting to have their work completed by Sept. 30, 2015; however, some service teams have already started to roll out changes and now require updated certificates on the client end. What this means for customers is that when an AWS service team completes their migration to the new certificates on the service end, certain (older) clients will no longer be able to connect to the service until the customer updates the CA bundle on the client end. Therefore, we’re urging customers who have not tested their compatibility to do so as soon as possible by navigating to a test endpoint that we have set up: https://www.amazonsha256.com. If your browser supports SHA256, you should see a message that the negotiation was successful. If it is not successful, you will need to update the certificate bundle in your client.


Note that some customers will also need to update the certificate bundles in proxies if their network architecture uses intermediary devices to proxy Internet requests.


If you access AWS programmatically, you can download a zip file containing test scripts for supported languages and execute it with the instructions posted in the original security bulletin about the SHA256 update.