Amazon Web Services continues to extend its reach into IT products, applying today to Mozilla and the Android Open Source Project to become a root Certificate Authority, also known as a CA. The move will allow Amazon to sell Secure Sockets Layer (SSL) certificates to developers looking to encrypt their website or application traffic.
By becoming a root CA, Amazon can sell SSL certificates that are automatically trusted by common web browsers and operating systems. SSL certificates are commonly used to encrypt web traffic on banking, e-commerce or other sites that contain sensitive data.
It is unclear how big the revenue opportunity for Amazon is for digital certificates and how aggressively they will market them, but providing encryption certificates seems to be a natural add-on service for Amazon Web Services. If AWS has its own root Certificate Authority, AWS developers no longer have to visit a third-party certificate provider to purchase verified digital certificates.
Amazon enters a fairly crowded SSL encryption market and is poised to compete with major certificate providers like Comodo, Symantec, GoDaddy, GlobalSign and DigiCert.
Amazon’s Mozilla and Android CA applications indicate that they wish to be included in the list of Firefox and Android trusted CAs. The submission process for Microsoft and Apple isn’t public, so it is unknown if the same submission was made to those two programs today to cover Microsoft and Apple products.
The CA application gives more detail about Amazon’s plan for their own commercial Certificate Authority, indicating that they will offer both standard and extended server authentication certificates to the general public.
CA Name: Amazon
Websites: https://aws.amazon.com/ and http://www.awstrust.com/repository/
One Paragraph Summary of CA:
The Amazon PKI is run by Amazon Web Services. Amazon is a commercial CA that will provide certificates to customers from around the world. We will offer certificates for server authentication, client authentication, email (both signing and encrypting), and code signing. We will offer both standard and extended validation server authentication certificates. Customers of the Amazon PKI are the general public. We do not require customers that customers have a domain registration with Amazon, use domain suffixes where Amazon is the registrant, or have other services from Amazon.
If you’ve ever clicked on the lock icon in your browser address bar on an encrypted webpage, you will find information on the CA who is verifying the source of the website traffic. Amazon currently uses Verisign (Symantec) certificates to encrypt their own web traffic.
In this example, VeriSign has issued a certificate to Amazon based on an identity verification process of Amazon. The web browser checks with the certificate provider to see if the certificate is still valid and trusts the certificate because of the identity verification process that is performed by a root Certificate Authority.
The move into SSL certificates is similar to a move the company made last year to start offering domain name registration services to AWS customers.
We have reached out to Amazon for comment on their CA plans.