Alexa Voice Service (AVS) is moving to Amazon Trust Services (ATS) certificates for all AVS endpoints. AVS will require all Alexa-enabled devices and applications to support certificates vended from ATS by June 15, 2018 on all AVS endpoints. Your device or application will not be able to connect to AVS if it does not support ATS certificates after June 15,2018.
What can I do about it?
We recommend testing that your device or application successfully connects to the AVS endpoints using ATS certificates.
How do I test my connection?
We recommend verifying that your trust store has the correct ATS Certificate Authorities (CA) using our test endpoint: https://avs-ats-cert-test.amazon.com.
- This test endpoint is configured with ATS vended certificates only and may be used to verify that your device or application successfully creates a secure connection.
- This test endpoint may be used to validate HTTP/2 and HTTP/1.x connections.
- When creating an HTTP/2 connection, your client may receive a “connection established with ATS certificate” message, while HTTP/1.x connections may receive unexpected HTTP/1.x messages despite successfully creating a secure connection. This is the expected behavior.
- This endpoint is for certificate validation purposes only, it is not a full AVS endpoint, and does not support the full AVS API.
- We do not recommend removing any existing certificate authorities from your trust store.
ATS Certificates Authorities:
Verify that you have the following Amazon Root CAs and Starfield CAs in your trust store.
- ATS certificates are issued by CAs that chain from one of four possible Amazon root CAs:
- "Amazon Root CA 1"
- "Amazon Root CA 2"
- "Amazon Root CA 3"
- "Amazon Root CA 4"
- These roots are cross-signed by two other roots:
- "Starfield Services Root Certificate Authority - G2"
- "Starfield Class 2 Certification Authority"
For more information on how to tell if the ATS CAs are in your trust store, click here.
Need more help?