Amazon is now a certificate authority, or CA, and has launched a new service that issues digital certificates for free to developers.
With its new CA, Amazon Trust Services (ATS), the company has now entered the digital-certificate business, a field currently dominated by Symantec and GoDaddy.
On top of that, its AWS Certificate Manager, or ACM, enables AWS developers to provision and manage Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.
Clicking on the padlock symbol in the browser bar of an HTTPS website with a certificate from Amazon will now display that the user is on a secured connection 'Verified by: Amazon'.
For now, there are a number limitations to the service. For example, ACM's availability is currently restricted to the US East North Virginia region, and certificates acquired from each region are unusable in other regions. More regions are in the works, according to Amazon spokesman Jeff Barr.
The move by Amazon follows a beta launch in December of the Mozilla-backed Let's Encrypt free digital-certificate service, which aims to make it easier for website operators to enable HTTPS. Content delivery network (CDN) CloudFlare also offers free certificates for its users.
Amazon points out that one reason why developers would want to use an SSL certificate is that it should improve their site's search rankings. Google, for example, uses HTTPS as a signal in its search algorithm.
ACM will also help developers handle issues such as misconfigured, revoked or expired certificates. Given that developers can get free digital certificates, the cost of certificate management is likely to hold greater appeal than the certificate's price. It should also offer a benefit to businesses in regulated industries that may be required to encrypt sessions.
However, unlike Let's Encrypt, Amazon's free certificates are for customers that use its Elastic Load Balancers and its CDN Amazon CloudFront.
Amazon also notes in an FAQ that ACM certificates use RSA keys with a 2,048-bit modulus and SHA-256. But they do not support Perfect Forward Secrecy, which would prevent 'retrospective decryption' if, say, the NSA forced AWS to turn over a private SSL key in the future.
Also, for now, AWS is also not offering Extended Validation certificates, which are usually more expensive and trigger the green bar displaying a company's name.
Amazon's CA has been in the work for some time. The company filed applications with Mozilla and the Android Open Source Project to be recognised as a root CA last June.