
Problem concerning the renewal of AWS certificate

former_member596578
Participant
0 Kudos

Dear experts,

one of our Trust Certificates from AWS has expired and I'd like to renew it:

Screenshot 1: 2019-04-04-11-08-40-window.png

Whenever I fetch the certificate with Google Chrome the following one is shown:

Screenshot 2: inked2019-04-04-11-11-00-window-li.jpg

As this is not the certificate I want to update, I looked up the alternative applicants within the certificate and the following ones are displayed:

Screenshot 3: inked2019-04-04-11-17-11-window-li.jpg

If I'm correct this segment is stating that the certificate I am looking for ('eu-west-1.queue.amazonaws.com') is included in 'sqs.eu-west-1.amazonaws.com'.

My question is: Is this really the case and 'eu-west-1.queue.amazonaws.com' is therefore obsolete or is there another way to get the certificate for 'eu-west-1.queue.amazonaws.com'?

Thanks in advance,

Nils
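The check the question asks about (is a host name covered by the Subject Alternative Names of the certificate the server presents, and has that certificate expired), as an added example that is not part of the original thread. The SAN entries and expiry date in `SAMPLE_CERT` are constructed for illustration, and the function names are hypothetical; `fetch_cert` reads the real values when network access is available.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the SAN entries and the date are illustrative, not read from the live endpoint.
SAMPLE_CERT = {
    "notAfter": "Mar 21 12:00:00 2020 GMT",
    "subjectAltName": (
        ("DNS", "sqs.eu-west-1.amazonaws.com"),
        ("DNS", "eu-west-1.queue.amazonaws.com"),
        ("DNS", "*.eu-west-1.queue.amazonaws.com"),
    ),
}

def san_matches(pattern, host):
    """RFC 6125-style match: '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covering_sans(cert, host):
    """Return the DNS SAN entries of cert that cover host (empty list: not covered)."""
    sans = cert.get("subjectAltName", ())
    return [value for kind, value in sans if kind == "DNS" and san_matches(value, host)]

def is_expired(cert, now=None):
    """Compare the certificate's notAfter field with now (UTC)."""
    now = now or datetime.now(timezone.utc)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return now.timestamp() >= not_after

def fetch_cert(host, port=443):
    """Live variant (needs network): validated TLS handshake, parsed leaf certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for host in ("eu-west-1.queue.amazonaws.com", "email.eu-west-1.amazonaws.com"):
        print(host, covering_sans(SAMPLE_CERT, host), is_expired(SAMPLE_CERT))
```

A host name that returns an empty list is not covered by that certificate, whatever name the trust-store entry carries.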

Accepted Solutions (1)

former_member197728
Active Participant

Hi Nils,

the guide on the Amazon certificates is here: https://help.sap.com/viewer/0f9408e4921e4ba3bb4a7a1f75f837a7/1902.500/en-US/ea05476cc4424219aa70b4ec...

You can either install the intermediate and root certificates in your trust store (certificate chain) OR you install the leaf certificate in your trust store.

You can check it on your own: both the sqs.eu-west-1 and the email.eu-west-1 are using the Amazon Root CA 1 (one of Amazon's certificate authorities).

So when uploading the Amazon Root CA 1 (leaf certificate) into your Certificate Trust List, you are good to go in both cases (sqs* and email*).

Please mark your question as answered, if my comment helped.

Best regards,

Tim

former_member596578
Participant
0 Kudos

Hi Tim,

thanks for your fast answer, though 'email.eu-west-1.amazonaws.com' is already inbound:

Screenshot: inked2019-04-04-12-17-50-window-li.jpg

I don't really understand what you're trying to tell me... I'm asking specifically for 'eu-west-1.queue.amazonaws.com'. Do you reckon that 'email.eu-west-1.amazonaws.com' is in fact concordant to 'eu-west-1.queue.amazonaws.com'? Why do the two of those exist as separate units in the system then?

BR,

Nils

former_member197728
Active Participant
0 Kudos

Hi Nils,

sorry, my last answer was misleading.

I actually missed the right certificate name. However, I have now edited my answer.

Best regards,

Tim

former_member596578
Participant
0 Kudos

(1/2)

Hi Tim,

thanks for helping out.

In your updated answer you are comparing 'email.eu-west-1.amazonaws.com' and 'sqs.eu-west-1.amazonaws.com'. Both of those are fine in my system and up to date. The one that is the troublemaker is 'eu-west-1.queue.amazonaws.com':

Screenshot 1: inked2019-04-04-12-17-50-window-li-2.jpg

Prior to asking this question I followed the guide you provided (https://help.sap.com/viewer/0f9408e4921e4ba3bb4a7a1f75f837a7/1902.500/en-US/ea05476cc4424219aa70b4ecd208cdb9.html).

(Comment continues below)

former_member596578
Participant
0 Kudos

(2/2)

For 'eu-west-1.queue.amazonaws.com' I just changed the URL to 'https://eu-west-1.queue.amazonaws.com/' and followed the procedure described in the guide.

The problem that occurs now is that 'https://eu-west-1.queue.amazonaws.com/' provides the same certificate as 'https://sqs.eu-west-1.amazonaws.com/':

Screenshot 2: inked2019-04-04-15-02-07-window-li.jpg

Screenshot 3: inked2019-04-04-11-11-00-window-li.jpg

Therefore, if I upload the certificate I get for 'https://eu-west-1.queue.amazonaws.com/' to MC, 'eu-west-1.queue.amazonaws.com' is still marked as expired in the system and 'sqs.eu-west-1.amazonaws.com' gets renewed.

My conclusion is that 'email.eu-west-1.amazonaws.com' is in fact concordant to 'eu-west-1.queue.amazonaws.com'. That means I could just delete the expired 'eu-west-1.queue.amazonaws.com' and never think about it again. Is that true? If not, where can I find a running certificate for 'eu-west-1.queue.amazonaws.com'?

I hope this helps to clarify my problem!

BR,

Nils

(P.S.: I can't submit the comment in one go, probably too long)

former_member197728
Active Participant
0 Kudos

Hi Nils,

yes, you should be fine after deleting the expired 'eu-west-1.queue.amazonaws.com' in that case.

FYI: Most of our clients are uploading the Amazon Root CA 1 (leaf certificate) into their Certificate Trust Lists. I have just double-checked it: the CA 1 certificate is valid until 2037, so in that case you really don't have to worry about it for quite some time.

Hope this helps!

Best regards,

Tim

former_member596578
Participant
0 Kudos

Hey Tim,

thanks for the confirmation! (I will mark your original comment as accepted because for some reason that's not possible with sub comments.)

Just two more things concerning your 'FYI':

Does the 'Amazon Root CA 1' certificate replace the other Amazon related certificates ('email.eu-west-1.amazonaws.com' and 'sqs.eu-west-1.amazonaws.com')?

Is this the place I get the right one from: 2019-04-05-09-43-48-window.png ?

I uploaded the one in the Screenshot to MC and it looks like this: 2019-04-04-11-08-40-window.png , so I should be good to go, correct?

Kind regards,

Nils

Answers (0)