To our developer community,
Please take note that Login with Amazon is tightening security standards by officially ending its acceptance of SHA1-signed certificates. Login with Amazon is updating service endpoints to use SHA256-signed hashes in SSL certificates for HTTPS access, and will retire support for SHA1-signed hashes by April 30, 2016. Clients that don’t have the correct CA root certificate to verify Login with Amazon’s new SHA256-signed certificates will be unable to send back-end service calls to Login with Amazon API endpoints.
Who needs to take action
This change does not impact all Login with Amazon-enabled services and applications, only those that perform back-end requests to Login with Amazon API endpoints.
- Applications and services performing client-side communication with Login with Amazon will not be impacted.
- Applications and services using the Login with Amazon SDK for iOS will not be impacted.
- Applications and services using the Login with Amazon SDK for Android versions 2.3 (Gingerbread) and above will not be impacted.
- Applications and services using the Login with Amazon SDK for Android version 2.2 (Froyo) will be unable to access Login with Amazon API endpoints after April 30, 2016.
- All other applications and services making back-end calls to Login with Amazon API endpoints will be impacted, if signed by SHA1.
What action needs to occur
If you own or are responsible for software that makes back-end service calls to Login with Amazon, please test to determine whether the certificate is signed by SHA1. If you’ve determined your software is signed with a SHA1 certificate, you MUST migrate to SHA256 before April 30, 2016 as your application will fail to connect to Login with Amazon API endpoints after that time.
Our support team is standing by to assist you with any questions you have over this migration. For support, we encourage you to reach out to firstname.lastname@example.org, or post on our forums.
The Login with Amazon team