├── .github
│   └── CODEOWNERS
├── .gitignore
├── CONTRIBUTING.md
├── LICENSE
├── LICENSE-SUMMARY
├── README.md
├── TrustedCertificateAuthorities
├── XKS_arch_v8.png
└── xks_proxy_api_spec.md

/.github/CODEOWNERS:
--------------------------------------------------------------------------------
# Each line is a file pattern followed by one or more owners.
# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners

# Default code owner for everything in our aws-kms-xks group
* @aws/aws-kms-xks
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
*.pdf
build
Config
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Guidelines for contributing

Thank you for your interest in contributing to AWS documentation! We greatly value feedback and contributions from our community.

Please read through this document before you submit any pull requests or issues. It will help us work together more effectively.

## What to expect when you contribute

When you submit a pull request, our team is notified and will respond as quickly as we can. We'll do our best to work with you to ensure that your pull request adheres to our style and standards. If we merge your pull request, we might make additional edits later for style or clarity.

The AWS documentation source files on GitHub aren't published directly to the official documentation website. If we merge your pull request, we'll publish your changes to the documentation website as soon as we can, but they won't appear immediately or automatically.

We look forward to receiving your pull requests for:

* New content you'd like to contribute (such as new code samples or tutorials)
* Inaccuracies in the content
* Information gaps in the content that need more detail to be complete
* Typos or grammatical errors
* Suggested rewrites that improve clarity and reduce confusion

**Note:** We all write differently, and you might not like how we've written or organized something currently. We want that feedback. But please be sure that your request for a rewrite is supported by the previous criteria. If it isn't, we might decline to merge it.

## How to contribute

To contribute, send us a pull request. For small changes, such as fixing a typo or adding a link, you can use the [GitHub Edit Button](https://blog.github.com/2011-04-26-forking-with-the-edit-button/). For larger changes:

1. [Fork the repository](https://help.github.com/articles/fork-a-repo/).
2. In your fork, make your change in a branch that's based on this repo's **master** branch.
3. Commit the change to your fork, using a clear and descriptive commit message.
4. [Create a pull request](https://help.github.com/articles/creating-a-pull-request-from-a-fork/), answering any questions in the pull request form.

Before you send us a pull request, please be sure that:

1. You're working from the latest source on the **master** branch.
2. You check [existing open](https://github.com/aws/aws-kms-xksproxy-api-spec/pulls), and [recently closed](https://github.com/aws/aws-kms-xksproxy-api-spec/pulls?q=is%3Apr+is%3Aclosed), pull requests to be sure that someone else hasn't already addressed the problem.
3. You [create an issue](https://github.com/aws/aws-kms-xksproxy-api-spec/issues/new) before working on a contribution that will take a significant amount of your time.

For contributions that will take a significant amount of time, [open a new issue](https://github.com/aws/aws-kms-xksproxy-api-spec/issues/new) to pitch your idea before you get started. Explain the problem and describe the content you want to see added to the documentation. Let us know if you'll write it yourself or if you'd like us to help. We'll discuss your proposal with you and let you know whether we're likely to accept it. We don't want you to spend a lot of time on a contribution that might be outside the scope of the documentation or that's already in the works.

## Finding contributions to work on

If you'd like to contribute, but don't have a project in mind, look at the [open issues](https://github.com/aws/aws-kms-xksproxy-api-spec/issues) in this repository for some ideas. Any issues with the [help wanted](https://github.com/aws/aws-kms-xksproxy-api-spec/labels/help%20wanted) or [enhancement](https://github.com/aws/aws-kms-xksproxy-api-spec/labels/enhancement) labels are a great place to start.

In addition to written content, we really appreciate new examples and code samples for our documentation, such as examples for different platforms or environments, and code samples in additional languages.

## Code of conduct

This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). For more information, see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact [opensource-codeofconduct@amazon.com](mailto:opensource-codeofconduct@amazon.com) with any additional questions or comments.

## Security issue notifications

If you discover a potential security issue, please notify AWS Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public issue on GitHub.

## Licensing

See the [LICENSE](LICENSE) file for this project's licensing. We will ask you to confirm the licensing of your contribution. We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes.
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Creative Commons Attribution-ShareAlike 4.0 International Public License

By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-ShareAlike 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.

Section 1 – Definitions.

a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.

b. Adapter's License means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License.

c. BY-SA Compatible License means a license listed at creativecommons.org/compatiblelicenses, approved by Creative Commons as essentially the equivalent of this Public License.

d. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.

e. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.

f. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.

g. License Elements means the license attributes listed in the name of a Creative Commons Public License. The License Elements of this Public License are Attribution and ShareAlike.

h. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.

i. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.

j. Licensor means the individual(s) or entity(ies) granting rights under this Public License.

k. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.

l. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.

m. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.

Section 2 – Scope.

a. License grant.

1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:

A. reproduce and Share the Licensed Material, in whole or in part; and

B. produce, reproduce, and Share Adapted Material.

2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.

3. Term. The term of this Public License is specified in Section 6(a).

4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.

5. Downstream recipients.

A. Offer from the Licensor – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.

B. Additional offer from the Licensor – Adapted Material. Every recipient of Adapted Material from You automatically receives an offer from the Licensor to exercise the Licensed Rights in the Adapted Material under the conditions of the Adapter’s License You apply.

C. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.

6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).

b. Other rights.

1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.

2. Patent and trademark rights are not licensed under this Public License.

3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties.

Section 3 – License Conditions.

Your exercise of the Licensed Rights is expressly made subject to the following conditions.

a. Attribution.

1. If You Share the Licensed Material (including in modified form), You must:

A. retain the following if it is supplied by the Licensor with the Licensed Material:

i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);

ii. a copyright notice;

iii. a notice that refers to this Public License;

iv. a notice that refers to the disclaimer of warranties;

v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;

B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and

C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.

2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.

3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.

b. ShareAlike. In addition to the conditions in Section 3(a), if You Share Adapted Material You produce, the following conditions also apply.

1. The Adapter’s License You apply must be a Creative Commons license with the same License Elements, this version or later, or a BY-SA Compatible License.

2. You must include the text of, or the URI or hyperlink to, the Adapter's License You apply. You may satisfy this condition in any reasonable manner based on the medium, means, and context in which You Share Adapted Material.

3. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, Adapted Material that restrict exercise of the rights granted under the Adapter's License You apply.

Section 4 – Sui Generis Database Rights.

Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:

a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database;

b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material, including for purposes of Section 3(b); and

c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.

For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.

Section 5 – Disclaimer of Warranties and Limitation of Liability.

a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.

b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.

c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.

Section 6 – Term and Termination.

a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.

b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:

1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or

2. upon express reinstatement by the Licensor.

c. For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.

d. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.

e. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.

Section 7 – Other Terms and Conditions.

a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.

b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.

Section 8 – Interpretation.

a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.

b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.

c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.

d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.
--------------------------------------------------------------------------------
/LICENSE-SUMMARY:
--------------------------------------------------------------------------------
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

The documentation is made available under the Creative Commons Attribution-ShareAlike 4.0 International License. See the LICENSE file.

The sample code within this documentation is made available under the MIT-0 license. See the LICENSE-SAMPLECODE file.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
![](https://github.com/aws/aws-kms-xksproxy-api-spec/actions/workflows/ci.yml/badge.svg)

## AWS KMS External Key Store (XKS) Proxy API Specification

This repository contains the [AWS KMS External Key Store (XKS) Proxy API Specification](xks_proxy_api_spec.md). It is made available under the [Creative Commons Attribution-ShareAlike 4.0 International License](LICENSE).

If you discover a potential security issue, please follow [these guidelines](CONTRIBUTING.md#security-issue-notifications).

A sample XKS proxy implementing this specification is available at [aws-kms-xks-proxy](https://github.com/aws-samples/aws-kms-xks-proxy).

A `curl`-based test client that can be used to check whether a specific XKS proxy implementation complies with this specification is available at [aws-kms-xksproxy-test-client](https://github.com/aws-samples/aws-kms-xksproxy-test-client).
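The repository also ships a `TrustedCertificateAuthorities` file: a `keytool -list -v` style dump of root CAs with their SHA-1 and SHA-256 fingerprints and validity windows. The following Python is an added example, not code from this repository or from the sample proxy, that parses that format and checks a certificate's SHA-256 fingerprint against it. It assumes the list is meant to be consumed as a set of trust anchors (the page does not say how the file is used), embeds two entries copied from the file as sample input, and assumes the only timezone abbreviations that appear are `PST` and `PDT` (keytool prints dates in the JVM's local zone, which is not recorded in the file). Matching is done on SHA-256 only; the SHA-1 fingerprints are parsed but never used for a trust decision, since SHA-1 is not collision resistant. Note that one of the listed roots (Baltimore CyberTrust Root) has a `Valid ... until` date in May 2025, so a check that ignores the validity window would keep trusting an expired anchor.

```python
"""Parse a keytool-style trusted-CA listing (the format of the TrustedCertificateAuthorities
file) and match certificate fingerprints against it. Added example, not repository code."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample input: two entries copied from the TrustedCertificateAuthorities file.
SAMPLE_LISTING = """\
Alias name: amazonrootca1
Owner: CN=Amazon Root CA 1, O=Amazon, C=US
Issuer: CN=Amazon Root CA 1, O=Amazon, C=US
Valid from: Mon May 25 17:00:00 PDT 2015 until: Sat Jan 16 16:00:00 PST 2038
Certificate fingerprints:
SHA1: 8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16
SHA256: 8E:CD:E6:88:4F:3D:87:B1:12:5B:A3:1A:C3:FC:B1:3D:70:16:DE:7F:57:CC:90:4F:E1:CB:97:C6:AE:98:19:6E
**************************************************************************************
**************************************************************************************
Alias name: baltimorecybertrustroot
Owner: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Valid from: Fri May 12 11:46:00 PDT 2000 until: Mon May 12 16:59:00 PDT 2025
Certificate fingerprints:
SHA1: D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
SHA256: 16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB
"""

SEPARATOR = re.compile(r"^\*{10,}[ \t]*$", re.MULTILINE)
FIELD = re.compile(r"^([A-Za-z0-9 ]+?):[ \t]*(.*)$", re.MULTILINE)
KEYTOOL_DATE = re.compile(r"[A-Za-z]{3} ([A-Za-z]{3} \d{2} \d{2}:\d{2}:\d{2}) ([A-Z]+) (\d{4})")
# keytool prints the JVM's local zone; this listing uses US Pacific. Assumption: only these occur.
TZ_OFFSET_HOURS = {"PST": -8, "PDT": -7}


@dataclass(frozen=True)
class TrustedRoot:
    alias: str
    owner: str
    not_before: datetime
    not_after: datetime
    sha1: str    # uppercase hex without separators
    sha256: str


def normalize_fingerprint(fp: str) -> str:
    """Accept '8E:CD:..', '8ecd..' or '8E CD ..'; return uppercase hex without separators."""
    digest = re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    if len(digest) not in (40, 64):
        raise ValueError(f"not a SHA-1 or SHA-256 fingerprint: {fp!r}")
    return digest


def parse_keytool_date(text: str) -> datetime:
    """Turn 'Mon May 25 17:00:00 PDT 2015' into a timezone-aware datetime."""
    m = KEYTOOL_DATE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised keytool date: {text!r}")
    stamp, zone, year = m.groups()
    naive = datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSET_HOURS[zone])))


def parse_listing(text: str) -> list[TrustedRoot]:
    """Split on the '****' separator lines and build one record per CA entry."""
    roots = []
    for chunk in SEPARATOR.split(text):
        fields = dict(FIELD.findall(chunk))
        if "Alias name" not in fields:
            continue  # empty chunk between two separator lines
        not_before, not_after = fields["Valid from"].split(" until: ")
        roots.append(TrustedRoot(
            alias=fields["Alias name"].strip(),
            owner=fields["Owner"].strip(),
            not_before=parse_keytool_date(not_before),
            not_after=parse_keytool_date(not_after),
            sha1=normalize_fingerprint(fields["SHA1"]),
            sha256=normalize_fingerprint(fields["SHA256"]),
        ))
    return roots


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding: the value keytool prints as the SHA256 fingerprint."""
    return hashlib.sha256(der_cert).hexdigest().upper()


def trust_status(roots: list[TrustedRoot], sha256_fp: str, now: datetime | str) -> tuple[str, str | None]:
    """Match on SHA-256 only (SHA-1 is listed but not collision resistant), then check the
    root's validity window. `now` may be an ISO-8601 string with a UTC offset."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    wanted = normalize_fingerprint(sha256_fp)
    if len(wanted) != 64:
        raise ValueError("expected a SHA-256 fingerprint")
    for root in roots:
        if root.sha256 == wanted:
            if root.not_before <= now <= root.not_after:
                return "trusted", root.alias
            return "outside-validity", root.alias
    return "untrusted", None
```

To check a real root, feed `sha256_fingerprint()` the DER bytes of the certificate (for example the output of `openssl x509 -outform DER`) and pass the result with the current time to `trust_status()`; a `trusted` result means the fingerprint is in the listing and the listed validity window contains `now`.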

Read the AWS News blog on [AWS KMS External Key Stores](https://aws.amazon.com/blogs/aws/announcing-aws-kms-external-key-store-xks) to learn more about the XKS feature in AWS KMS.
--------------------------------------------------------------------------------
/TrustedCertificateAuthorities:
--------------------------------------------------------------------------------
Alias name: accvraiz1
Owner: C=ES, O=ACCV, OU=PKIACCV, CN=ACCVRAIZ1
Issuer: C=ES, O=ACCV, OU=PKIACCV, CN=ACCVRAIZ1
Valid from: Thu May 05 02:37:37 PDT 2011 until: Tue Dec 31 01:37:37 PST 2030
Certificate fingerprints:
SHA1: 93:05:7A:88:15:C6:4F:CE:88:2F:FA:91:16:52:28:78:BC:53:64:17
SHA256: 9A:6E:C0:12:E1:A7:DA:9D:BE:34:19:4D:47:8A:D7:C0:DB:18:22:FB:07:1D:F1:29:81:49:6E:D1:04:38:41:13
**************************************************************************************
**************************************************************************************
Alias name: acraizfnmtrcm
Owner: OU=AC RAIZ FNMT-RCM, O=FNMT-RCM, C=ES
Issuer: OU=AC RAIZ FNMT-RCM, O=FNMT-RCM, C=ES
Valid from: Wed Oct 29 08:59:56 PDT 2008 until: Mon Dec 31 16:00:00 PST 2029
Certificate fingerprints:
SHA1: EC:50:35:07:B2:15:C4:95:62:19:E2:A8:9A:5B:42:99:2C:4C:2C:20
SHA256: EB:C5:57:0C:29:01:8C:4D:67:B1:AA:12:7B:AF:12:F7:03:B4:61:1E:BC:17:B7:DA:B5:57:38:94:17:9B:93:FA
**************************************************************************************
**************************************************************************************
Alias name: acraizfnmtrcmservidoresseguros
Owner: CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS, OID.2.5.4.97=VATES-Q2826004J, OU=Ceres, O=FNMT-RCM, C=ES
Issuer: CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS, OID.2.5.4.97=VATES-Q2826004J, OU=Ceres, O=FNMT-RCM, C=ES
Valid from: Thu Dec 20 01:37:33 PST 2018 until: Sun Dec 20 01:37:33 PST 2043
Certificate fingerprints:
SHA1: 62:FF:D9:9E:C0:65:0D:03:CE:75:93:D2:ED:3F:2D:32:C9:E3:E5:4A
SHA256: 55:41:53:B1:3D:2C:F9:DD:B7:53:BF:BE:1A:4E:0A:E0:8D:0A:A4:18:70:58:FE:60:A2:B8:62:B2:E4:B8:7B:CB
**************************************************************************************
**************************************************************************************
Alias name: actalisauthenticationrootca
Owner: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
Issuer: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
Valid from: Thu Sep 22 04:22:02 PDT 2011 until: Sun Sep 22 04:22:02 PDT 2030
Certificate fingerprints:
SHA1: F3:73:B3:87:06:5A:28:84:8A:F2:F3:4A:CE:19:2B:DD:C7:8E:9C:AC
SHA256: 55:92:60:84:EC:96:3A:64:B9:6E:2A:BE:01:CE:0B:A8:6A:64:FB:FE:BC:C7:AA:B5:AF:C1:55:B3:7F:D7:60:66
**************************************************************************************
**************************************************************************************
Alias name: affirmtrustcommercial
Owner: CN=AffirmTrust Commercial, O=AffirmTrust, C=US
Issuer: CN=AffirmTrust Commercial, O=AffirmTrust, C=US
Valid from: Fri Jan 29 06:06:06 PST 2010 until: Tue Dec 31 06:06:06 PST 2030
Certificate fingerprints:
SHA1: F9:B5:B6:32:45:5F:9C:BE:EC:57:5F:80:DC:E9:6E:2C:C7:B2:78:B7
SHA256: 03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7
**************************************************************************************
**************************************************************************************
Alias name: affirmtrustnetworking
Owner: CN=AffirmTrust Networking, O=AffirmTrust, C=US
Issuer: CN=AffirmTrust Networking, O=AffirmTrust, C=US
Valid from: Fri Jan 29 06:08:24 PST 2010 until: Tue Dec 31 06:08:24 PST 2030
Certificate fingerprints:
SHA1: 29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F
SHA256: 0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0:B4:1B
**************************************************************************************
**************************************************************************************
Alias name: affirmtrustpremium
Owner: CN=AffirmTrust Premium, O=AffirmTrust, C=US
Issuer: CN=AffirmTrust Premium, O=AffirmTrust, C=US
Valid from: Fri Jan 29 06:10:36 PST 2010 until: Mon Dec 31 06:10:36 PST 2040
Certificate fingerprints:
SHA1: D8:A6:33:2C:E0:03:6F:B1:85:F6:63:4F:7D:6A:06:65:26:32:28:27
SHA256: 70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A
**************************************************************************************
**************************************************************************************
Alias name: affirmtrustpremiumecc
Owner: CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US
Issuer: CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US
Valid from: Fri Jan 29 06:20:24 PST 2010 until: Mon Dec 31 06:20:24 PST 2040
Certificate fingerprints:
SHA1: B8:23:6B:00:2F:1D:16:86:53:01:55:6C:11:A4:37:CA:EB:FF:C3:BB
SHA256: BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23
**************************************************************************************
**************************************************************************************
Alias name: amazonrootca1
Owner: CN=Amazon Root CA 1, O=Amazon, C=US
Issuer: CN=Amazon Root CA 1, O=Amazon, C=US
Valid from: Mon May 25 17:00:00 PDT 2015 until: Sat Jan 16 16:00:00 PST 2038
Certificate fingerprints:
SHA1: 8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16
SHA256: 8E:CD:E6:88:4F:3D:87:B1:12:5B:A3:1A:C3:FC:B1:3D:70:16:DE:7F:57:CC:90:4F:E1:CB:97:C6:AE:98:19:6E
**************************************************************************************
**************************************************************************************
Alias name: amazonrootca2
Owner: CN=Amazon Root CA 2, O=Amazon, C=US
Issuer: CN=Amazon Root CA 2, O=Amazon, C=US
Valid from: Mon May 25 17:00:00 PDT 2015 until: Fri May 25 17:00:00 PDT 2040
Certificate fingerprints:
SHA1: 5A:8C:EF:45:D7:A6:98:59:76:7A:8C:8B:44:96:B5:78:CF:47:4B:1A
SHA256: 1B:A5:B2:AA:8C:65:40:1A:82:96:01:18:F8:0B:EC:4F:62:30:4D:83:CE:C4:71:3A:19:C3:9C:01:1E:A4:6D:B4
**************************************************************************************
**************************************************************************************
Alias name: amazonrootca3
Owner: CN=Amazon Root CA 3, O=Amazon, C=US
Issuer: CN=Amazon Root CA 3, O=Amazon, C=US
Valid from: Mon May 25 17:00:00 PDT 2015 until: Fri May 25 17:00:00 PDT 2040
Certificate fingerprints:
SHA1: 0D:44:DD:8C:3C:8C:1A:1A:58:75:64:81:E9:0F:2E:2A:FF:B3:D2:6E
SHA256: 18:CE:6C:FE:7B:F1:4E:60:B2:E3:47:B8:DF:E8:68:CB:31:D0:2E:BB:3A:DA:27:15:69:F5:03:43:B4:6D:B3:A4
**************************************************************************************
**************************************************************************************
Alias name: amazonrootca4
Owner: CN=Amazon Root CA 4, O=Amazon, C=US
Issuer: CN=Amazon Root CA 4, O=Amazon, C=US
Valid from: Mon May 25 17:00:00 PDT 2015 until: Fri May 25 17:00:00 PDT 2040
Certificate fingerprints:
SHA1: F6:10:84:07:D6:F8:BB:67:98:0C:C2:E2:44:C2:EB:AE:1C:EF:63:BE
SHA256: E3:5D:28:41:9E:D0:20:25:CF:A6:90:38:CD:62:39:62:45:8D:A5:C6:95:FB:DE:A3:C2:2B:0B:FB:25:89:70:92
**************************************************************************************
**************************************************************************************
Alias name: anfsecureserverrootca
Owner: CN=ANF Secure Server Root CA, OU=ANF CA Raiz, O=ANF Autoridad de Certificacion, C=ES, SERIALNUMBER=G63287510
Issuer: CN=ANF Secure Server Root CA, OU=ANF CA Raiz, O=ANF Autoridad de Certificacion, C=ES, SERIALNUMBER=G63287510
Valid from: Wed Sep 04 03:00:38 PDT 2019 until: Tue Aug 30 03:00:38 PDT 2039
Certificate fingerprints:
SHA1: 5B:6E:68:D0:CC:15:B6:A0:5F:1E:C1:5F:AE:02:FC:6B:2F:5D:6F:74
SHA256: FB:8F:EC:75:91:69:B9:10:6B:1E:51:16:44:C6:18:C5:13:04:37:3F:6C:06:43:08:8D:8B:EF:FD:1B:99:75:99
**************************************************************************************
**************************************************************************************
Alias name: atostrustedroot2011
Owner: C=DE, O=Atos, CN=Atos TrustedRoot 2011
Issuer: C=DE, O=Atos, CN=Atos TrustedRoot 2011
Valid from: Thu Jul 07 07:58:30 PDT 2011 until: Tue Dec 31 15:59:59 PST 2030
Certificate fingerprints:
SHA1: 2B:B1:F5:3E:55:0C:1D:C5:F1:D4:E6:B7:6A:46:4B:55:06:02:AC:21
SHA256: F3:56:BE:A2:44:B7:A9:1E:B3:5D:53:CA:9A:D7:86:4A:CE:01:8E:2D:35:D5:F8:F9:6D:DF:68:A6:F4:1A:A4:74
**************************************************************************************
**************************************************************************************
Alias name: autoridaddecertificacionfirmaprofesionalcifa62634068
Owner: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068, C=ES
Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068, C=ES
Valid from: Wed May 20 01:38:15 PDT 2009 until: Tue Dec 31 00:38:15 PST 2030
Certificate fingerprints:
SHA1: AE:C5:FB:3F:C8:E1:BF:C4:E5:4F:03:07:5A:9A:E8:00:B7:F7:B6:FA
SHA256: 04:04:80:28:BF:1F:28:64:D4:8F:9A:D4:D8:32:94:36:6A:82:88:56:55:3F:3B:14:30:3F:90:14:7F:5D:40:EF
**************************************************************************************
**************************************************************************************
Alias name: baltimorecybertrustroot
Owner: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Valid from: Fri May 12 11:46:00 PDT 2000 until: Mon May 12 16:59:00 PDT 2025
Certificate fingerprints:
SHA1: D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
SHA256: 16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB
**************************************************************************************
**************************************************************************************
Alias name: buypassclass2rootca
Owner: CN=Buypass Class 2 Root CA, O=Buypass AS-983163327, C=NO
Issuer: CN=Buypass Class 2 Root CA, O=Buypass AS-983163327, C=NO
Valid from: Tue Oct 26 01:38:03 PDT 2010 until: Fri Oct 26 01:38:03 PDT 2040
Certificate fingerprints:
SHA1: 49:0A:75:74:DE:87:0A:47:FE:58:EE:F6:C7:6B:EB:C6:0B:12:40:99
SHA256: 9A:11:40:25:19:7C:5B:B9:5D:94:E6:3D:55:CD:43:79:08:47:B6:46:B2:3C:DF:11:AD:A4:A0:0E:FF:15:FB:48
**************************************************************************************
**************************************************************************************
Alias name: buypassclass3rootca
Owner: CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO
Issuer: CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO
Valid from: Tue Oct 26 01:28:58 PDT 2010 until: Fri Oct 26 01:28:58 PDT 2040
Certificate fingerprints:
SHA1: DA:FA:F7:FA:66:84:EC:06:8F:14:50:BD:C7:C2:81:A5:BC:A9:64:57
160 | SHA256: ED:F7:EB:BC:A2:7A:2A:38:4D:38:7B:7D:40:10:C6:66:E2:ED:B4:84:3E:4C:29:B4:AE:1D:5B:93:32:E6:B2:4D 161 | ************************************************************************************** 162 | ************************************************************************************** 163 | Alias name: cadisigrootr2 164 | Owner: CN=CA Disig Root R2, O=Disig a.s., L=Bratislava, C=SK 165 | Issuer: CN=CA Disig Root R2, O=Disig a.s., L=Bratislava, C=SK 166 | Valid from: Thu Jul 19 02:15:30 PDT 2012 until: Sat Jul 19 02:15:30 PDT 2042 167 | Certificate fingerprints: 168 | SHA1: B5:61:EB:EA:A4:DE:E4:25:4B:69:1A:98:A5:57:47:C2:34:C7:D9:71 169 | SHA256: E2:3D:4A:03:6D:7B:70:E9:F5:95:B1:42:20:79:D2:B9:1E:DF:BB:1F:B6:51:A0:63:3E:AA:8A:9D:C5:F8:07:03 170 | ************************************************************************************** 171 | ************************************************************************************** 172 | Alias name: certigna 173 | Owner: CN=Certigna, O=Dhimyotis, C=FR 174 | Issuer: CN=Certigna, O=Dhimyotis, C=FR 175 | Valid from: Fri Jun 29 08:13:05 PDT 2007 until: Tue Jun 29 08:13:05 PDT 2027 176 | Certificate fingerprints: 177 | SHA1: B1:2E:13:63:45:86:A4:6F:1A:B2:60:68:37:58:2D:C4:AC:FD:94:97 178 | SHA256: E3:B6:A2:DB:2E:D7:CE:48:84:2F:7A:C5:32:41:C7:B7:1D:54:14:4B:FB:40:C1:1F:3F:1D:0B:42:F5:EE:A1:2D 179 | ************************************************************************************** 180 | ************************************************************************************** 181 | Alias name: certignarootca 182 | Owner: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR 183 | Issuer: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR 184 | Valid from: Tue Oct 01 01:32:27 PDT 2013 until: Sat Oct 01 01:32:27 PDT 2033 185 | Certificate fingerprints: 186 | SHA1: 2D:0D:52:14:FF:9E:AD:99:24:01:74:20:47:6E:6C:85:27:27:F5:43 187 | SHA256: 
D4:8D:3D:23:EE:DB:50:A4:59:E5:51:97:60:1C:27:77:4B:9D:7B:18:C9:4D:5A:05:95:11:A1:02:50:B9:31:68 188 | ************************************************************************************** 189 | ************************************************************************************** 190 | Alias name: certsignrootca 191 | Owner: OU=certSIGN ROOT CA, O=certSIGN, C=RO 192 | Issuer: OU=certSIGN ROOT CA, O=certSIGN, C=RO 193 | Valid from: Tue Jul 04 10:20:04 PDT 2006 until: Fri Jul 04 10:20:04 PDT 2031 194 | Certificate fingerprints: 195 | SHA1: FA:B7:EE:36:97:26:62:FB:2D:B0:2A:F6:BF:03:FD:E8:7C:4B:2F:9B 196 | SHA256: EA:A9:62:C4:FA:4A:6B:AF:EB:E4:15:19:6D:35:1C:CD:88:8D:4F:53:F3:FA:8A:E6:D7:C4:66:A9:4E:60:42:BB 197 | ************************************************************************************** 198 | ************************************************************************************** 199 | Alias name: certsignrootcag2 200 | Owner: OU=certSIGN ROOT CA G2, O=CERTSIGN SA, C=RO 201 | Issuer: OU=certSIGN ROOT CA G2, O=CERTSIGN SA, C=RO 202 | Valid from: Mon Feb 06 01:27:35 PST 2017 until: Thu Feb 06 01:27:35 PST 2042 203 | Certificate fingerprints: 204 | SHA1: 26:F9:93:B4:ED:3D:28:27:B0:B9:4B:A7:E9:15:1D:A3:8D:92:E5:32 205 | SHA256: 65:7C:FE:2F:A7:3F:AA:38:46:25:71:F3:32:A2:36:3A:46:FC:E7:02:09:51:71:07:02:CD:FB:B6:EE:DA:33:05 206 | ************************************************************************************** 207 | ************************************************************************************** 208 | Alias name: certumec384ca 209 | Owner: CN=Certum EC-384 CA, OU=Certum Certification Authority, O=Asseco Data Systems S.A., C=PL 210 | Issuer: CN=Certum EC-384 CA, OU=Certum Certification Authority, O=Asseco Data Systems S.A., C=PL 211 | Valid from: Mon Mar 26 00:24:54 PDT 2018 until: Thu Mar 26 00:24:54 PDT 2043 212 | Certificate fingerprints: 213 | SHA1: F3:3E:78:3C:AC:DF:F4:A2:CC:AC:67:55:69:56:D7:E5:16:3C:E1:ED 214 | SHA256: 
6B:32:80:85:62:53:18:AA:50:D1:73:C9:8D:8B:DA:09:D5:7E:27:41:3D:11:4C:F7:87:A0:F5:D0:6C:03:0C:F6 215 | ************************************************************************************** 216 | ************************************************************************************** 217 | Alias name: certumtrustednetworkca 218 | Owner: CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL 219 | Issuer: CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL 220 | Valid from: Wed Oct 22 05:07:37 PDT 2008 until: Mon Dec 31 04:07:37 PST 2029 221 | Certificate fingerprints: 222 | SHA1: 07:E0:32:E0:20:B7:2C:3F:19:2F:06:28:A2:59:3A:19:A7:0F:06:9E 223 | SHA256: 5C:58:46:8D:55:F5:8E:49:7E:74:39:82:D2:B5:00:10:B6:D1:65:37:4A:CF:83:A7:D4:A3:2D:B7:68:C4:40:8E 224 | ************************************************************************************** 225 | ************************************************************************************** 226 | Alias name: certumtrustednetworkca2 227 | Owner: CN=Certum Trusted Network CA 2, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL 228 | Issuer: CN=Certum Trusted Network CA 2, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL 229 | Valid from: Thu Oct 06 01:39:56 PDT 2011 until: Sat Oct 06 01:39:56 PDT 2046 230 | Certificate fingerprints: 231 | SHA1: D3:DD:48:3E:2B:BF:4C:05:E8:AF:10:F5:FA:76:26:CF:D3:DC:30:92 232 | SHA256: B6:76:F2:ED:DA:E8:77:5C:D3:6C:B0:F6:3C:D1:D4:60:39:61:F4:9E:62:65:BA:01:3A:2F:03:07:B6:D0:B8:04 233 | ************************************************************************************** 234 | ************************************************************************************** 235 | Alias name: certumtrustedrootca 236 | Owner: CN=Certum Trusted Root CA, OU=Certum Certification Authority, O=Asseco Data Systems S.A., C=PL 237 | Issuer: CN=Certum Trusted Root CA, OU=Certum Certification 
Authority, O=Asseco Data Systems S.A., C=PL 238 | Valid from: Fri Mar 16 05:10:13 PDT 2018 until: Mon Mar 16 05:10:13 PDT 2043 239 | Certificate fingerprints: 240 | SHA1: C8:83:44:C0:18:AE:9F:CC:F1:87:B7:8F:22:D1:C5:D7:45:84:BA:E5 241 | SHA256: FE:76:96:57:38:55:77:3E:37:A9:5E:7A:D4:D9:CC:96:C3:01:57:C1:5D:31:76:5B:A9:B1:57:04:E1:AE:78:FD 242 | ************************************************************************************** 243 | ************************************************************************************** 244 | Alias name: cfcaevroot 245 | Owner: CN=CFCA EV ROOT, O=China Financial Certification Authority, C=CN 246 | Issuer: CN=CFCA EV ROOT, O=China Financial Certification Authority, C=CN 247 | Valid from: Tue Aug 07 20:07:01 PDT 2012 until: Sun Dec 30 19:07:01 PST 2029 248 | Certificate fingerprints: 249 | SHA1: E2:B8:29:4B:55:84:AB:6B:58:C2:90:46:6C:AC:3F:B8:39:8F:84:83 250 | SHA256: 5C:C3:D7:8E:4E:1D:5E:45:54:7A:04:E6:87:3E:64:F9:0C:F9:53:6D:1C:CC:2E:F8:00:F3:55:C4:C5:FD:70:FD 251 | ************************************************************************************** 252 | ************************************************************************************** 253 | Alias name: comodoaaaservicesroot 254 | Owner: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB 255 | Issuer: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB 256 | Valid from: Wed Dec 31 16:00:00 PST 2003 until: Sun Dec 31 15:59:59 PST 2028 257 | Certificate fingerprints: 258 | SHA1: D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49 259 | SHA256: D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4 260 | ************************************************************************************** 261 | ************************************************************************************** 262 | Alias name: comodocertificationauthority 263 | Owner: CN=COMODO 
Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB 264 | Issuer: CN=COMODO Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB 265 | Valid from: Thu Nov 30 16:00:00 PST 2006 until: Mon Dec 31 15:59:59 PST 2029 266 | Certificate fingerprints: 267 | SHA1: 66:31:BF:9E:F7:4F:9E:B6:C9:D5:A6:0C:BA:6A:BE:D1:F7:BD:EF:7B 268 | SHA256: 0C:2C:D6:3D:F7:80:6F:A3:99:ED:E8:09:11:6B:57:5B:F8:79:89:F0:65:18:F9:80:8C:86:05:03:17:8B:AF:66 269 | ************************************************************************************** 270 | ************************************************************************************** 271 | Alias name: comodoecccertificationauthority 272 | Owner: CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB 273 | Issuer: CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB 274 | Valid from: Wed Mar 05 16:00:00 PST 2008 until: Mon Jan 18 15:59:59 PST 2038 275 | Certificate fingerprints: 276 | SHA1: 9F:74:4E:9F:2B:4D:BA:EC:0F:31:2C:50:B6:56:3B:8E:2D:93:C3:11 277 | SHA256: 17:93:92:7A:06:14:54:97:89:AD:CE:2F:8F:34:F7:F0:B6:6D:0F:3A:E3:A3:B8:4D:21:EC:15:DB:BA:4F:AD:C7 278 | ************************************************************************************** 279 | ************************************************************************************** 280 | Alias name: comodorsacertificationauthority 281 | Owner: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB 282 | Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB 283 | Valid from: Mon Jan 18 16:00:00 PST 2010 until: Mon Jan 18 15:59:59 PST 2038 284 | Certificate fingerprints: 285 | SHA1: AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4 286 | SHA256: 
52:F0:E1:C4:E5:8E:C6:29:29:1B:60:31:7F:07:46:71:B8:5D:7E:A8:0D:5B:07:27:34:63:53:4B:32:B4:02:34 287 | ************************************************************************************** 288 | ************************************************************************************** 289 | Alias name: cybertrustglobalroot 290 | Owner: CN=Cybertrust Global Root, O="Cybertrust, Inc" 291 | Issuer: CN=Cybertrust Global Root, O="Cybertrust, Inc" 292 | Valid from: Fri Dec 15 00:00:00 PST 2006 until: Wed Dec 15 00:00:00 PST 2021 293 | Certificate fingerprints: 294 | SHA1: 5F:43:E5:B1:BF:F8:78:8C:AC:1C:C7:CA:4A:9A:C6:22:2B:CC:34:C6 295 | SHA256: 96:0A:DF:00:63:E9:63:56:75:0C:29:65:DD:0A:08:67:DA:0B:9C:BD:6E:77:71:4A:EA:FB:23:49:AB:39:3D:A3 296 | ************************************************************************************** 297 | ************************************************************************************** 298 | Alias name: digicertassuredidrootca 299 | Owner: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US 300 | Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US 301 | Valid from: Thu Nov 09 16:00:00 PST 2006 until: Sun Nov 09 16:00:00 PST 2031 302 | Certificate fingerprints: 303 | SHA1: 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43 304 | SHA256: 3E:90:99:B5:01:5E:8F:48:6C:00:BC:EA:9D:11:1E:E7:21:FA:BA:35:5A:89:BC:F1:DF:69:56:1E:3D:C6:32:5C 305 | ************************************************************************************** 306 | ************************************************************************************** 307 | Alias name: digicertassuredidrootg2 308 | Owner: CN=DigiCert Assured ID Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US 309 | Issuer: CN=DigiCert Assured ID Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US 310 | Valid from: Thu Aug 01 05:00:00 PDT 2013 until: Fri Jan 15 04:00:00 PST 2038 311 | Certificate fingerprints: 312 | SHA1: 
A1:4B:48:D9:43:EE:0A:0E:40:90:4F:3C:E0:A4:C0:91:93:51:5D:3F 313 | SHA256: 7D:05:EB:B6:82:33:9F:8C:94:51:EE:09:4E:EB:FE:FA:79:53:A1:14:ED:B2:F4:49:49:45:2F:AB:7D:2F:C1:85 314 | ************************************************************************************** 315 | ************************************************************************************** 316 | Alias name: digicertassuredidrootg3 317 | Owner: CN=DigiCert Assured ID Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US 318 | Issuer: CN=DigiCert Assured ID Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US 319 | Valid from: Thu Aug 01 05:00:00 PDT 2013 until: Fri Jan 15 04:00:00 PST 2038 320 | Certificate fingerprints: 321 | SHA1: F5:17:A2:4F:9A:48:C6:C9:F8:A2:00:26:9F:DC:0F:48:2C:AB:30:89 322 | SHA256: 7E:37:CB:8B:4C:47:09:0C:AB:36:55:1B:A6:F4:5D:B8:40:68:0F:BA:16:6A:95:2D:B1:00:71:7F:43:05:3F:C2 323 | ************************************************************************************** 324 | ************************************************************************************** 325 | Alias name: digicertglobalrootca 326 | Owner: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US 327 | Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US 328 | Valid from: Thu Nov 09 16:00:00 PST 2006 until: Sun Nov 09 16:00:00 PST 2031 329 | Certificate fingerprints: 330 | SHA1: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36 331 | SHA256: 43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61 332 | ************************************************************************************** 333 | ************************************************************************************** 334 | Alias name: digicertglobalrootg2 335 | Owner: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US 336 | Issuer: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US 337 | Valid from: Thu Aug 01 05:00:00 PDT 2013 
until: Fri Jan 15 04:00:00 PST 2038 338 | Certificate fingerprints: 339 | SHA1: DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4 340 | SHA256: CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F 341 | ************************************************************************************** 342 | ************************************************************************************** 343 | Alias name: digicertglobalrootg3 344 | Owner: CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US 345 | Issuer: CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US 346 | Valid from: Thu Aug 01 05:00:00 PDT 2013 until: Fri Jan 15 04:00:00 PST 2038 347 | Certificate fingerprints: 348 | SHA1: 7E:04:DE:89:6A:3E:66:6D:00:E6:87:D3:3F:FA:D9:3B:E8:3D:34:9E 349 | SHA256: 31:AD:66:48:F8:10:41:38:C7:38:F3:9E:A4:32:01:33:39:3E:3A:18:CC:02:29:6E:F9:7C:2A:C9:EF:67:31:D0 350 | ************************************************************************************** 351 | ************************************************************************************** 352 | Alias name: digicerthighassuranceevrootca 353 | Owner: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US 354 | Issuer: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US 355 | Valid from: Thu Nov 09 16:00:00 PST 2006 until: Sun Nov 09 16:00:00 PST 2031 356 | Certificate fingerprints: 357 | SHA1: 5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25 358 | SHA256: 74:31:E5:F4:C3:C1:CE:46:90:77:4F:0B:61:E0:54:40:88:3B:A9:A0:1E:D0:0B:A6:AB:D7:80:6E:D3:B1:18:CF 359 | ************************************************************************************** 360 | ************************************************************************************** 361 | Alias name: digicerttrustedrootg4 362 | Owner: CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US 363 | Issuer: CN=DigiCert 
Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US 364 | Valid from: Thu Aug 01 05:00:00 PDT 2013 until: Fri Jan 15 04:00:00 PST 2038 365 | Certificate fingerprints: 366 | SHA1: DD:FB:16:CD:49:31:C9:73:A2:03:7D:3F:C8:3A:4D:7D:77:5D:05:E4 367 | SHA256: 55:2F:7B:DC:F1:A7:AF:9E:6C:E6:72:01:7F:4F:12:AB:F7:72:40:C7:8E:76:1A:C2:03:D1:D9:D2:0A:C8:99:88 368 | ************************************************************************************** 369 | ************************************************************************************** 370 | Alias name: dtrustrootclass3ca22009 371 | Owner: CN=D-TRUST Root Class 3 CA 2 2009, O=D-Trust GmbH, C=DE 372 | Issuer: CN=D-TRUST Root Class 3 CA 2 2009, O=D-Trust GmbH, C=DE 373 | Valid from: Thu Nov 05 00:35:58 PST 2009 until: Mon Nov 05 00:35:58 PST 2029 374 | Certificate fingerprints: 375 | SHA1: 58:E8:AB:B0:36:15:33:FB:80:F7:9B:1B:6D:29:D3:FF:8D:5F:00:F0 376 | SHA256: 49:E7:A4:42:AC:F0:EA:62:87:05:00:54:B5:25:64:B6:50:E4:F4:9E:42:E3:48:D6:AA:38:E0:39:E9:57:B1:C1 377 | ************************************************************************************** 378 | ************************************************************************************** 379 | Alias name: dtrustrootclass3ca2ev2009 380 | Owner: CN=D-TRUST Root Class 3 CA 2 EV 2009, O=D-Trust GmbH, C=DE 381 | Issuer: CN=D-TRUST Root Class 3 CA 2 EV 2009, O=D-Trust GmbH, C=DE 382 | Valid from: Thu Nov 05 00:50:46 PST 2009 until: Mon Nov 05 00:50:46 PST 2029 383 | Certificate fingerprints: 384 | SHA1: 96:C9:1B:0B:95:B4:10:98:42:FA:D0:D8:22:79:FE:60:FA:B9:16:83 385 | SHA256: EE:C5:49:6B:98:8C:E9:86:25:B9:34:09:2E:EC:29:08:BE:D0:B0:F3:16:C2:D4:73:0C:84:EA:F1:F3:D3:48:81 386 | ************************************************************************************** 387 | ************************************************************************************** 388 | Alias name: ecacc 389 | Owner: CN=EC-ACC, OU=Jerarquia Entitats de Certificacio Catalanes, OU=Vegeu 
https://www.catcert.net/verarrel (c)03, OU=Serveis Publics de Certificacio, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), C=ES 390 | Issuer: CN=EC-ACC, OU=Jerarquia Entitats de Certificacio Catalanes, OU=Vegeu https://www.catcert.net/verarrel (c)03, OU=Serveis Publics de Certificacio, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), C=ES 391 | Valid from: Tue Jan 07 15:00:00 PST 2003 until: Tue Jan 07 14:59:59 PST 2031 392 | Certificate fingerprints: 393 | SHA1: 28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8 394 | SHA256: 88:49:7F:01:60:2F:31:54:24:6A:E2:8C:4D:5A:EF:10:F1:D8:7E:BB:76:62:6F:4A:E0:B7:F9:5B:A7:96:87:99 395 | ************************************************************************************** 396 | ************************************************************************************** 397 | Alias name: emsigneccrootcac3 398 | Owner: CN=emSign ECC Root CA - C3, O=eMudhra Inc, OU=emSign PKI, C=US 399 | Issuer: CN=emSign ECC Root CA - C3, O=eMudhra Inc, OU=emSign PKI, C=US 400 | Valid from: Sun Feb 18 10:30:00 PST 2018 until: Wed Feb 18 10:30:00 PST 2043 401 | Certificate fingerprints: 402 | SHA1: B6:AF:43:C2:9B:81:53:7D:F6:EF:6B:C3:1F:1F:60:15:0C:EE:48:66 403 | SHA256: BC:4D:80:9B:15:18:9D:78:DB:3E:1D:8C:F4:F9:72:6A:79:5D:A1:64:3C:A5:F1:35:8E:1D:DB:0E:DC:0D:7E:B3 404 | ************************************************************************************** 405 | ************************************************************************************** 406 | Alias name: emsigneccrootcag3 407 | Owner: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN 408 | Issuer: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN 409 | Valid from: Sun Feb 18 10:30:00 PST 2018 until: Wed Feb 18 10:30:00 PST 2043 410 | Certificate fingerprints: 411 | SHA1: 30:43:FA:4F:F2:57:DC:A0:C3:80:EE:2E:58:EA:78:B2:3F:E6:BB:C1 412 | SHA256: 
86:A1:EC:BA:08:9C:4A:8D:3B:BE:27:34:C6:12:BA:34:1D:81:3E:04:3C:F9:E8:A8:62:CD:5C:57:A3:6B:BE:6B 413 | ************************************************************************************** 414 | ************************************************************************************** 415 | Alias name: emsignrootcac1 416 | Owner: CN=emSign Root CA - C1, O=eMudhra Inc, OU=emSign PKI, C=US 417 | Issuer: CN=emSign Root CA - C1, O=eMudhra Inc, OU=emSign PKI, C=US 418 | Valid from: Sun Feb 18 10:30:00 PST 2018 until: Wed Feb 18 10:30:00 PST 2043 419 | Certificate fingerprints: 420 | SHA1: E7:2E:F1:DF:FC:B2:09:28:CF:5D:D4:D5:67:37:B1:51:CB:86:4F:01 421 | SHA256: 12:56:09:AA:30:1D:A0:A2:49:B9:7A:82:39:CB:6A:34:21:6F:44:DC:AC:9F:39:54:B1:42:92:F2:E8:C8:60:8F 422 | ************************************************************************************** 423 | ************************************************************************************** 424 | Alias name: emsignrootcag1 425 | Owner: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN 426 | Issuer: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN 427 | Valid from: Sun Feb 18 10:30:00 PST 2018 until: Wed Feb 18 10:30:00 PST 2043 428 | Certificate fingerprints: 429 | SHA1: 8A:C7:AD:8F:73:AC:4E:C1:B5:75:4D:A5:40:F4:FC:CF:7C:B5:8E:8C 430 | SHA256: 40:F6:AF:03:46:A9:9A:A1:CD:1D:55:5A:4E:9C:CE:62:C7:F9:63:46:03:EE:40:66:15:83:3D:C8:C8:D0:03:67 431 | ************************************************************************************** 432 | ************************************************************************************** 433 | Alias name: entrustnetpremium2048secureserverca 434 | Owner: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net 435 | Issuer: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. 
(limits liab.), O=Entrust.net 436 | Valid from: Fri Dec 24 09:50:51 PST 1999 until: Tue Jul 24 07:15:12 PDT 2029 437 | Certificate fingerprints: 438 | SHA1: 50:30:06:09:1D:97:D4:F5:AE:39:F7:CB:E7:92:7D:7D:65:2D:34:31 439 | SHA256: 6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77 440 | ************************************************************************************** 441 | ************************************************************************************** 442 | Alias name: entrustrootcertificationauthority 443 | Owner: CN=Entrust Root Certification Authority, OU="(c) 2006 Entrust, Inc.", OU=www.entrust.net/CPS is incorporated by reference, O="Entrust, Inc.", C=US 444 | Issuer: CN=Entrust Root Certification Authority, OU="(c) 2006 Entrust, Inc.", OU=www.entrust.net/CPS is incorporated by reference, O="Entrust, Inc.", C=US 445 | Valid from: Mon Nov 27 12:23:42 PST 2006 until: Fri Nov 27 12:53:42 PST 2026 446 | Certificate fingerprints: 447 | SHA1: B3:1E:B1:B7:40:E3:6C:84:02:DA:DC:37:D4:4D:F5:D4:67:49:52:F9 448 | SHA256: 73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C 449 | ************************************************************************************** 450 | ************************************************************************************** 451 | Alias name: entrustrootcertificationauthorityec1 452 | Owner: CN=Entrust Root Certification Authority - EC1, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US 453 | Issuer: CN=Entrust Root Certification Authority - EC1, OU="(c) 2012 Entrust, Inc. 
- for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US 454 | Valid from: Tue Dec 18 07:25:36 PST 2012 until: Fri Dec 18 07:55:36 PST 2037 455 | Certificate fingerprints: 456 | SHA1: 20:D8:06:40:DF:9B:25:F5:12:25:3A:11:EA:F7:59:8A:EB:14:B5:47 457 | SHA256: 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5 458 | ************************************************************************************** 459 | ************************************************************************************** 460 | Alias name: entrustrootcertificationauthorityg2 461 | Owner: CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US 462 | Issuer: CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US 463 | Valid from: Tue Jul 07 10:25:54 PDT 2009 until: Sat Dec 07 09:55:54 PST 2030 464 | Certificate fingerprints: 465 | SHA1: 8C:F4:27:FD:79:0C:3A:D1:66:06:8D:E8:1E:57:EF:BB:93:22:72:D4 466 | SHA256: 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39 467 | ************************************************************************************** 468 | ************************************************************************************** 469 | Alias name: entrustrootcertificationauthorityg4 470 | Owner: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US 471 | Issuer: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. 
- for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US 472 | Valid from: Wed May 27 04:11:16 PDT 2015 until: Sun Dec 27 03:41:16 PST 2037 473 | Certificate fingerprints: 474 | SHA1: 14:88:4E:86:26:37:B0:26:AF:59:62:5C:40:77:EC:35:29:BA:96:01 475 | SHA256: DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88 476 | ************************************************************************************** 477 | ************************************************************************************** 478 | Alias name: epkirootcertificationauthority 479 | Owner: OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd.", C=TW 480 | Issuer: OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd.", C=TW 481 | Valid from: Sun Dec 19 18:31:27 PST 2004 until: Tue Dec 19 18:31:27 PST 2034 482 | Certificate fingerprints: 483 | SHA1: 67:65:0D:F1:7E:8E:7E:5B:82:40:A4:F4:56:4B:CF:E2:3D:69:C6:F0 484 | SHA256: C0:A6:F4:DC:63:A2:4B:FD:CF:54:EF:2A:6A:08:2A:0A:72:DE:35:80:3E:2F:F5:FF:52:7A:E5:D8:72:06:DF:D5 485 | ************************************************************************************** 486 | ************************************************************************************** 487 | Alias name: eszignorootca2017 488 | Owner: CN=e-Szigno Root CA 2017, OID.2.5.4.97=VATHU-23584497, O=Microsec Ltd., L=Budapest, C=HU 489 | Issuer: CN=e-Szigno Root CA 2017, OID.2.5.4.97=VATHU-23584497, O=Microsec Ltd., L=Budapest, C=HU 490 | Valid from: Tue Aug 22 05:07:06 PDT 2017 until: Fri Aug 22 05:07:06 PDT 2042 491 | Certificate fingerprints: 492 | SHA1: 89:D4:83:03:4F:9E:9A:48:80:5F:72:37:D4:A9:A6:EF:CB:7C:1F:D1 493 | SHA256: BE:B0:0B:30:83:9B:9B:C3:2C:32:E4:44:79:05:95:06:41:F2:64:21:B1:5E:D0:89:19:8B:51:8A:E2:EA:1B:99 494 | ************************************************************************************** 495 | 
**************************************************************************************
Alias name: etugracertificationauthority
Owner: CN=E-Tugra Certification Authority, OU=E-Tugra Sertifikasyon Merkezi, O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş., L=Ankara, C=TR
Issuer: CN=E-Tugra Certification Authority, OU=E-Tugra Sertifikasyon Merkezi, O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş., L=Ankara, C=TR
Valid from: Tue Mar 05 04:09:48 PST 2013 until: Fri Mar 03 04:09:48 PST 2023
Certificate fingerprints:
SHA1: 51:C6:E7:08:49:06:6E:F3:92:D4:5C:A0:0D:6D:A3:62:8F:C3:52:39
SHA256: B0:BF:D5:2B:B0:D7:D9:BD:92:BF:5D:4D:C1:3D:A2:55:C0:2C:54:2F:37:83:65:EA:89:39:11:F5:5E:55:F2:3C
**************************************************************************************
**************************************************************************************
Alias name: gdcatrustauthr5root
Owner: CN=GDCA TrustAUTH R5 ROOT, O="GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.", C=CN
Issuer: CN=GDCA TrustAUTH R5 ROOT, O="GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.", C=CN
Valid from: Tue Nov 25 21:13:15 PST 2014 until: Mon Dec 31 07:59:59 PST 2040
Certificate fingerprints:
SHA1: 0F:36:38:5B:81:1A:25:C3:9B:31:4E:83:CA:E9:34:66:70:CC:74:B4
SHA256: BF:FF:8F:D0:44:33:48:7D:6A:8A:A6:0C:1A:29:76:7A:9F:C2:BB:B0:5E:42:0F:71:3A:13:B9:92:89:1D:38:93
**************************************************************************************
**************************************************************************************
Alias name: globalsigneccrootcar4
Owner: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4
Valid from: Mon Nov 12 16:00:00 PST 2012 until: Mon Jan 18 19:14:07 PST 2038
Certificate fingerprints:
SHA1: 69:69:56:2E:40:80:F4:24:A1:E7:19:9F:14:BA:F3:EE:58:AB:6A:BB
SHA256: BE:C9:49:11:C2:95:56:76:DB:6C:0A:55:09:86:D7:6E:3B:A0:05:66:7C:44:2C:97:62:B4:FB:B7:73:DE:22:8C
**************************************************************************************
**************************************************************************************
Alias name: globalsigneccrootcar5
Owner: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R5
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R5
Valid from: Mon Nov 12 16:00:00 PST 2012 until: Mon Jan 18 19:14:07 PST 2038
Certificate fingerprints:
SHA1: 1F:24:C6:30:CD:A4:18:EF:20:69:FF:AD:4F:DD:5F:46:3A:1B:69:AA
SHA256: 17:9F:BC:14:8A:3D:D0:0F:D2:4E:A1:34:58:CC:43:BF:A7:F5:9C:81:82:D7:83:A5:13:F6:EB:EC:10:0C:89:24
**************************************************************************************
**************************************************************************************
Alias name: globalsignrootca
Owner: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Valid from: Tue Sep 01 05:00:00 PDT 1998 until: Fri Jan 28 04:00:00 PST 2028
Certificate fingerprints:
SHA1: B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C
SHA256: EB:D4:10:40:E4:BB:3E:C7:42:C9:E3:81:D3:1E:F2:A4:1A:48:B6:68:5C:96:E7:CE:F3:C1:DF:6C:D4:33:1C:99
**************************************************************************************
**************************************************************************************
Alias name: globalsignrootcar2
Owner: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
Valid from: Fri Dec 15 00:00:00 PST 2006 until: Wed Dec 15 00:00:00 PST 2021
Certificate fingerprints:
SHA1: 75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE
SHA256: CA:42:DD:41:74:5F:D0:B8:1E:B9:02:36:2C:F9:D8:BF:71:9D:A1:BD:1B:1E:FC:94:6F:5B:4C:99:F4:2C:1B:9E
**************************************************************************************
**************************************************************************************
Alias name: globalsignrootcar3
Owner: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Valid from: Wed Mar 18 03:00:00 PDT 2009 until: Sun Mar 18 03:00:00 PDT 2029
Certificate fingerprints:
SHA1: D6:9B:56:11:48:F0:1C:77:C5:45:78:C1:09:26:DF:5B:85:69:76:AD
SHA256: CB:B5:22:D7:B7:F1:27:AD:6A:01:13:86:5B:DF:1C:D4:10:2E:7D:07:59:AF:63:5A:7C:F4:72:0D:C9:63:C5:3B
**************************************************************************************
**************************************************************************************
Alias name: globalsignrootcar6
Owner: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R6
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R6
Valid from: Tue Dec 09 16:00:00 PST 2014 until: Sat Dec 09 16:00:00 PST 2034
Certificate fingerprints:
SHA1: 80:94:64:0E:B5:A7:A1:CA:11:9C:1F:DD:D5:9F:81:02:63:A7:FB:D1
SHA256: 2C:AB:EA:FE:37:D0:6C:A2:2A:BA:73:91:C0:03:3D:25:98:29:52:C4:53:64:73:49:76:3A:3A:B5:AD:6C:CF:69
**************************************************************************************
**************************************************************************************
Alias name: globalsignroote46
Owner: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE
Issuer: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE
Valid from: Tue Mar 19 17:00:00 PDT 2019 until: Mon Mar 19 17:00:00 PDT 2046
Certificate fingerprints:
SHA1: 39:B4:6C:D5:FE:80:06:EB:E2:2F:4A:BB:08:33:A0:AF:DB:B9:DD:84
SHA256: CB:B9:C4:4D:84:B8:04:3E:10:50:EA:31:A6:9F:51:49:55:D7:BF:D2:E2:C6:B4:93:01:01:9A:D6:1D:9F:50:58
**************************************************************************************
**************************************************************************************
Alias name: globalsignrootr46
Owner: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE
Issuer: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE
Valid from: Tue Mar 19 17:00:00 PDT 2019 until: Mon Mar 19 17:00:00 PDT 2046
Certificate fingerprints:
SHA1: 53:A2:B0:4B:CA:6B:D6:45:E6:39:8A:8E:C4:0D:D2:BF:77:C3:A2:90
SHA256: 4F:A3:12:6D:8D:3A:11:D1:C4:85:5A:4F:80:7C:BA:D6:CF:91:9D:3A:5A:88:B0:3B:EA:2C:63:72:D9:3C:40:C9
**************************************************************************************
**************************************************************************************
Alias name: globaltrust2020
Owner: CN=GLOBALTRUST 2020, O=e-commerce monitoring GmbH, C=AT
Issuer: CN=GLOBALTRUST 2020, O=e-commerce monitoring GmbH, C=AT
Valid from: Sun Feb 09 16:00:00 PST 2020 until: Sat Jun 09 17:00:00 PDT 2040
Certificate fingerprints:
SHA1: D0:67:C1:13:51:01:0C:AA:D0:C7:6A:65:37:31:16:26:4F:53:71:A2
SHA256: 9A:29:6A:51:82:D1:D4:51:A2:E3:7F:43:9B:74:DA:AF:A2:67:52:33:29:F9:0F:9A:0D:20:07:C3:34:E2:3C:9A
**************************************************************************************
**************************************************************************************
Alias name: godaddyclass2ca
Owner: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Valid from: Tue Jun 29 10:06:20 PDT 2004 until: Thu Jun 29 10:06:20 PDT 2034
Certificate fingerprints:
SHA1: 27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4
SHA256: C3:84:6B:F2:4B:9E:93:CA:64:27:4C:0E:C6:7C:1E:CC:5E:02:4F:FC:AC:D2:D7:40:19:35:0E:81:FE:54:6A:E4
**************************************************************************************
**************************************************************************************
Alias name: godaddyrootcertificateauthorityg2
Owner: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Valid from: Mon Aug 31 17:00:00 PDT 2009 until: Thu Dec 31 15:59:59 PST 2037
Certificate fingerprints:
SHA1: 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
SHA256: 45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA
**************************************************************************************
**************************************************************************************
Alias name: gtsrootr1
Owner: CN=GTS Root R1, O=Google Trust Services LLC, C=US
Issuer: CN=GTS Root R1, O=Google Trust Services LLC, C=US
Valid from: Tue Jun 21 17:00:00 PDT 2016 until: Sat Jun 21 17:00:00 PDT 2036
Certificate fingerprints:
SHA1: E1:C9:50:E6:EF:22:F8:4C:56:45:72:8B:92:20:60:D7:D5:A7:A3:E8
SHA256: 2A:57:54:71:E3:13:40:BC:21:58:1C:BD:2C:F1:3E:15:84:63:20:3E:CE:94:BC:F9:D3:CC:19:6B:F0:9A:54:72
**************************************************************************************
**************************************************************************************
Alias name: gtsrootr2
Owner: CN=GTS Root R2, O=Google Trust Services LLC, C=US
Issuer: CN=GTS Root R2, O=Google Trust Services LLC, C=US
Valid from: Tue Jun 21 17:00:00 PDT 2016 until: Sat Jun 21 17:00:00 PDT 2036
Certificate fingerprints:
SHA1: D2:73:96:2A:2A:5E:39:9F:73:3F:E1:C7:1E:64:3F:03:38:34:FC:4D
SHA256: C4:5D:7B:B0:8E:6D:67:E6:2E:42:35:11:0B:56:4E:5F:78:FD:92:EF:05:8C:84:0A:EA:4E:64:55:D7:58:5C:60
**************************************************************************************
**************************************************************************************
Alias name: gtsrootr3
Owner: CN=GTS Root R3, O=Google Trust Services LLC, C=US
Issuer: CN=GTS Root R3, O=Google Trust Services LLC, C=US
Valid from: Tue Jun 21 17:00:00 PDT 2016 until: Sat Jun 21 17:00:00 PDT 2036
Certificate fingerprints:
SHA1: 30:D4:24:6F:07:FF:DB:91:89:8A:0B:E9:49:66:11:EB:8C:5E:46:E5
SHA256: 15:D5:B8:77:46:19:EA:7D:54:CE:1C:A6:D0:B0:C4:03:E0:37:A9:17:F1:31:E8:A0:4E:1E:6B:7A:71:BA:BC:E5
**************************************************************************************
**************************************************************************************
Alias name: gtsrootr4
Owner: CN=GTS Root R4, O=Google Trust Services LLC, C=US
Issuer: CN=GTS Root R4, O=Google Trust Services LLC, C=US
Valid from: Tue Jun 21 17:00:00 PDT 2016 until: Sat Jun 21 17:00:00 PDT 2036
Certificate fingerprints:
SHA1: 2A:1D:60:27:D9:4A:B1:0A:1C:4D:91:5C:CD:33:A0:CB:3E:2D:54:CB
SHA256: 71:CC:A5:39:1F:9E:79:4B:04:80:25:30:B3:63:E1:21:DA:8A:30:43:BB:26:66:2F:EA:4D:CA:7F:C9:51:A4:BD
**************************************************************************************
**************************************************************************************
Alias name: haricatlseccrootca2021
Owner: CN=HARICA TLS ECC Root CA 2021, O=Hellenic Academic and Research Institutions CA, C=GR
Issuer: CN=HARICA TLS ECC Root CA 2021, O=Hellenic Academic and Research Institutions CA, C=GR
Valid from: Fri Feb 19 03:01:10 PST 2021 until: Mon Feb 13 03:01:09 PST 2045
Certificate fingerprints:
SHA1: BC:B0:C1:9D:E9:98:92:70:19:38:57:E9:8D:A7:B4:5D:6E:EE:01:48
SHA256: 3F:99:CC:47:4A:CF:CE:4D:FE:D5:87:94:66:5E:47:8D:15:47:73:9F:2E:78:0F:1B:B4:CA:9B:13:30:97:D4:01
**************************************************************************************
**************************************************************************************
Alias name: haricatlsrsarootca2021
Owner: CN=HARICA TLS RSA Root CA 2021, O=Hellenic Academic and Research Institutions CA, C=GR
Issuer: CN=HARICA TLS RSA Root CA 2021, O=Hellenic Academic and Research Institutions CA, C=GR
Valid from: Fri Feb 19 02:55:38 PST 2021 until: Mon Feb 13 02:55:37 PST 2045
Certificate fingerprints:
SHA1: 02:2D:05:82:FA:88:CE:14:0C:06:79:DE:7F:14:10:E9:45:D7:A5:6D
SHA256: D9:5D:0E:8E:DA:79:52:5B:F9:BE:B1:1B:14:D2:10:0D:32:94:98:5F:0C:62:D9:FA:BD:9C:D9:99:EC:CB:7B:1D
**************************************************************************************
**************************************************************************************
Alias name: hellenicacademicandresearchinstitutionseccrootca2015
Owner: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
Issuer: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
Valid from: Tue Jul 07 03:37:12 PDT 2015 until: Sat Jun 30 03:37:12 PDT 2040
Certificate fingerprints:
SHA1: 9F:F1:71:8D:92:D5:9A:F3:7D:74:97:B4:BC:6F:84:68:0B:BA:B6:66
SHA256: 44:B5:45:AA:8A:25:E6:5A:73:CA:15:DC:27:FC:36:D2:4C:1C:B9:95:3A:06:65:39:B1:15:82:DC:48:7B:48:33
**************************************************************************************
**************************************************************************************
Alias name: hellenicacademicandresearchinstitutionsrootca2011
Owner: CN=Hellenic Academic and Research Institutions RootCA 2011, O=Hellenic Academic and Research Institutions Cert. Authority, C=GR
Issuer: CN=Hellenic Academic and Research Institutions RootCA 2011, O=Hellenic Academic and Research Institutions Cert. Authority, C=GR
Valid from: Tue Dec 06 05:49:52 PST 2011 until: Mon Dec 01 05:49:52 PST 2031
Certificate fingerprints:
SHA1: FE:45:65:9B:79:03:5B:98:A1:61:B5:51:2E:AC:DA:58:09:48:22:4D
SHA256: BC:10:4F:15:A4:8B:E7:09:DC:A5:42:A7:E1:D4:B9:DF:6F:05:45:27:E8:02:EA:A9:2D:59:54:44:25:8A:FE:71
**************************************************************************************
**************************************************************************************
Alias name: hellenicacademicandresearchinstitutionsrootca2015
Owner: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
Issuer: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
Valid from: Tue Jul 07 03:11:21 PDT 2015 until: Sat Jun 30 03:11:21 PDT 2040
Certificate fingerprints:
SHA1: 01:0C:06:95:A6:98:19:14:FF:BF:5F:C6:B0:B6:95:EA:29:E9:12:A6
SHA256: A0:40:92:9A:02:CE:53:B4:AC:F4:F2:FF:C6:98:1C:E4:49:6F:75:5E:6D:45:FE:0B:2A:69:2B:CD:52:52:3F:36
**************************************************************************************
**************************************************************************************
Alias name: hongkongpostrootca1
Owner: CN=Hongkong Post Root CA 1, O=Hongkong Post, C=HK
Issuer: CN=Hongkong Post Root CA 1, O=Hongkong Post, C=HK
Valid from: Wed May 14 22:13:14 PDT 2003 until: Sun May 14 21:52:29 PDT 2023
Certificate fingerprints:
SHA1: D6:DA:A8:20:8D:09:D2:15:4D:24:B5:2F:CB:34:6E:B2:58:B2:8A:58
SHA256: F9:E6:7D:33:6C:51:00:2A:C0:54:C6:32:02:2D:66:DD:A2:E7:E3:FF:F1:0A:D0:61:ED:31:D8:BB:B4:10:CF:B2
**************************************************************************************
**************************************************************************************
Alias name: hongkongpostrootca3
Owner: CN=Hongkong Post Root CA 3, O=Hongkong Post, L=Hong Kong, ST=Hong Kong, C=HK
Issuer: CN=Hongkong Post Root CA 3, O=Hongkong Post, L=Hong Kong, ST=Hong Kong, C=HK
Valid from: Fri Jun 02 19:29:46 PDT 2017 until: Mon Jun 02 19:29:46 PDT 2042
Certificate fingerprints:
SHA1: 58:A2:D0:EC:20:52:81:5B:C1:F3:F8:64:02:24:4E:C2:8E:02:4B:02
SHA256: 5A:2F:C0:3F:0C:83:B0:90:BB:FA:40:60:4B:09:88:44:6C:76:36:18:3D:F9:84:6E:17:10:1A:44:7F:B8:EF:D6
**************************************************************************************
**************************************************************************************
Alias name: identrustcommercialrootca1
Owner: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US
Issuer: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US
Valid from: Thu Jan 16 10:12:23 PST 2014 until: Mon Jan 16 10:12:23 PST 2034
Certificate fingerprints:
SHA1: DF:71:7E:AA:4A:D9:4E:C9:55:84:99:60:2D:48:DE:5F:BC:F0:3A:25
SHA256: 5D:56:49:9B:E4:D2:E0:8B:CF:CA:D0:8A:3E:38:72:3D:50:50:3B:DE:70:69:48:E4:2F:55:60:30:19:E5:28:AE
**************************************************************************************
**************************************************************************************
Alias name: identrustpublicsectorrootca1
Owner: CN=IdenTrust Public Sector Root CA 1, O=IdenTrust, C=US
Issuer: CN=IdenTrust Public Sector Root CA 1, O=IdenTrust, C=US
Valid from: Thu Jan 16 09:53:32 PST 2014 until: Mon Jan 16 09:53:32 PST 2034
Certificate fingerprints:
SHA1: BA:29:41:60:77:98:3F:F4:F3:EF:F2:31:05:3B:2E:EA:6D:4D:45:FD
SHA256: 30:D0:89:5A:9A:44:8A:26:20:91:63:55:22:D1:F5:20:10:B5:86:7A:CA:E1:2C:78:EF:95:8F:D4:F4:38:9F:2F
**************************************************************************************
**************************************************************************************
Alias name: isrgrootx1
Owner: CN=ISRG Root X1, O=Internet Security Research Group, C=US
Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
Valid from: Thu Jun 04 04:04:38 PDT 2015 until: Mon Jun 04 04:04:38 PDT 2035
Certificate fingerprints:
SHA1: CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8
SHA256: 96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6
**************************************************************************************
**************************************************************************************
Alias name: izenpecom
Owner: CN=Izenpe.com, O=IZENPE S.A., C=ES
Issuer: CN=Izenpe.com, O=IZENPE S.A., C=ES
Valid from: Thu Dec 13 05:08:28 PST 2007 until: Sun Dec 13 00:27:25 PST 2037
Certificate fingerprints:
SHA1: 2F:78:3D:25:52:18:A7:4A:65:39:71:B5:2C:A2:9C:45:15:6F:E9:19
SHA256: 25:30:CC:8E:98:32:15:02:BA:D9:6F:9B:1F:BA:1B:09:9E:2D:29:9E:0F:45:48:BB:91:4F:36:3B:C0:D4:53:1F
**************************************************************************************
**************************************************************************************
Alias name: microseceszignorootca2009
Owner: EMAILADDRESS=info@e-szigno.hu, CN=Microsec e-Szigno Root CA 2009, O=Microsec Ltd., L=Budapest, C=HU
Issuer: EMAILADDRESS=info@e-szigno.hu, CN=Microsec e-Szigno Root CA 2009, O=Microsec Ltd., L=Budapest, C=HU
Valid from: Tue Jun 16 04:30:18 PDT 2009 until: Sun Dec 30 03:30:18 PST 2029
Certificate fingerprints:
SHA1: 89:DF:74:FE:5C:F4:0F:4A:80:F9:E3:37:7D:54:DA:91:E1:01:31:8E
SHA256: 3C:5F:81:FE:A5:FA:B8:2C:64:BF:A2:EA:EC:AF:CD:E8:E0:77:FC:86:20:A7:CA:E5:37:16:3D:F3:6E:DB:F3:78
RFC822Name: info@e-szigno.hu
**************************************************************************************
**************************************************************************************
Alias name: microsofteccrootcertificateauthority2017
Owner: CN=Microsoft ECC Root Certificate Authority 2017, O=Microsoft Corporation, C=US
Issuer: CN=Microsoft ECC Root Certificate Authority 2017, O=Microsoft Corporation, C=US
Valid from: Wed Dec 18 15:06:45 PST 2019 until: Fri Jul 18 16:16:04 PDT 2042
Certificate fingerprints:
SHA1: 99:9A:64:C3:7F:F4:7D:9F:AB:95:F1:47:69:89:14:60:EE:C4:C3:C5
SHA256: 35:8D:F3:9D:76:4A:F9:E1:B7:66:E9:C9:72:DF:35:2E:E1:5C:FA:C2:27:AF:6A:D1:D7:0E:8E:4A:6E:DC:BA:02
**************************************************************************************
**************************************************************************************
Alias name: microsoftrsarootcertificateauthority2017
Owner: CN=Microsoft RSA Root Certificate Authority 2017, O=Microsoft Corporation, C=US
Issuer: CN=Microsoft RSA Root Certificate Authority 2017, O=Microsoft Corporation, C=US
Valid from: Wed Dec 18 14:51:22 PST 2019 until: Fri Jul 18 16:00:23 PDT 2042
Certificate fingerprints:
SHA1: 73:A5:E6:4A:3B:FF:83:16:FF:0E:DC:CC:61:8A:90:6E:4E:AE:4D:74
SHA256: C7:41:F7:0F:4B:2A:8D:88:BF:2E:71:C1:41:22:EF:53:EF:10:EB:A0:CF:A5:E6:4C:FA:20:F4:18:85:30:73:E0
**************************************************************************************
**************************************************************************************
Alias name: naverglobalrootcertificationauthority
Owner: CN=NAVER Global Root Certification Authority, O=NAVER BUSINESS PLATFORM Corp., C=KR
Issuer: CN=NAVER Global Root Certification Authority, O=NAVER BUSINESS PLATFORM Corp., C=KR
Valid from: Fri Aug 18 01:58:42 PDT 2017 until: Tue Aug 18 16:59:59 PDT 2037
Certificate fingerprints:
SHA1: 8F:6B:F2:A9:27:4A:DA:14:A0:C4:F4:8E:61:27:F9:C0:1E:78:5D:D1
SHA256: 88:F4:38:DC:F8:FF:D1:FA:8F:42:91:15:FF:E5:F8:2A:E1:E0:6E:0C:70:C3:75:FA:AD:71:7B:34:A4:9E:72:65
**************************************************************************************
**************************************************************************************
Alias name: netlockaranyclassgoldfotanusitvany
Owner: CN=NetLock Arany (Class Gold) Főtanúsítvány, OU=Tanúsítványkiadók (Certification Services), O=NetLock Kft., L=Budapest, C=HU
Issuer: CN=NetLock Arany (Class Gold) Főtanúsítvány, OU=Tanúsítványkiadók (Certification Services), O=NetLock Kft., L=Budapest, C=HU
Valid from: Thu Dec 11 07:08:21 PST 2008 until: Wed Dec 06 07:08:21 PST 2028
Certificate fingerprints:
SHA1: 06:08:3F:59:3F:15:A1:04:A0:69:A4:6B:A9:03:D0:06:B7:97:09:91
SHA256: 6C:61:DA:C3:A2:DE:F0:31:50:6B:E0:36:D2:A6:FE:40:19:94:FB:D1:3D:F9:C8:D4:66:59:92:74:C4:46:EC:98
**************************************************************************************
**************************************************************************************
Alias name: networksolutionscertificateauthority
Owner: CN=Network Solutions Certificate Authority, O=Network Solutions L.L.C., C=US
Issuer: CN=Network Solutions Certificate Authority, O=Network Solutions L.L.C., C=US
Valid from: Thu Nov 30 16:00:00 PST 2006 until: Mon Dec 31 15:59:59 PST 2029
Certificate fingerprints:
SHA1: 74:F8:A3:C3:EF:E7:B3:90:06:4B:83:90:3C:21:64:60:20:E5:DF:CE
SHA256: 15:F0:BA:00:A3:AC:7A:F3:AC:88:4C:07:2B:10:11:A0:77:BD:77:C0:97:F4:01:64:B2:F8:59:8A:BD:83:86:0C
**************************************************************************************
**************************************************************************************
Alias name: oistewisekeyglobalrootgbca
Owner: CN=OISTE WISeKey Global Root GB CA, OU=OISTE Foundation Endorsed, O=WISeKey, C=CH
Issuer: CN=OISTE WISeKey Global Root GB CA, OU=OISTE Foundation Endorsed, O=WISeKey, C=CH
Valid from: Mon Dec 01 07:00:32 PST 2014 until: Thu Dec 01 07:10:31 PST 2039
Certificate fingerprints:
SHA1: 0F:F9:40:76:18:D3:D7:6A:4B:98:F0:A8:35:9E:0C:FD:27:AC:CC:ED
SHA256: 6B:9C:08:E8:6E:B0:F7:67:CF:AD:65:CD:98:B6:21:49:E5:49:4A:67:F5:84:5E:7B:D1:ED:01:9F:27:B8:6B:D6
**************************************************************************************
**************************************************************************************
Alias name: oistewisekeyglobalrootgcca
Owner: CN=OISTE WISeKey Global Root GC CA, OU=OISTE Foundation Endorsed, O=WISeKey, C=CH
Issuer: CN=OISTE WISeKey Global Root GC CA, OU=OISTE Foundation Endorsed, O=WISeKey, C=CH
Valid from: Tue May 09 02:48:34 PDT 2017 until: Fri May 09 02:58:33 PDT 2042
Certificate fingerprints:
SHA1: E0:11:84:5E:34:DE:BE:88:81:B9:9C:F6:16:26:D1:96:1F:C3:B9:31
SHA256: 85:60:F9:1C:36:24:DA:BA:95:70:B5:FE:A0:DB:E3:6F:F1:1A:83:23:BE:94:86:85:4F:B3:F3:4A:55:71:19:8D
**************************************************************************************
**************************************************************************************
Alias name: quovadisrootca1g3
Owner: CN=QuoVadis Root CA 1 G3, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root CA 1 G3, O=QuoVadis Limited, C=BM
Valid from: Thu Jan 12 09:27:44 PST 2012 until: Sun Jan 12 09:27:44 PST 2042
Certificate fingerprints:
SHA1: 1B:8E:EA:57:96:29:1A:C9:39:EA:B8:0A:81:1A:73:73:C0:93:79:67
SHA256: 8A:86:6F:D1:B2:76:B5:7E:57:8E:92:1C:65:82:8A:2B:ED:58:E9:F2:F2:88:05:41:34:B7:F1:F4:BF:C9:CC:74
**************************************************************************************
**************************************************************************************
Alias name: quovadisrootca2
Owner: CN=QuoVadis Root CA 2, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root CA 2, O=QuoVadis Limited, C=BM
Valid from: Fri Nov 24 10:27:00 PST 2006 until: Mon Nov 24 10:23:33 PST 2031
Certificate fingerprints:
SHA1: CA:3A:FB:CF:12:40:36:4B:44:B2:16:20:88:80:48:39:19:93:7C:F7
SHA256: 85:A0:DD:7D:D7:20:AD:B7:FF:05:F8:3D:54:2B:20:9D:C7:FF:45:28:F7:D6:77:B1:83:89:FE:A5:E5:C4:9E:86
**************************************************************************************
**************************************************************************************
Alias name: quovadisrootca2g3
Owner: CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
Valid from: Thu Jan 12 10:59:32 PST 2012 until: Sun Jan 12 10:59:32 PST 2042
Certificate fingerprints:
SHA1: 09:3C:61:F3:8B:8B:DC:7D:55:DF:75:38:02:05:00:E1:25:F5:C8:36
SHA256: 8F:E4:FB:0A:F9:3A:4D:0D:67:DB:0B:EB:B2:3E:37:C7:1B:F3:25:DC:BC:DD:24:0E:A0:4D:AF:58:B4:7E:18:40
**************************************************************************************
**************************************************************************************
Alias name: quovadisrootca3
Owner: CN=QuoVadis Root CA 3, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root CA 3, O=QuoVadis Limited, C=BM
Valid from: Fri Nov 24 11:11:23 PST 2006 until: Mon Nov 24 11:06:44 PST 2031
Certificate fingerprints:
SHA1: 1F:49:14:F7:D8:74:95:1D:DD:AE:02:C0:BE:FD:3A:2D:82:75:51:85
SHA256: 18:F1:FC:7F:20:5D:F8:AD:DD:EB:7F:E0:07:DD:57:E3:AF:37:5A:9C:4D:8D:73:54:6B:F4:F1:FE:D1:E1:8D:35
**************************************************************************************
**************************************************************************************
Alias name: quovadisrootca3g3
Owner: CN=QuoVadis Root CA 3 G3, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root CA 3 G3, O=QuoVadis Limited, C=BM
Valid from: Thu Jan 12 12:26:32 PST 2012 until: Sun Jan 12 12:26:32 PST 2042
Certificate fingerprints:
SHA1: 48:12:BD:92:3C:A8:C4:39:06:E7:30:6D:27:96:E6:A4:CF:22:2E:7D
SHA256: 88:EF:81:DE:20:2E:B0:18:45:2E:43:F8:64:72:5C:EA:5F:BD:1F:C2:D9:D2:05:73:07:09:C5:D8:B8:69:0F:46
**************************************************************************************
**************************************************************************************
Alias name: secureglobalca
Owner: CN=Secure Global CA, O=SecureTrust Corporation, C=US
Issuer: CN=Secure Global CA, O=SecureTrust Corporation, C=US
Valid from: Tue Nov 07 11:42:28 PST 2006 until: Mon Dec 31 11:52:06 PST 2029
Certificate fingerprints:
SHA1: 3A:44:73:5A:E5:81:90:1F:24:86:61:46:1E:3B:9C:C4:5F:F5:3A:1B
SHA256: 42:00:F5:04:3A:C8:59:0E:BB:52:7D:20:9E:D1:50:30:29:FB:CB:D4:1C:A1:B5:06:EC:27:F1:5A:DE:7D:AC:69
**************************************************************************************
**************************************************************************************
Alias name: securesignrootca11
Owner: CN=SecureSign RootCA11, O="Japan Certification Services, Inc.", C=JP
Issuer: CN=SecureSign RootCA11, O="Japan Certification Services, Inc.", C=JP
Valid from: Tue Apr 07 21:56:47 PDT 2009 until: Sat Apr 07 21:56:47 PDT 2029
Certificate fingerprints:
SHA1: 3B:C4:9F:48:F8:F3:73:A0:9C:1E:BD:F8:5B:B1:C3:65:C7:D8:11:B3
SHA256: BF:0F:EE:FB:9E:3A:58:1A:D5:F9:E9:DB:75:89:98:57:43:D2:61:08:5C:4D:31:4F:6F:5D:72:59:AA:42:16:12
**************************************************************************************
**************************************************************************************
Alias name: securetrustca
Owner: CN=SecureTrust CA, O=SecureTrust Corporation, C=US
Issuer: CN=SecureTrust CA, O=SecureTrust Corporation, C=US
Valid from: Tue Nov 07 11:31:18 PST 2006 until: Mon Dec 31 11:40:55 PST 2029
Certificate fingerprints:
SHA1: 87:82:C6:C3:04:35:3B:CF:D2:96:92:D2:59:3E:7D:44:D9:34:FF:11
SHA256: F1:C1:B5:0A:E5:A2:0D:D8:03:0E:C9:F6:BC:24:82:3D:D3:67:B5:25:57:59:B4:E7:1B:61:FC:E9:F7:37:5D:73
**************************************************************************************
**************************************************************************************
Alias name: securitycommunicationrootca
Owner: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
Issuer: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
Valid from: Mon Sep 29 21:20:49 PDT 2003 until: Fri Sep 29 21:20:49 PDT 2023
Certificate fingerprints:
SHA1: 36:B1:2B:49:F9:81:9E:D7:4C:9E:BC:38:0F:C6:56:8F:5D:AC:B2:F7
SHA256: E7:5E:72:ED:9F:56:0E:EC:6E:B4:80:00:73:A4:3F:C3:AD:19:19:5A:39:22:82:01:78:95:97:4A:99:02:6B:6C
**************************************************************************************
**************************************************************************************
Alias name: securitycommunicationrootca2
Owner: OU=Security Communication RootCA2, O="SECOM Trust Systems CO.,LTD.", C=JP
Issuer: OU=Security Communication RootCA2, O="SECOM Trust Systems CO.,LTD.", C=JP
Valid from: Thu May 28 22:00:39 PDT 2009 until: Mon May 28 22:00:39 PDT 2029
Certificate fingerprints:
SHA1: 5F:3B:8C:F2:F8:10:B3:7D:78:B4:CE:EC:19:19:C3:73:34:B9:C7:74
SHA256: 51:3B:2C:EC:B8:10:D4:CD:E5:DD:85:39:1A:DF:C6:C2:DD:60:D8:7B:B7:36:D2:B5:21:48:4A:A4:7A:0E:BE:F6
**************************************************************************************
**************************************************************************************
Alias name: sslcomevrootcertificationauthorityecc
Owner: CN=SSL.com EV Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US
Issuer: CN=SSL.com EV Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US
Valid from: Fri Feb 12 10:15:23 PST 2016 until: Tue Feb 12 10:15:23 PST 2041
Certificate fingerprints:
SHA1: 4C:DD:51:A3:D1:F5:20:32:14:B0:C6:C5:32:23:03:91:C7:46:42:6D
SHA256: 22:A2:C1:F7:BD:ED:70:4C:C1:E7:01:B5:F4:08:C3:10:88:0F:E9:56:B5:DE:2A:4A:44:F9:9C:87:3A:25:A7:C8
**************************************************************************************
**************************************************************************************
Alias name: sslcomevrootcertificationauthorityrsar2
Owner: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US
Issuer: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US
Valid from: Wed May 31 11:14:37 PDT 2017 until: Fri May 30 11:14:37 PDT 2042
Certificate fingerprints:
SHA1: 74:3A:F0:52:9B:D0:32:A0:F4:4A:83:CD:D4:BA:A9:7B:7C:2E:C4:9A
SHA256: 2E:7B:F1:6C:C2:24:85:A7:BB:E2:AA:86:96:75:07:61:B0:AE:39:BE:3B:2F:E9:D0:CC:6D:4E:F7:34:91:42:5C
**************************************************************************************
**************************************************************************************
Alias name: sslcomrootcertificationauthorityecc
Owner: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US
Issuer: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US
Valid from: Fri Feb 12 10:14:03 PST 2016 until: Tue Feb 12 10:14:03 PST 2041
Certificate fingerprints:
SHA1: C3:19:7C:39:24:E6:54:AF:1B:C4:AB:20:95:7A:E2:C3:0E:13:02:6A
SHA256: 34:17:BB:06:CC:60:07:DA:1B:96:1C:92:0B:8A:B4:CE:3F:AD:82:0E:4A:A3:0B:9A:CB:C4:A7:4E:BD:CE:BC:65
**************************************************************************************
**************************************************************************************
Alias name: sslcomrootcertificationauthorityrsa
Owner: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US
Issuer: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US
Valid from: Fri Feb 12 09:39:39 PST 2016 until: Tue Feb 12 09:39:39 PST 2041
Certificate fingerprints:
SHA1: B7:AB:33:08:D1:EA:44:77:BA:14:80:12:5A:6F:BD:A9:36:49:0C:BB
SHA256: 85:66:6A:56:2E:E0:BE:5C:E9:25:C1:D8:89:0A:6F:76:A8:7E:C1:6D:4D:7D:5F:29:EA:74:19:CF:20:12:3B:69
**************************************************************************************
**************************************************************************************
Alias name: staatdernederlandenevrootca
Owner: CN=Staat der Nederlanden EV Root CA, O=Staat der Nederlanden, C=NL
Issuer: CN=Staat der Nederlanden EV Root CA, O=Staat der Nederlanden, C=NL
Valid from: Wed Dec 08 03:19:29 PST 2010 until: Thu Dec 08 03:10:28 PST 2022
Certificate fingerprints:
SHA1: 76:E2:7E:C1:4F:DB:82:C1:C0:A6:75:B5:05:BE:3D:29:B4:ED:DB:BB
SHA256: 4D:24:91:41:4C:FE:95:67:46:EC:4C:EF:A6:CF:6F:72:E2:8A:13:29:43:2F:9D:8A:90:7A:C4:CB:5D:AD:C1:5A
**************************************************************************************
**************************************************************************************
Alias name: starfieldclass2ca
Owner: OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
Issuer: OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
Valid from: Tue Jun 29 10:39:16 PDT 2004 until: Thu Jun 29 10:39:16 PDT 2034
Certificate fingerprints:
SHA1: AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C3:D0:E3:37:0E:B5:8A
SHA256: 14:65:FA:20:53:97:B8:76:FA:A6:F0:A9:95:8E:55:90:E4:0F:CC:7F:AA:4F:B7:C2:C8:67:75:21:FB:5F:B6:58
**************************************************************************************
**************************************************************************************
Alias name: starfieldrootcertificateauthorityg2
Owner: CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
Valid from: Mon Aug 31 17:00:00 PDT 2009 until: Thu Dec 31 15:59:59 PST 2037
Certificate fingerprints:
SHA1: B5:1C:06:7C:EE:2B:0C:3D:F8:55:AB:2D:92:F4:FE:39:D4:E7:0F:0E
SHA256: 2C:E1:CB:0B:F9:D2:F9:E1:02:99:3F:BE:21:51:52:C3:B2:DD:0C:AB:DE:1C:68:E5:31:9B:83:91:54:DB:B7:F5
**************************************************************************************
**************************************************************************************
Alias name: starfieldservicesrootcertificateauthorityg2
Owner: CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
Valid from: Mon Aug 31 17:00:00 PDT 2009 until: Thu Dec 31 15:59:59 PST 2037
Certificate fingerprints:
SHA1: 92:5A:8F:8D:2C:6D:04:E0:66:5F:59:6A:FF:22:D8:63:E8:25:6F:3F
SHA256: 56:8D:69:05:A2:C8:87:08:A4:B3:02:51:90:ED:CF:ED:B1:97:4A:60:6A:13:C6:E5:29:0F:CB:2A:E6:3E:DA:B5
**************************************************************************************
**************************************************************************************
Alias name: swisssigngoldcag2
Owner: CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
Issuer: CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
Valid from: Wed Oct 25 01:30:35 PDT 2006 until: Sat Oct 25 01:30:35 PDT 2036
Certificate fingerprints:
SHA1: D8:C5:38:8A:B7:30:1B:1B:6E:D4:7A:E6:45:25:3A:6F:9F:1A:27:61
SHA256: 62:DD:0B:E9:B9:F5:0A:16:3E:A0:F8:E7:5C:05:3B:1E:CA:57:EA:55:C8:68:8F:64:7C:68:81:F2:C8:35:7B:95
**************************************************************************************
**************************************************************************************
Alias name: swisssignsilvercag2
Owner: CN=SwissSign Silver CA - G2, O=SwissSign AG, C=CH
Issuer: CN=SwissSign Silver CA - G2, O=SwissSign AG, C=CH
Valid from: Wed Oct 25 01:32:46 PDT 2006 until: Sat Oct 25 01:32:46 PDT 2036
Certificate fingerprints:
SHA1: 9B:AA:E5:9F:56:EE:21:CB:43:5A:BE:25:93:DF:A7:F0:40:D1:1D:CB
SHA256: BE:6C:4D:A2:BB:B9:BA:59:B6:F3:93:97:68:37:42:46:C3:C0:05:99:3F:A9:8F:02:0D:1D:ED:BE:D4:8A:81:D5
**************************************************************************************
**************************************************************************************
Alias name: szafirrootca2
Owner: CN=SZAFIR ROOT CA2, O=Krajowa Izba Rozliczeniowa S.A., C=PL
Issuer: CN=SZAFIR ROOT CA2, O=Krajowa Izba Rozliczeniowa S.A., C=PL
Valid from: Mon Oct 19 00:43:30 PDT 2015 until: Fri Oct 19 00:43:30 PDT 2035
Certificate fingerprints:
SHA1: E2:52:FA:95:3F:ED:DB:24:60:BD:6E:28:F3:9C:CC:CF:5E:B3:3F:DE
SHA256: A1:33:9D:33:28:1A:0B:56:E5:57:D3:D3:2B:1C:E7:F9:36:7E:B0:94:BD:5F:A7:2A:7E:50:04:C8:DE:D7:CA:FE
**************************************************************************************
**************************************************************************************
Alias name: teliasonerarootcav1
Owner: CN=TeliaSonera Root CA v1, O=TeliaSonera
Issuer: CN=TeliaSonera Root CA v1, O=TeliaSonera
Valid from: Thu Oct 18 05:00:50 PDT 2007 until: Mon Oct 18 05:00:50 PDT 2032
Certificate fingerprints:
SHA1: 43:13:BB:96:F1:D5:86:9B:C1:4E:6A:92:F6:CF:F6:34:69:87:82:37
SHA256: DD:69:36:FE:21:F8:F0:77:C1:23:A1:A5:21:C1:22:24:F7:22:55:B7:3E:03:A7:26:06:93:E8:A2:4B:0F:A3:89
**************************************************************************************
**************************************************************************************
Alias name: trustcoreca1
Owner: CN=TrustCor ECA-1, OU=TrustCor Certificate Authority, O=TrustCor Systems S. de R.L., L=Panama City, ST=Panama, C=PA
Issuer: CN=TrustCor ECA-1, OU=TrustCor Certificate Authority, O=TrustCor Systems S.
de R.L., L=Panama City, ST=Panama, C=PA 1022 | Valid from: Thu Feb 04 04:32:33 PST 2016 until: Mon Dec 31 09:28:07 PST 2029 1023 | Certificate fingerprints: 1024 | SHA1: 58:D1:DF:95:95:67:6B:63:C0:F0:5B:1C:17:4D:8B:84:0B:C8:78:BD 1025 | SHA256: 5A:88:5D:B1:9C:01:D9:12:C5:75:93:88:93:8C:AF:BB:DF:03:1A:B2:D4:8E:91:EE:15:58:9B:42:97:1D:03:9C 1026 | ************************************************************************************** 1027 | ************************************************************************************** 1028 | Alias name: trustcorrootcertca1 1029 | Owner: CN=TrustCor RootCert CA-1, OU=TrustCor Certificate Authority, O=TrustCor Systems S. de R.L., L=Panama City, ST=Panama, C=PA 1030 | Issuer: CN=TrustCor RootCert CA-1, OU=TrustCor Certificate Authority, O=TrustCor Systems S. de R.L., L=Panama City, ST=Panama, C=PA 1031 | Valid from: Thu Feb 04 04:32:16 PST 2016 until: Mon Dec 31 09:23:16 PST 2029 1032 | Certificate fingerprints: 1033 | SHA1: FF:BD:CD:E7:82:C8:43:5E:3C:6F:26:86:5C:CA:A8:3A:45:5B:C3:0A 1034 | SHA256: D4:0E:9C:86:CD:8F:E4:68:C1:77:69:59:F4:9E:A7:74:FA:54:86:84:B6:C4:06:F3:90:92:61:F4:DC:E2:57:5C 1035 | ************************************************************************************** 1036 | ************************************************************************************** 1037 | Alias name: trustcorrootcertca2 1038 | Owner: CN=TrustCor RootCert CA-2, OU=TrustCor Certificate Authority, O=TrustCor Systems S. de R.L., L=Panama City, ST=Panama, C=PA 1039 | Issuer: CN=TrustCor RootCert CA-2, OU=TrustCor Certificate Authority, O=TrustCor Systems S. 
de R.L., L=Panama City, ST=Panama, C=PA 1040 | Valid from: Thu Feb 04 04:32:23 PST 2016 until: Sun Dec 31 09:26:39 PST 2034 1041 | Certificate fingerprints: 1042 | SHA1: B8:BE:6D:CB:56:F1:55:B9:63:D4:12:CA:4E:06:34:C7:94:B2:1C:C0 1043 | SHA256: 07:53:E9:40:37:8C:1B:D5:E3:83:6E:39:5D:AE:A5:CB:83:9E:50:46:F1:BD:0E:AE:19:51:CF:10:FE:C7:C9:65 1044 | ************************************************************************************** 1045 | ************************************************************************************** 1046 | Alias name: trustwaveglobalcertificationauthority 1047 | Owner: CN=Trustwave Global Certification Authority, O="Trustwave Holdings, Inc.", L=Chicago, ST=Illinois, C=US 1048 | Issuer: CN=Trustwave Global Certification Authority, O="Trustwave Holdings, Inc.", L=Chicago, ST=Illinois, C=US 1049 | Valid from: Wed Aug 23 12:34:12 PDT 2017 until: Sat Aug 23 12:34:12 PDT 2042 1050 | Certificate fingerprints: 1051 | SHA1: 2F:8F:36:4F:E1:58:97:44:21:59:87:A5:2A:9A:D0:69:95:26:7F:B5 1052 | SHA256: 97:55:20:15:F5:DD:FC:3C:87:88:C0:06:94:45:55:40:88:94:45:00:84:F1:00:86:70:86:BC:1A:2B:B5:8D:C8 1053 | ************************************************************************************** 1054 | ************************************************************************************** 1055 | Alias name: trustwaveglobaleccp256certificationauthority 1056 | Owner: CN=Trustwave Global ECC P256 Certification Authority, O="Trustwave Holdings, Inc.", L=Chicago, ST=Illinois, C=US 1057 | Issuer: CN=Trustwave Global ECC P256 Certification Authority, O="Trustwave Holdings, Inc.", L=Chicago, ST=Illinois, C=US 1058 | Valid from: Wed Aug 23 12:35:10 PDT 2017 until: Sat Aug 23 12:35:10 PDT 2042 1059 | Certificate fingerprints: 1060 | SHA1: B4:90:82:DD:45:0C:BE:8B:5B:B1:66:D3:E2:A4:08:26:CD:ED:42:CF 1061 | SHA256: 94:5B:BC:82:5E:A5:54:F4:89:D1:FD:51:A7:3D:DF:2E:A6:24:AC:70:19:A0:52:05:22:5C:22:A7:8C:CF:A8:B4 1062 | 
************************************************************************************** 1063 | ************************************************************************************** 1064 | Alias name: trustwaveglobaleccp384certificationauthority 1065 | Owner: CN=Trustwave Global ECC P384 Certification Authority, O="Trustwave Holdings, Inc.", L=Chicago, ST=Illinois, C=US 1066 | Issuer: CN=Trustwave Global ECC P384 Certification Authority, O="Trustwave Holdings, Inc.", L=Chicago, ST=Illinois, C=US 1067 | Valid from: Wed Aug 23 12:36:43 PDT 2017 until: Sat Aug 23 12:36:43 PDT 2042 1068 | Certificate fingerprints: 1069 | SHA1: E7:F3:A3:C8:CF:6F:C3:04:2E:6D:0E:67:32:C5:9E:68:95:0D:5E:D2 1070 | SHA256: 55:90:38:59:C8:C0:C3:EB:B8:75:9E:CE:4E:25:57:22:5F:F5:75:8B:BD:38:EB:D4:82:76:60:1E:1B:D5:80:97 1071 | ************************************************************************************** 1072 | ************************************************************************************** 1073 | Alias name: ttelesecglobalrootclass2 1074 | Owner: CN=T-TeleSec GlobalRoot Class 2, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE 1075 | Issuer: CN=T-TeleSec GlobalRoot Class 2, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE 1076 | Valid from: Wed Oct 01 03:40:14 PDT 2008 until: Sat Oct 01 16:59:59 PDT 2033 1077 | Certificate fingerprints: 1078 | SHA1: 59:0D:2D:7D:88:4F:40:2E:61:7E:A5:62:32:17:65:CF:17:D8:94:E9 1079 | SHA256: 91:E2:F5:78:8D:58:10:EB:A7:BA:58:73:7D:E1:54:8A:8E:CA:CD:01:45:98:BC:0B:14:3E:04:1B:17:05:25:52 1080 | ************************************************************************************** 1081 | ************************************************************************************** 1082 | Alias name: ttelesecglobalrootclass3 1083 | Owner: CN=T-TeleSec GlobalRoot Class 3, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE 1084 | Issuer: CN=T-TeleSec GlobalRoot Class 3, OU=T-Systems Trust Center, 
O=T-Systems Enterprise Services GmbH, C=DE 1085 | Valid from: Wed Oct 01 03:29:56 PDT 2008 until: Sat Oct 01 16:59:59 PDT 2033 1086 | Certificate fingerprints: 1087 | SHA1: 55:A6:72:3E:CB:F2:EC:CD:C3:23:74:70:19:9D:2A:BE:11:E3:81:D1 1088 | SHA256: FD:73:DA:D3:1C:64:4F:F1:B4:3B:EF:0C:CD:DA:96:71:0B:9C:D9:87:5E:CA:7E:31:70:7A:F3:E9:6D:52:2B:BD 1089 | ************************************************************************************** 1090 | ************************************************************************************** 1091 | Alias name: tubitakkamusmsslkoksertifikasisurum1 1092 | Owner: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1, OU=Kamu Sertifikasyon Merkezi - Kamu SM, O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK, L=Gebze - Kocaeli, C=TR 1093 | Issuer: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1, OU=Kamu Sertifikasyon Merkezi - Kamu SM, O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK, L=Gebze - Kocaeli, C=TR 1094 | Valid from: Mon Nov 25 00:25:55 PST 2013 until: Sun Oct 25 01:25:55 PDT 2043 1095 | Certificate fingerprints: 1096 | SHA1: 31:43:64:9B:EC:CE:27:EC:ED:3A:3F:0B:8F:0D:E4:E8:91:DD:EE:CA 1097 | SHA256: 46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16 1098 | ************************************************************************************** 1099 | ************************************************************************************** 1100 | Alias name: tuntrustrootca 1101 | Owner: CN=TunTrust Root CA, O=Agence Nationale de Certification Electronique, C=TN 1102 | Issuer: CN=TunTrust Root CA, O=Agence Nationale de Certification Electronique, C=TN 1103 | Valid from: Fri Apr 26 01:57:56 PDT 2019 until: Tue Apr 26 01:57:56 PDT 2044 1104 | Certificate fingerprints: 1105 | SHA1: CF:E9:70:84:0F:E0:73:0F:9D:F6:0C:7F:2C:4B:EE:20:46:34:9C:BB 1106 | SHA256: 2E:44:10:2A:B5:8C:B8:54:19:45:1C:8E:19:D9:AC:F3:66:2C:AF:BC:61:4B:6A:53:96:0A:30:F7:D0:E2:EB:41 1107 | 
************************************************************************************** 1108 | ************************************************************************************** 1109 | Alias name: twcaglobalrootca 1110 | Owner: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW 1111 | Issuer: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW 1112 | Valid from: Tue Jun 26 23:28:33 PDT 2012 until: Tue Dec 31 07:59:59 PST 2030 1113 | Certificate fingerprints: 1114 | SHA1: 9C:BB:48:53:F6:A4:F6:D3:52:A4:E8:32:52:55:60:13:F5:AD:AF:65 1115 | SHA256: 59:76:90:07:F7:68:5D:0F:CD:50:87:2F:9F:95:D5:75:5A:5B:2B:45:7D:81:F3:69:2B:61:0A:98:67:2F:0E:1B 1116 | ************************************************************************************** 1117 | ************************************************************************************** 1118 | Alias name: twcarootcertificationauthority 1119 | Owner: CN=TWCA Root Certification Authority, OU=Root CA, O=TAIWAN-CA, C=TW 1120 | Issuer: CN=TWCA Root Certification Authority, OU=Root CA, O=TAIWAN-CA, C=TW 1121 | Valid from: Thu Aug 28 00:24:33 PDT 2008 until: Tue Dec 31 07:59:59 PST 2030 1122 | Certificate fingerprints: 1123 | SHA1: CF:9E:87:6D:D3:EB:FC:42:26:97:A3:B5:A3:7A:A0:76:A9:06:23:48 1124 | SHA256: BF:D8:8F:E1:10:1C:41:AE:3E:80:1B:F8:BE:56:35:0E:E9:BA:D1:A6:B9:BD:51:5E:DC:5C:6D:5B:87:11:AC:44 1125 | ************************************************************************************** 1126 | ************************************************************************************** 1127 | Alias name: ucaextendedvalidationroot 1128 | Owner: CN=UCA Extended Validation Root, O=UniTrust, C=CN 1129 | Issuer: CN=UCA Extended Validation Root, O=UniTrust, C=CN 1130 | Valid from: Thu Mar 12 17:00:00 PDT 2015 until: Thu Dec 30 16:00:00 PST 2038 1131 | Certificate fingerprints: 1132 | SHA1: A3:A1:B0:6F:24:61:23:4A:E3:36:A5:C2:37:FC:A6:FF:DD:F0:D7:3A 1133 | SHA256: 
D4:3A:F9:B3:54:73:75:5C:96:84:FC:06:D7:D8:CB:70:EE:5C:28:E7:73:FB:29:4E:B4:1E:E7:17:22:92:4D:24 1134 | ************************************************************************************** 1135 | ************************************************************************************** 1136 | Alias name: ucaglobalg2root 1137 | Owner: CN=UCA Global G2 Root, O=UniTrust, C=CN 1138 | Issuer: CN=UCA Global G2 Root, O=UniTrust, C=CN 1139 | Valid from: Thu Mar 10 16:00:00 PST 2016 until: Sun Dec 30 16:00:00 PST 2040 1140 | Certificate fingerprints: 1141 | SHA1: 28:F9:78:16:19:7A:FF:18:25:18:AA:44:FE:C1:A0:CE:5C:B6:4C:8A 1142 | SHA256: 9B:EA:11:C9:76:FE:01:47:64:C1:BE:56:A6:F9:14:B5:A5:60:31:7A:BD:99:88:39:33:82:E5:16:1A:A0:49:3C 1143 | ************************************************************************************** 1144 | ************************************************************************************** 1145 | Alias name: usertrustecccertificationauthority 1146 | Owner: CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US 1147 | Issuer: CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US 1148 | Valid from: Sun Jan 31 16:00:00 PST 2010 until: Mon Jan 18 15:59:59 PST 2038 1149 | Certificate fingerprints: 1150 | SHA1: D1:CB:CA:5D:B2:D5:2A:7F:69:3B:67:4D:E5:F0:5A:1D:0C:95:7D:F0 1151 | SHA256: 4F:F4:60:D5:4B:9C:86:DA:BF:BC:FC:57:12:E0:40:0D:2B:ED:3F:BC:4D:4F:BD:AA:86:E0:6A:DC:D2:A9:AD:7A 1152 | ************************************************************************************** 1153 | ************************************************************************************** 1154 | Alias name: usertrustrsacertificationauthority 1155 | Owner: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US 1156 | Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US 1157 | Valid from: 
Sun Jan 31 16:00:00 PST 2010 until: Mon Jan 18 15:59:59 PST 2038 1158 | Certificate fingerprints: 1159 | SHA1: 2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E 1160 | SHA256: E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2 1161 | ************************************************************************************** 1162 | ************************************************************************************** 1163 | Alias name: xrampglobalcaroot 1164 | Owner: CN=XRamp Global Certification Authority, O=XRamp Security Services Inc, OU=www.xrampsecurity.com, C=US 1165 | Issuer: CN=XRamp Global Certification Authority, O=XRamp Security Services Inc, OU=www.xrampsecurity.com, C=US 1166 | Valid from: Mon Nov 01 09:14:04 PST 2004 until: Sun Dec 31 21:37:19 PST 2034 1167 | Certificate fingerprints: 1168 | SHA1: B8:01:86:D1:EB:9C:86:A5:41:04:CF:30:54:F3:4C:52:B7:E5:58:C6 1169 | SHA256: CE:CD:DC:90:50:99:D8:DA:DF:C5:B1:D2:09:B7:37:CB:E2:C1:8C:FB:2C:10:C0:FF:0B:CF:0D:32:86:FC:1A:A2 1170 | ************************************************************************************** 1171 | ************************************************************************************** -------------------------------------------------------------------------------- /XKS_arch_v8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws/aws-kms-xksproxy-api-spec/c79624ed2bebcae2bd6e6e0b109108ef4f608f16/XKS_arch_v8.png -------------------------------------------------------------------------------- /xks_proxy_api_spec.md: -------------------------------------------------------------------------------- 1 | 5 | # Table of Contents 6 | 7 | - [External Key Store Proxy API Specification](#external-key-store-proxy-api-specification) 8 | - [Background](#background) 9 | - [High level architecture](#high-level-architecture) 10 | - [API content type](#api-content-type) 11 | - [API 
operations](#api-operations) 12 | - [GetKeyMetadata](#getkeymetadata) 13 | - [Encrypt](#encrypt) 14 | - [Decrypt](#decrypt) 15 | - [GetHealthStatus](#gethealthstatus) 16 | - [Error codes](#error-codes) 17 | - [Authentication](#authentication) 18 | - [SigV4 Credentials Rotation](#sigv4-credentials-rotation) 19 | - [Authorization](#authorization) 20 | - [Logging](#logging) 21 | - [Testing](#testing) 22 | - [Other considerations](#other-considerations) 23 | - [Load balancer health checks](#load-balancer-health-checks) 24 | - [XKS proxy configuration in AWS KMS console](#xks-proxy-configuration-in-aws-kms-console) 25 | - [Troubleshooting](#troubleshooting) 26 | - [Appendix A: Using SigV4 to sign XKS proxy requests](#appendix-a-using-sigv4-to-sign-xks-proxy-requests) 27 | - [Task 1: Create a canonical request](#task-1-create-a-canonical-request) 28 | - [Task 2: Create a string to sign](#task-2-create-a-string-to-sign) 29 | - [Task 3: Calculate the signature](#task-3-calculate-the-signature) 30 | - [Task 4: Match the signature](#task-4-match-the-signature) 31 | - [Appendix B: RequestMetadata fields](#appendix-b-requestmetadata-fields) 32 | - [Appendix C: Ciphertext Data Integrity Value (CDIV) implementation guidelines](#appendix-c-ciphertext-data-integrity-value-cdiv-implementation-guidelines) 33 | - [Appendix D: Using curl for XKS API calls](#appendix-d-using-curl-for-xks-api-calls) 34 | - [Appendix E: Change log](#appendix-e-change-log) 35 | 36 | 37 | 38 | 39 |
# External Key Store Proxy API Specification

*Last Updated: May 15, 2024*

See [Appendix E](#appendix-e-change-log) for a history of the changes.

## Background

**External Key Stores** is a new capability in AWS Key Management Service (AWS KMS) that allows customers to protect their data in AWS using cryptographic keys held inside on-premises Hardware Security Modules (HSMs) or other key managers outside of AWS. This integration mimics the existing support for AWS CloudHSM within KMS, except that the customer-controlled HSM resides outside of an AWS data center. This document uses the term *external key manager* to cover both external HSMs and external software-only key managers (also known as virtual HSMs).

AWS services typically do not use a KMS key directly for encrypting customer data. Instead, they generate data keys and use envelope encryption to protect customer data. The data keys are encrypted using a KMS key and kept next to the data they encrypt. The plaintext version of the data key is held in memory by the integrated service only for a short period. Attempts to access encrypted customer data result in a decrypt API call to KMS to get the plaintext data key. When the key material for a KMS key is hosted in an external key manager, the cryptographic operations that wrap and unwrap the data key are performed in a customer-chosen data center outside AWS.

The new capability is meant to support a variety of external key managers from different vendors. The architecture introduces a proxy, the External Key Store Proxy (aka XKS Proxy), whose primary purpose is to abstract away the API differences across various types of external key managers. The XKS Proxy presents KMS with the uniform API interface described in this document. KMS maintains a fleet of hosts, the XKS Proxy Management Fleet, that communicates with multiple instances of XKS Proxies. The rest of this document describes Version 1 of the XKS Proxy interface, including message formats, authentication and authorization controls, error conditions and additional implementation guidance.

KMS keys whose key material resides in an external key manager can be distinguished from other KMS keys by their *Origin*, which is set to **EXTERNAL_KEY_STORE**.

This document assumes familiarity with the [AWS KMS API](https://docs.aws.amazon.com/kms/latest/APIReference/API_Operations.html) and standard Base64 encoding as defined in [RFC 4648](https://www.rfc-editor.org/rfc/rfc4648#section-4).

**Requirements Terminology**

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119](https://datatracker.ietf.org/doc/html/rfc2119).
## High level architecture

![High-level XKS Architecture](XKS_arch_v8.png)
**Figure 1**: High-level KMS architecture with its main components for External Key Store (XKS) support.

Figure 1 shows the high-level architecture for external key store support in AWS KMS. The XKS Proxy abstracts away API differences across multiple types of external key managers and provides a uniform HTTPS-based API for invoking cryptographic operations involving external keys. This standardized interface is indicated by the thick, vertical, dashed lines in Figure 1. Everything to the right of the interface is the customer's responsibility; everything to the left, inside the AWS boundary, is the responsibility of AWS.

Each type of key manager will require a corresponding XKS Proxy, but a single XKS Proxy instance can serve a cluster of key managers.

We support two connectivity options for the communication between KMS and the XKS Proxy:

1. XKS Proxy as a [VPC Endpoint Service](https://docs.aws.amazon.com/vpc/latest/privatelink/endpoint-service-overview.html) in the customer's Amazon VPC: With this option, customers can run the XKS Proxy on a private network (i.e. one using RFC 1918 private addresses). The proxy may be located in the customer's data center (as shown for Customer A) or in an Amazon VPC (as shown for Customer B). In each case, customers will need to create an NLB and a VPC endpoint service in their Amazon VPC. The target group associated with the NLB will use the private IP addresses associated with the XKS Proxy. Customers will also need to connect their Amazon VPC to their on-premises data center using any of the available mechanisms, such as a VPN or Direct Connect.
2. XKS Proxy as a public endpoint: Customers can choose to make the proxy available as a publicly routable endpoint (as shown for Customer C) in their data center. This is the simpler connectivity option, but it will experience greater variance in network performance since all traffic is going over the Internet. Request authentication restricts access to the proxy. Customers might choose this option while they are evaluating the external key store feature and switch to the VPC endpoint service connectivity option for production use.

The following is a brief description of the main entities/components referenced in Figure 1:

* AWS Customer: Calls KMS APIs either directly or via another AWS service that integrates with KMS, such as S3.
* KMS front-end fleet: The front-end service in KMS responsible for authenticating and authorizing requests, processing API input parameters and assembling the final response for the caller. All requests to AWS KMS arrive at the KMS front-end fleet. Those involving a KMS key in an external key store (identified by the special value `EXTERNAL_KEY_STORE` in the Origin metadata field) are routed to the XKS Proxy Management Fleet.
* XKS Proxy Management Fleet: A fleet of hosts inside KMS that manages interaction with external key managers via the XKS Proxies. This fleet bridges any gaps between the response produced by the XKS Proxy and what the KMS front-end fleet expects. For example, we do not expose the proprietary format of the ciphertext blob to the XKS Proxy; instead, this fleet assembles that blob from the individual components (authentication tag, IV and ciphertext) returned by the Encrypt API call to an XKS Proxy.
* XKS Proxy: Customers may wish to connect a large variety of external key managers to AWS KMS, each speaking a different API flavor (such as web-based, a vendor-specific PKCS11 variant, or KMIP). The main purpose of the XKS Proxy is to normalize these differences and present KMS with a uniform API for interacting with external key managers. We have identified a small set of four APIs (GetKeyMetadata, Encrypt, Decrypt and GetHealthStatus) that can be used as building blocks to implement all of the KMS APIs we wish to support at launch for keys in external key stores. Any key manager can be used with the External Key Store feature in KMS by creating an XKS Proxy that implements the four APIs described in this specification.
* Customer's HSM/External HSM/External Key Manager: A customer HSM (or HSM cluster) or virtual HSM residing in their data center.
## API content type

All requests and responses between the XKS Proxy Management Fleet and the XKS Proxy MUST be sent as JSON over HTTPS with a Content-Type of `application/json`. The XKS Proxy MUST support HTTP/1.1 or later and TLS 1.2 or later with at least one of these cipher suites: `TLS_AES_256_GCM_SHA384` (TLS 1.3), `TLS_CHACHA20_POLY1305_SHA256` (TLS 1.3), `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` (TLS 1.2), `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` (TLS 1.2). The XKS Proxy MUST be able to fall back to HTTP/1.1.

## API operations

A majority of the AWS services that integrate with KMS do so using 256-bit AES keys. For that reason, Version 1 of the XKS Proxy interface does not support asymmetric keys or symmetric keys with a length other than 256 bits, i.e. only SYMMETRIC_DEFAULT KMS keys are supported in Version 1.

The following API operations MUST be supported:

* GetKeyMetadata:
  Gets metadata for a key in the external key manager, e.g. its type, usage and status.
* Encrypt:
  Performs an AES-GCM encryption on the specified plaintext.
* Decrypt:
  Performs an AES-GCM decryption on the specified ciphertext.
* GetHealthStatus:
  Checks whether the external key manager is reachable and available to perform cryptographic operations.

The requests and responses for these APIs are sent as JSON objects over HTTPS. Every API request sent from KMS to the XKS Proxy includes metadata that provides additional context for the request, e.g. the AWS principal making the KMS API call that resulted in the XKS Proxy API call, or the KMS key involved in the KMS API. These elements are grouped together in the requestMetadata object within the request body (details below). Information included as part of requestMetadata is helpful for auditing and for implementing optional authorization at the XKS Proxy (see [Authorization](#authorization)). Several of the fields in requestMetadata are AWS Resource Names (ARNs). The XKS Proxy MUST support ARN lengths of up to [2048](https://docs.aws.amazon.com/IAM/latest/APIReference/API_Policy.html) characters.

Since each XKS Proxy API request includes requestMetadata, all requests are sent as HTTP POSTs (not GETs), following the recommendation in [RFC 7231](https://datatracker.ietf.org/doc/html/rfc7231#page-24), which states:

> A payload within a GET request message has no defined semantics; sending a payload body on a GET request might cause some existing implementations to reject the request.

If the XKS Proxy receives an HTTP GET request at a URI associated with any of these four APIs, it MUST reject the request with a 405 Method Not Allowed error.

The XKS Proxy API specification does not include any APIs that create or destroy keys in an external key manager, or change the metadata associated with those keys. Before calling the KMS **CreateKey API**, one must already have a key in the external key manager. The CreateKey API call to create a KMS key in an external key manager does not create key material in the external key manager; it only establishes an association between a "shell" key in KMS and an external key. The identifier of the external key is an input parameter to the CreateKey API and is stored as metadata associated with the KMS key.

The URIs used in the XKS Proxy API calls start with a prefix of the form

    https://<server>[/<path-prefix>]/kms/xks/v1

where the parts within angle brackets will vary. Portions of the URL shown within square brackets are optional. This URI prefix is configured into KMS as part of the `CreateCustomKeyStore` API when a customer sets up an external key manager for use with KMS. The part `https://<server>` is specified directly via the `XksProxyUriEndpoint` parameter, and the `XksProxyUriPath` parameter specifies `[/<path-prefix>]/kms/xks/v1`. The total length of the `XksProxyUriPath` MUST NOT exceed 128 characters and MUST NOT include any characters other than a through z, A through Z, 0 through 9, slash (/), dash (-) and underscore (\_). The `<path-prefix>` provides a mechanism to support multiple isolated customers on the same XKS Proxy. An XKS Proxy MAY implement independent request quotas on each path prefix and respond with a ThrottlingException (see [Error Codes](#error-codes)) if that quota is exceeded.

The XKS APIs involving an external key (encrypt, decrypt, getKeyMetadata) use URIs of the form

    https://<server>[/<path-prefix>]/kms/xks/v1/keys/<externalKeyId>/<operation>

The **`<server>`** MUST be a fully qualified domain name (rather than an IP address), and the total URI length MUST NOT exceed 256 characters. The **`externalKeyId`** identifies a key in the external key manager and must be unique within the scope of an XKS Proxy endpoint. Each KMS key must be associated with a different external key, i.e. two different KMS keys created in the same external key store (identified by the XKS Proxy endpoint) MUST NOT have the same **`externalKeyId`**. If you try to create a KMS key with an **`externalKeyId`** that is already associated with an existing KMS key, the CreateKey request will fail.

The encoding of **`externalKeyId`** is opaque to AWS KMS. The only requirements are: (i) the XKS Proxy MUST be able to identify an external key unambiguously from its **`externalKeyId`**, and (ii) the length of an **`externalKeyId`** MUST NOT exceed 128 characters and its characters MUST be restricted to the following set: uppercase or lowercase letters A through Z, the digits 0 through 9, the hyphen, the period and the underscore.
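As an added example (not part of the specification or of any AWS code), the following router applies the URI rules above to an incoming request: HTTPS only, `<server>` a fully qualified domain name rather than an IP literal, a total URI of at most 256 characters, the `XksProxyUriPath` and `externalKeyId` length and character limits, and a 405 for any method other than POST. The `encrypt` and `decrypt` path suffixes are taken from the Encrypt and Decrypt sections of the spec; the status codes other than 405 are choices made for this example, since this section only fixes the GET case.

```python
"""Request routing for an XKS proxy, applying the URI constraints from the spec text above."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

MAX_URI_LEN = 256               # whole request URI
MAX_URI_PATH_LEN = 128          # XksProxyUriPath, i.e. "[/<path-prefix>]/kms/xks/v1"
MAX_EXTERNAL_KEY_ID_LEN = 128
API_BASE = "/kms/xks/v1"

# Character sets the spec allows for XksProxyUriPath and for externalKeyId.
_URI_PATH_RE = re.compile(r"[A-Za-z0-9/_-]*")
_EXTERNAL_KEY_ID_RE = re.compile(r"[A-Za-z0-9._-]{1,%d}" % MAX_EXTERNAL_KEY_ID_LEN)
# Trailing path element -> API name. "metadata" is given in the GetKeyMetadata section;
# "encrypt" and "decrypt" come from the Encrypt and Decrypt sections of the spec.
_KEY_OPERATIONS = {"metadata": "GetKeyMetadata", "encrypt": "Encrypt", "decrypt": "Decrypt"}


class XksUriError(ValueError):
    """A rejected request URI, carrying the HTTP status the proxy answers with."""

    def __init__(self, status: int, reason: str) -> None:
        super().__init__(f"{status}: {reason}")
        self.status = status
        self.reason = reason


@dataclass(frozen=True)
class XksRoute:
    path_prefix: str        # "" when the optional <path-prefix> is absent
    external_key_id: str
    operation: str          # "GetKeyMetadata", "Encrypt" or "Decrypt"


def validate_xks_proxy_uri_path(uri_path: str) -> None:
    """Check a value for the XksProxyUriPath parameter of CreateCustomKeyStore."""
    if len(uri_path) > MAX_URI_PATH_LEN:
        raise XksUriError(400, "XksProxyUriPath longer than 128 characters")
    if not _URI_PATH_RE.fullmatch(uri_path):
        raise XksUriError(400, "XksProxyUriPath contains a character outside [A-Za-z0-9/_-]")
    if not uri_path.endswith(API_BASE):
        raise XksUriError(400, "XksProxyUriPath must end with /kms/xks/v1")


def validate_external_key_id(key_id: str) -> None:
    """externalKeyId: 1..128 characters from letters, digits, hyphen, period and underscore."""
    if not _EXTERNAL_KEY_ID_RE.fullmatch(key_id):
        raise XksUriError(400, "externalKeyId is empty, too long, or has a disallowed character")


def is_fqdn(host: str) -> bool:
    """True for a dotted hostname; False for IPv4/IPv6 literals and single-label names."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(re.fullmatch(r"[A-Za-z0-9-]{1,63}", label) for label in labels)


def route_key_request(method: str, uri: str) -> XksRoute:
    """Resolve a full request URI to one of the key operations, or raise XksUriError."""
    if len(uri) > MAX_URI_LEN:
        raise XksUriError(414, "URI longer than 256 characters")
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise XksUriError(400, "XKS proxy requests MUST use HTTPS")
    if not parts.hostname or not is_fqdn(parts.hostname):
        raise XksUriError(400, "<server> MUST be a fully qualified domain name, not an IP address")
    # Split "[/<path-prefix>]/kms/xks/v1/keys/<externalKeyId>/<operation>".
    prefix, found, tail = parts.path.partition(API_BASE + "/keys/")
    if not found:
        raise XksUriError(404, "not an XKS key operation URI")
    validate_xks_proxy_uri_path(prefix + API_BASE)
    key_id, _, op = tail.partition("/")
    validate_external_key_id(key_id)
    if op not in _KEY_OPERATIONS:
        raise XksUriError(404, f"unknown key operation {op!r}")
    if method.upper() != "POST":
        # Every XKS API carries requestMetadata in the body, so only POST is accepted.
        raise XksUriError(405, "Method Not Allowed")
    return XksRoute(prefix, key_id, _KEY_OPERATIONS[op])


def rejection_status(method: str, uri: str) -> Optional[int]:
    """HTTP status the proxy would answer with, or None when the request is routable."""
    try:
        route_key_request(method, uri)
        return None
    except XksUriError as err:
        return err.status
```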
### GetKeyMetadata

This API fetches metadata associated with the external key, including its type, supported cryptographic operations and status.

**HTTP Method:** POST

**URI:** `https://<server>[/<path-prefix>]/kms/xks/v1/keys/<externalKeyId>/metadata`

**Request Payload Parameters:**
The HTTP body of the request contains requestMetadata fields that provide additional context on the request being made. This information is helpful for auditing and for implementing an optional secondary layer of authorization at the XKS Proxy (see the later section on [Authorization](#authorization)). There is no expectation for the XKS Proxy to validate any information included in the requestMetadata beyond validating the signature that covers the entire request payload.

1. **requestMetadata** - Nested structure which contains request metadata.
   1. **awsPrincipalArn** - This is the ARN of the principal that invoked KMS CreateKey (see [aws:PrincipalArn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalarn)). When the caller is another AWS service, this field will contain either the service principal ending in amazonaws.com, such as [ec2.amazonaws.com](http://ec2.amazonaws.com/), or "AWS Internal". This field is REQUIRED.
   2. **awsSourceVpc** - This field is OPTIONAL. It is present if and only if the KMS API request was made using a VPC endpoint. When present, this field indicates the VPC where the request originated (see [aws:SourceVpc](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcevpc)).
   3. **awsSourceVpce** - This field is OPTIONAL. It is present if and only if the KMS API request was made using a VPC endpoint. When present, this field indicates the VPC endpoint used for the request (see [aws:SourceVpce](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcevpce)).
   4. **kmsOperation** - This is the KMS API call that resulted in the XKS Proxy API request, e.g. CreateKey can result in a GetKeyMetadata call. This field is REQUIRED. The XKS Proxy MUST NOT reject a request as invalid if it sees a kmsOperation other than those listed for this API call. In the future, KMS may introduce a new API that can be satisfied by calling one of the XKS APIs listed in this document. For proxies that implement [secondary authorization](#authorization), it is acceptable for XKS API requests made as part of the new KMS API to fail authorization. It is easier for a customer to update their XKS Proxy authorization policy than to update their XKS Proxy software.
   5. **kmsRequestId** - This is the requestId of the call made to KMS, which is visible in AWS CloudTrail. The XKS Proxy SHOULD log this field to allow a customer to correlate AWS CloudTrail entries with log entries in the XKS Proxy. This field typically follows the format for [UUID](https://en.wikipedia.org/wiki/Universally_unique_identifier)s, but the XKS Proxy MUST treat it as an opaque string and MUST NOT perform any validation on its structure. This field is REQUIRED.

**NOTE**: The kmsKeyArn includes the Region in which the KMS request was made and the account that owns the resource. The awsPrincipalArn includes the account of the caller. The XKS Proxy can also use the Region and account (both key owner and caller) fields in its authorization decision.
**Request Payload Syntax:**

```
{
    "requestMetadata": {
        "awsPrincipalArn": string,
        "awsSourceVpc": string,   // optional
        "awsSourceVpce": string,  // optional
        "kmsOperation": string,
        "kmsRequestId": string
    }
}
```

**Request Payload Example:**

```
{
    "requestMetadata": {
        "awsPrincipalArn": "arn:aws:iam::123456789012:user/Alice",
        "kmsOperation": "CreateKey",
        "kmsRequestId": "4112f4d6-db54-4af4-ae30-c55a22a8dfae"
    }
}
```

**Response Payload Parameters:**
The following attributes MUST be present in the response payload:

1. **keySpec** - Specifies the type of external key. This field is REQUIRED. The XKS Proxy must use the string `AES_256` to indicate a 256-bit AES key.
2. **keyUsage** - Specifies an array of cryptographic operations for which the external key can be used. This field is REQUIRED. The XKS Proxy must use the strings `ENCRYPT` and `DECRYPT` (all uppercase) to indicate when an external key supports encrypt and decrypt operations, respectively. The XKS Proxy response MAY include additional values supported by that external key, e.g. PKCS11-based HSMs additionally support DERIVE, SIGN, VERIFY, WRAP, UNWRAP. The response MUST NOT contain more than ten keyUsage values.
3. **keyStatus** - Specifies the state of the external key. The supported values are `ENABLED` and `DISABLED`. This field is REQUIRED. If neither the external key manager nor the XKS Proxy supports disabling individual keys, the XKS Proxy MUST return ENABLED for this field.

**Success Response Code:** 200 (for errors, see [Error Codes](#error-codes))

**Response Payload Syntax:**

```
{
    "keySpec": string,
    "keyUsage": array of strings,
    "keyStatus": string
}
```

**Response Payload Example:**

```
{
    "keySpec": "AES_256",
    "keyUsage": ["ENCRYPT", "DECRYPT"],
    "keyStatus": "ENABLED"
}
```
**KMS Considerations:**

KMS invokes the XKS Proxy’s GetKeyMetadata API when a customer calls the KMS CreateKey API for a KMS key in an external key store.

Version 1 of this specification only supports creation of AES keys within KMS. When KMS calls GetKeyMetadata as part of a KMS CreateKey call, it will look for specific values in the GetKeyMetadata response. Invocation of the KMS CreateKey API will fail if any one (or more) of the following is true:

* keySpec is not `AES_256`
* keyUsage is missing `ENCRYPT` or `DECRYPT` (or both)
* keyStatus is not `ENABLED`

When GetKeyMetadata is called as part of a KMS DescribeKey call, the keyStatus and keyUsage fields will be included in the response as part of [key metadata](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html#API_DescribeKey_ResponseSyntax).

The key state of a KMS key is distinct from the status of the underlying external key and the output of the KMS DescribeKey API includes both pieces of information. Calling the KMS EnableKey or DisableKey API will only change the KMS key state, not the status of the underlying key in the external key manager. The key status in the external key manager MUST be managed by using its native API.

KMS Encrypt or Decrypt API calls on KMS keys in external key stores will only succeed if the KMS key state is ENABLED and the status of the key in the external key manager is also ENABLED.

If KMS does not receive a response from the XKS proxy for any API call within 250ms, KMS will time out and the corresponding KMS API call will fail. Since the interaction between KMS and an XKS proxy may involve multiple round trips (one each for TCP connection, TLS handshake and HTTP request/response), we recommend placing the external key manager as close as possible to the AWS data center hosting KMS, i.e. the ping latency between the AWS data center and the customer's data center SHOULD be 35ms or less.
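The three CreateKey conditions above, together with the structural rules on the response (at most ten keyUsage values, keyStatus limited to ENABLED or DISABLED), are the checks a proxy author should run against their own GetKeyMetadata output before pointing KMS at it. This Go program is an added example and not part of the specification or of any proxy; it separates the structural validation from the CreateKey decision so that a malformed response and a well-formed but unusable key are reported differently. The sample response bodies are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// KeyMetadata mirrors the GetKeyMetadata response payload.
type KeyMetadata struct {
	KeySpec   string   `json:"keySpec"`
	KeyUsage  []string `json:"keyUsage"`
	KeyStatus string   `json:"keyStatus"`
}

const maxKeyUsageValues = 10

// ValidateKeyMetadata applies the structural rules of the response: all three fields
// present, at most ten keyUsage values, keyStatus either ENABLED or DISABLED.
func ValidateKeyMetadata(m KeyMetadata) error {
	if m.KeySpec == "" {
		return fmt.Errorf("keySpec is required")
	}
	if len(m.KeyUsage) == 0 {
		return fmt.Errorf("keyUsage is required")
	}
	if len(m.KeyUsage) > maxKeyUsageValues {
		return fmt.Errorf("keyUsage has %d values, limit is %d", len(m.KeyUsage), maxKeyUsageValues)
	}
	if m.KeyStatus != "ENABLED" && m.KeyStatus != "DISABLED" {
		return fmt.Errorf("keyStatus %q is not ENABLED or DISABLED", m.KeyStatus)
	}
	return nil
}

// CreateKeyAccepts reproduces the checks KMS CreateKey applies to a GetKeyMetadata
// response: keySpec AES_256, keyUsage containing both ENCRYPT and DECRYPT (uppercase),
// keyStatus ENABLED. The string names the first failing condition; it is empty on success.
func CreateKeyAccepts(m KeyMetadata) (bool, string) {
	if m.KeySpec != "AES_256" {
		return false, "keySpec is not AES_256"
	}
	usage := map[string]bool{}
	for _, u := range m.KeyUsage {
		usage[u] = true
	}
	if !usage["ENCRYPT"] || !usage["DECRYPT"] {
		return false, "keyUsage is missing ENCRYPT or DECRYPT"
	}
	if m.KeyStatus != "ENABLED" {
		return false, "keyStatus is not ENABLED"
	}
	return true, ""
}

// ParseKeyMetadata decodes a response body and validates it structurally.
func ParseKeyMetadata(body []byte) (KeyMetadata, error) {
	var m KeyMetadata
	if err := json.Unmarshal(body, &m); err != nil {
		return m, fmt.Errorf("malformed GetKeyMetadata response: %w", err)
	}
	return m, ValidateKeyMetadata(m)
}

func main() {
	// Constructed responses: the page's example, a key that can wrap but not decrypt,
	// a disabled key, and a response with an invalid keyStatus.
	for _, body := range []string{
		`{"keySpec":"AES_256","keyUsage":["ENCRYPT","DECRYPT"],"keyStatus":"ENABLED"}`,
		`{"keySpec":"AES_256","keyUsage":["ENCRYPT","WRAP","UNWRAP"],"keyStatus":"ENABLED"}`,
		`{"keySpec":"AES_256","keyUsage":["ENCRYPT","DECRYPT"],"keyStatus":"DISABLED"}`,
		`{"keySpec":"AES_256","keyUsage":["ENCRYPT","DECRYPT"],"keyStatus":"ACTIVE"}`,
	} {
		m, err := ParseKeyMetadata([]byte(body))
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		ok, why := CreateKeyAccepts(m)
		fmt.Printf("CreateKey accepts=%v %s\n", ok, why)
	}
}
```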
### Encrypt

KMS uses this API to encrypt data using a key in an external key manager.

**HTTP Method:** POST

**URI:** https://\<server\>\[/\<path-prefix\>\]/kms/xks/v1/keys/\<externalKeyId\>/encrypt

**Request Payload Parameters:**
The HTTP body of the request contains requestMetadata along with input parameters for the encrypt operation.

1. **requestMetadata** - Nested structure that contains request metadata.
    1. **awsPrincipalArn** - This is the ARN of the principal that invoked the KMS Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext or ReEncrypt API. When the caller is another AWS service, this field will contain either the service principal ending in amazonaws.com, such as [ec2.amazonaws.com](http://ec2.amazonaws.com/) or “AWS Internal”. This field is REQUIRED.
    2. **awsSourceVpc** - This field is OPTIONAL. It is present if and only if the KMS API request was made using a VPC endpoint, and the caller is the same as the KMS key owner. When present, this field indicates the VPC where the request originated (see [aws:SourceVpc](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcevpc)).
    3. **awsSourceVpce** - This field is OPTIONAL. It is present if and only if the KMS API request was made using a VPC endpoint, and the caller is the same as the KMS key owner. When present, this field indicates the VPC endpoint used for the request (see [aws:SourceVpce](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcevpce)).
    4. **kmsKeyArn** - This is the ARN of the KMS Key on which the Encrypt, ReEncrypt, GenerateDataKey or GenerateDataKeyWithoutPlaintext API was invoked. This field is REQUIRED.
    5. **kmsOperation** - This is the KMS API call that resulted in the XKS Proxy API request, e.g. any one of four KMS APIs (Encrypt, ReEncrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext) can result in an Encrypt call. This field is REQUIRED. The XKS Proxy MUST NOT reject a request as invalid if it sees a kmsOperation other than those listed for this API call. In the future, KMS may introduce a new API (BulkEncrypt, say) that can be satisfied by calling one of the XKS APIs listed in this document. For proxies that implement [secondary authorization](#authorization), it is acceptable for XKS API requests made as part of the new KMS API to fail authorization. It is easier for a customer to update their XKS Proxy authorization policy than to update their XKS Proxy software.
    6. **kmsRequestId** - This is the requestId of the call made to KMS that is visible in AWS CloudTrail. The XKS proxy SHOULD log this field to allow a customer to correlate AWS CloudTrail entries with log entries in the XKS Proxy. This field typically follows the format for [UUID](https://en.wikipedia.org/wiki/Universally_unique_identifier)s but the XKS Proxy MUST treat this as an opaque string and MUST NOT perform any validation on its structure. This field is REQUIRED.
    7. **kmsViaService** - This field is OPTIONAL. If present, it indicates the AWS service that called the KMS API on behalf of a customer (see [kms:ViaService](https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-via-service)).
2. **plaintext** - Base64-encoded plaintext provided to the external key manager for encryption. The proxy MUST support the ability to process up to 4300 bytes of plaintext data. Note that Base64 encoding of 4300 bytes of binary data will result in a string that is 5736 bytes. Plaintext passed to the encrypt API MUST NOT be logged at the XKS Proxy or the external key manager. This field is REQUIRED.
3. **encryptionAlgorithm** - Specifies the algorithm that will be used for encryption. For the `v1` specification, this MUST be `AES_GCM`. This field is REQUIRED.
4. **additionalAuthenticatedData** (AAD) - AES-GCM is an example of an [AEAD](https://en.wikipedia.org/wiki/Authenticated_encryption) (Authenticated Encryption with Additional Data) cipher for which the encrypt operation produces an authenticationTag in addition to the ciphertext. The authenticationTag can be used to ensure the integrity of the ciphertext and additional data passed as AAD. For a decrypt call to succeed, the same AAD that was used to create the ciphertext must be supplied to the decrypt operation. This field is OPTIONAL. When present, this field MUST be specified as a Base64 encoded string and used as the Additional Authenticated Data ([AAD](https://docs.aws.amazon.com/crypto/latest/userguide/cryptography-concepts.html#term-aad)) input to the AES-GCM operation inside the external key manager. The XKS Proxy MUST be able to handle AAD values up to 8192 bytes in length (the Base64 encoding of 8192 bytes will be 10924 bytes).
5. **ciphertextDataIntegrityValueAlgorithm** (CDIV Algorithm) - Indicates the hashing algorithm to be used in the computation of the Ciphertext Data Integrity Value (CDIV). For the first version (v1) of this specification, this MUST be "SHA_256". This field is OPTIONAL. When present, the XKS Proxy MUST return a ciphertextDataIntegrityValue field in its response as described below.
**Request Payload Syntax:**

```
{
    "requestMetadata": {
        "awsPrincipalArn": string,
        "awsSourceVpc": string,   // optional
        "awsSourceVpce": string,  // optional
        "kmsKeyArn": string,
        "kmsOperation": string,
        "kmsRequestId": string,
        "kmsViaService": string   // optional
    },
    "additionalAuthenticatedData": string (Base64 encoded),  // optional
    "plaintext": string (Base64 encoded),
    "encryptionAlgorithm": string,
    "ciphertextDataIntegrityValueAlgorithm": string          // optional
}
```

**Request Payload Example:**
In this example, the plaintext is the Base64 encoding of “`Hello World!`” and the additionalAuthenticatedData is the Base64 encoding of "`project=nile,department=marketing`".

```
{
    "requestMetadata": {
        "awsPrincipalArn": "arn:aws:iam::123456789012:user/Alice",
        "kmsKeyArn": "arn:aws:kms:us-east-2:123456789012:/key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "kmsOperation": "Encrypt",
        "kmsRequestId": "4112f4d6-db54-4af4-ae30-c55a22a8dfae",
        "kmsViaService": "ebs"
    },
    "additionalAuthenticatedData": "cHJvamVjdD1uaWxlLGRlcGFydG1lbnQ9bWFya2V0aW5n",
    "plaintext": "SGVsbG8gV29ybGQh",
    "encryptionAlgorithm": "AES_GCM",
    "ciphertextDataIntegrityValueAlgorithm": "SHA_256"
}
```

**Response Payload Parameters:**
The ciphertext, initializationVector and authenticationTag fields MUST be present in the response payload. The ciphertextDataIntegrityValue field MUST be included whenever the request includes the ciphertextDataIntegrityValueAlgorithm field.

1. **ciphertext** - Base64 encoded ciphertext generated by the external key manager from the provided plaintext. Since `AES_GCM` is a stream cipher, the length of the ciphertext MUST be the same as the length of the plaintext.
2. **ciphertextMetadata** - The XKS Proxy MAY return up to 20 bytes of ciphertext metadata for internal housekeeping, e.g. an external key manager may implement automatic key rotation and use the extra bytes to encode versioning of the key material. This is an OPTIONAL, vendor-specific field. When present, the size of the field MUST NOT exceed 20 bytes and the value MUST be Base64-encoded (the encoded string will be more than 20 bytes). The XKS Proxy MUST append the `ciphertextMetadata` to the `additionalAuthenticatedData` before normal AES GCM processing to ensure that the integrity protection offered by the `authenticationTag` extends to the `ciphertextMetadata`.

    NOTE: It is important to explicitly include the length of `additionalAuthenticatedData` and the length of the `ciphertextMetadata` to avoid unintended successful decrypts, e.g. when a caller calls encrypt with no `additionalAuthenticatedData`, receives a `ciphertextMetadata` in the response and then calls decrypt passing the `ciphertextMetadata` as `additionalAuthenticatedData` and no `ciphertextMetadata`. The AAD input for the external key manager should be computed as (2-byte length, before Base64 encoding, of `additionalAuthenticatedData` in big-endian format || `additionalAuthenticatedData` || 1-byte length, before Base64 encoding, of `ciphertextMetadata` || `ciphertextMetadata`) where || represents concatenation of the binary values before Base64 encoding. If the `additionalAuthenticatedData` or `ciphertextMetadata` is not present, the corresponding length MUST be set to zero. If the inclusion of the lengths represents a departure from previously implemented behavior, the XKS proxy SHOULD encode the new behavior in the `ciphertextMetadata` and use the encoding to follow the same behavior during decrypt as was used for the corresponding encrypt. Otherwise, previously generated ciphertext will no longer be decryptable. For example, say version A of an XKS proxy concatenated the `ciphertextMetadata` directly to `additionalAuthenticatedData` (without including the lengths) but version B implements the new guidance; then there needs to be a mechanism to distinguish whether a decrypt call should use the old way or the new way to create the AAD for the external key manager. If version B always implements the new behavior then ciphertext created by version A will no longer be decryptable. The `ciphertextMetadata` is the natural place to encode this difference in how the `authenticationTag` was created.
3. **initializationVector** - Base64 encoded initialization vector generated by the external key manager that was used during the encrypt operation. The initialization vector MUST be either 12 bytes (96 bits) or 16 bytes (128 bits). The Base64 encoding will have 16 bytes or 24 bytes.
4. **authenticationTag** - Base64 encoded message authentication code generated by the external key manager performing AES-GCM encryption. The authentication tag size MUST be 16 bytes (128 bits). Some key managers append the authentication tag to the ciphertext. In such cases, the XKS proxy MUST separate the two before composing the response.
5. **ciphertextDataIntegrityValue** - This field is a Base64 encoded hash computed over the `additionalAuthenticatedData` (if present in the request), `ciphertextMetadata` (if present), `initializationVector`, `ciphertext` and `authenticationTag` fields in the response. It MUST be included whenever the request includes the `ciphertextDataIntegrityValueAlgorithm` field. The hashing algorithm used to compute this value MUST be the one specified as the `ciphertextDataIntegrityValueAlgorithm` in the request. KMS will independently calculate the `ciphertextDataIntegrityValue` (CDIV) and return an error to the caller if the computed value does not match the value in the response. KMS interprets a match as assurance from the XKS Proxy that a subsequent decrypt call where the caller passes in the same `additionalAuthenticatedData` (if present in the encrypt request), `initializationVector`, `ciphertext` and `authenticationTag` values will succeed and return the plaintext that was passed as input to this encrypt API. See [Appendix C](#appendix-c-ciphertext-data-integrity-value-cdiv-implementation-guidelines) for a complete example and specific CDIV implementation guidelines.

**Required Attributes:** ALL except **ciphertextMetadata** and **ciphertextDataIntegrityValue**

**Success Response Code:** 200 (for errors, see [Error Codes](#error-codes))

**Response Payload Syntax:**

```
{
    "ciphertext": string (Base64 encoded),
    "ciphertextMetadata": string (Base64 encoded),            // Optional
    "initializationVector": string (Base64 encoded),
    "authenticationTag": string (Base64 encoded),
    "ciphertextDataIntegrityValue": string (Base64 encoded)   // Optional
}
```

**Response Payload Example:**

Refer to [Appendix C](#appendix-c-ciphertext-data-integrity-value-cdiv-implementation-guidelines) for the CDIV computation.

```
{
    "authenticationTag": "vBxN2ncH1oEkR8WVXpmyYQ==",
    "ciphertext": "ghxkK1txeDNn3q8Y",
    "ciphertextDataIntegrityValue": "qHA/ImC9h5HsLRXqCyPmWgYx7tzyoTplzILbP0fPXsc=",
    "ciphertextMetadata": "a2V5X3ZlcnNpb249MQ==",
    "initializationVector": "HMrlRw85cAJUd5Ax"
}
```

**KMS Considerations:**

The XKS Proxy’s encrypt API is invoked if a customer calls any of the following KMS APIs on a KMS key in an external key store: Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncrypt (when the target key id is a KMS key in an external key store).

If the size of the `ciphertextMetadata` exceeds 20 bytes, KMS will reject the response from the XKS Proxy and return an error to the caller of the KMS API.

KMS will embed all of the fields in the XKS Proxy’s encrypt response into the ciphertextBlob it returns to the caller.

If KMS does not receive a response from the XKS proxy for any API call within 250ms, KMS will time out and the corresponding KMS API call will fail.

When a KMS caller requests a data key by calling the GenerateDataKey or GenerateDataKeyWithoutPlaintext API, KMS generates the data key and invokes the XKS Proxy’s encrypt API to wrap that data key. Any corruption of the encrypted data key has the potential to make everything encrypted by that data key unreadable. The CDIV provides additional assurance about the correctness of the encrypted data key to a KMS caller before it saves the encrypted data key and destroys its plaintext version. For this reason, it is important to follow the implementation guidelines described in [Appendix C](#appendix-c-ciphertext-data-integrity-value-cdiv-implementation-guidelines).
### Decrypt

This API is used by KMS to decrypt data using a key which resides within an external key manager.

**HTTP Method:** POST

**URI:** https://\<server\>\[/\<path-prefix\>\]/kms/xks/v1/keys/\<externalKeyId\>/decrypt

**Request Payload Parameters:**
The HTTP body of the request contains requestMetadata along with input parameters for the decrypt operation.

1. **requestMetadata** - Nested structure which contains request metadata.
    1. **awsPrincipalArn** - This is the ARN of the principal that invoked the KMS Decrypt or ReEncrypt API. When the caller is another AWS service, this field will contain either the service principal ending in amazonaws.com, such as [ec2.amazonaws.com](http://ec2.amazonaws.com/) or “AWS Internal”. This field is REQUIRED.
    2. **awsSourceVpc** - This field is OPTIONAL. It is present if and only if the KMS API request was made using a VPC endpoint, and the caller is the same as the KMS key owner. When present, this field indicates the VPC where the request originated (see [aws:SourceVpc](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcevpc)).
    3. **awsSourceVpce** - This field is OPTIONAL. It is present if and only if the KMS API request was made using a VPC endpoint, and the caller is the same as the KMS key owner. When present, this field indicates the VPC endpoint used for the request (see [aws:SourceVpce](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcevpce)).
    4. **kmsKeyArn** - This is the ARN of the KMS Key on which the Decrypt API was invoked. This field is REQUIRED.
    5. **kmsOperation** - This is the KMS API call (either Decrypt or ReEncrypt) that resulted in the XKS Proxy API request. This field is REQUIRED. The XKS Proxy MUST NOT reject a request as invalid if it sees a kmsOperation other than those listed for this API call. In the future, KMS may introduce a new API (BulkDecrypt, say) that can be satisfied by calling one of the XKS APIs listed in this document. For proxies that implement [secondary authorization](#authorization), it is acceptable for XKS API requests made as part of the new KMS API to fail authorization. It is easier for a customer to update their XKS Proxy authorization policy than to update their XKS Proxy software.
    6. **kmsRequestId** - This is the requestId of the call made to KMS which is visible in AWS CloudTrail. The XKS proxy SHOULD log this field to allow a customer to correlate AWS CloudTrail entries with log entries in the XKS Proxy. This field typically follows the format for [UUID](https://en.wikipedia.org/wiki/Universally_unique_identifier)s but the XKS Proxy MUST treat this as an opaque string and MUST NOT perform any validation on its structure. This field is REQUIRED.
    7. **kmsViaService** - This field is OPTIONAL. If present, it indicates the AWS service that called the KMS API on behalf of a customer (see [kms:ViaService](https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-via-service)).
2. **ciphertext** - Base64 encoded ciphertext provided to an external key manager for decryption. At a minimum, the proxy MUST support the ability to process 4300 bytes of ciphertext. Note the Base64 encoded string corresponding to 4300 bytes of binary data will be 5736 bytes long. This field is REQUIRED.
3. **ciphertextMetadata** - Base64 encoded `ciphertextMetadata` that was included with the ciphertext in the output of the encrypt call that produced the ciphertext being decrypted. This is an OPTIONAL, vendor-specific field. When present, the size of the field MUST NOT exceed 20 bytes (before Base64 encoding). The XKS Proxy MUST detect when the `ciphertextMetadata` passed to decrypt has been modified relative to the `ciphertextMetadata` generated during the corresponding encrypt. Appending the `ciphertextMetadata` to the `additionalAuthenticatedData` and using that as the AAD for the external key manager, as described in the Encrypt API, will automatically accomplish this.
4. **encryptionAlgorithm** - Specifies the algorithm that was used for encryption. In the `v1` specification, this will always be `AES_GCM`. This field is REQUIRED.
5. **additionalAuthenticatedData** (AAD) - AES-GCM is an example of an [AEAD](https://en.wikipedia.org/wiki/Authenticated_encryption) (Authenticated Encryption with Additional Data) cipher for which the encrypt operation produces an authenticationTag in addition to the ciphertext. The authenticationTag can be used to ensure the integrity of the ciphertext and additional data passed as AAD. For a decrypt call to succeed, the same AAD that was used to create the ciphertext must be supplied to the decrypt operation. This field is OPTIONAL. When present, this field MUST be specified as a Base64 encoded string and used as the Additional Authenticated Data ([AAD](https://docs.aws.amazon.com/crypto/latest/userguide/cryptography-concepts.html#term-aad)) input to the AES-GCM operation inside the external key manager. The XKS Proxy MUST be able to handle AAD values up to 8192 bytes in length (the Base64 encoding of 8192 bytes will be 10924 bytes).
6. **initializationVector** - Base64 encoded initialization vector generated by the external key manager that was used during the encrypt operation. For a decrypt call to succeed, this must be the same IV that was generated when the ciphertext was created. This field is REQUIRED. For `AES_GCM`, the length of the initializationVector MUST be 12 bytes or 16 bytes (the Base64 encoding will have 16 bytes or 24 bytes).
7. **authenticationTag** - Base64 encoded message authentication code. The authentication tag size MUST be 16 bytes (the Base64 encoding will have 24 bytes). For a decrypt call to succeed, this must be the same tag that was generated by the encrypt call when the ciphertext was created. This field is REQUIRED.

**Request Payload Syntax:**

```
{
    "requestMetadata": {
        "awsPrincipalArn": string,
        "awsSourceVpc": string,   // optional
        "awsSourceVpce": string,  // optional
        "kmsKeyArn": string,
        "kmsOperation": string,
        "kmsRequestId": string,
        "kmsViaService": string   // optional
    },
    "ciphertext": string (Base64 encoded),
    "ciphertextMetadata": string (Base64 encoded),           // optional
    "encryptionAlgorithm": string,
    "additionalAuthenticatedData": string (Base64 encoded),  // optional
    "authenticationTag": string (Base64 encoded),
    "initializationVector": string (Base64 encoded)
}
```

**Request Payload Example:**

```
{
    "requestMetadata": {
        "awsPrincipalArn": "arn:aws:iam::123456789012:user/Alice",
        "kmsKeyArn": "arn:aws:kms:us-east-2:123456789012:/key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "kmsOperation": "Decrypt",
        "kmsRequestId": "5112f4d6-db54-4af4-ae30-c55a22a8dfae",
        "kmsViaService": "ebs"
    },
    "additionalAuthenticatedData": "cHJvamVjdD1uaWxlLGRlcGFydG1lbnQ9bWFya2V0aW5n",
    "encryptionAlgorithm": "AES_GCM",
    "ciphertext": "ghxkK1txeDNn3q8Y",
    "ciphertextMetadata": "a2V5X3ZlcnNpb249MQ==",
    "initializationVector": "HMrlRw85cAJUd5Ax",
    "authenticationTag": "vBxN2ncH1oEkR8WVXpmyYQ=="
}
```

**Response Payload Parameters:**

The following attributes MUST be present in the response payload:

1. **plaintext** - Base64 encoded plaintext generated by an external key manager from decrypting the provided ciphertext. The size of the plaintext MUST be the same as the size of the ciphertext. Plaintext returned by the decrypt API MUST NOT be logged at the XKS Proxy or the external key manager.

**Required Attributes:** ALL

**Success Response Code:** 200 (for errors, see [Error Codes](#error-codes))

**Response Payload Syntax:**

```
{
    "plaintext": string (Base64 encoded)
}
```

**Response Payload Example:**

```
{
    "plaintext": "SGVsbG8gV29ybGQh"
}
```

**KMS Considerations:**

The XKS Proxy’s decrypt API is invoked if a customer calls any of the following KMS APIs on a KMS key in an external key store: Decrypt, ReEncrypt (when the source key id is a KMS key in an external key store).

KMS will parse the ciphertextBlob passed as input to the KMS API to extract the ciphertext, (optional) `ciphertextMetadata`, `initializationVector` and `authenticationTag` and pass them as input to the XKS Proxy’s decrypt call.

If KMS does not receive a response from the XKS proxy for any API call within 250ms, KMS will time out and the corresponding KMS API call will fail.
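The Encrypt section's NOTE on length-framing the AAD, and the Decrypt section's requirement that a modified `ciphertextMetadata` be detected, are two sides of one mechanism, so a single worked example covers both. The Go program below is an added example and not code from the specification or from any XKS proxy; real proxies hand the AES-GCM operation to an HSM and never hold the key bytes, so the in-process `crypto/aes` call and the constructed 32-byte key stand in for the external key manager. It composes the key manager's AAD exactly as the NOTE prescribes (2-byte big-endian AAD length || AAD || 1-byte metadata length || metadata), splits the 16-byte tag off the ciphertext, Base64-encodes the response fields, and on decrypt recomposes the AAD from the request so that a changed or swapped `ciphertextMetadata` fails tag verification. The CDIV is left out because its exact computation lives in Appendix C rather than on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// Limits stated in the Encrypt/Decrypt request parameters.
const (
	maxAADBytes      = 8192
	maxMetadataBytes = 20
	tagBytes         = 16
)

// GcmFields holds the Base64-encoded fields shared by the encrypt response and the
// decrypt request (the CDIV, computed per Appendix C, is omitted here).
type GcmFields struct {
	Ciphertext           string `json:"ciphertext"`
	CiphertextMetadata   string `json:"ciphertextMetadata,omitempty"`
	InitializationVector string `json:"initializationVector"`
	AuthenticationTag    string `json:"authenticationTag"`
}

// ComposeAAD builds the AAD handed to the external key manager as the spec prescribes:
// 2-byte big-endian len(aad) || aad || 1-byte len(metadata) || metadata.
// A missing value contributes a zero length, so (aad="", metadata=M) and
// (aad=M, metadata="") yield different byte strings and cannot be confused.
func ComposeAAD(aad, metadata []byte) ([]byte, error) {
	if len(aad) > maxAADBytes {
		return nil, fmt.Errorf("additionalAuthenticatedData exceeds %d bytes", maxAADBytes)
	}
	if len(metadata) > maxMetadataBytes {
		return nil, fmt.Errorf("ciphertextMetadata exceeds %d bytes", maxMetadataBytes)
	}
	out := make([]byte, 2, 3+len(aad)+len(metadata))
	binary.BigEndian.PutUint16(out, uint16(len(aad)))
	out = append(out, aad...)
	out = append(out, byte(len(metadata)))
	return append(out, metadata...), nil
}

// gcmFor stands in for the external key manager: AES-256 with a 12- or 16-byte IV.
func gcmFor(key, iv []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("external key must be a 256-bit AES key")
	}
	if len(iv) != 12 && len(iv) != 16 {
		return nil, errors.New("initializationVector must be 12 or 16 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithNonceSize(block, len(iv))
}

// Encrypt models the proxy's encrypt handler: fresh 12-byte IV, AES-GCM over the framed
// AAD, tag separated from the ciphertext, every field Base64-encoded for the JSON body.
func Encrypt(key, plaintext, aad, metadata []byte) (GcmFields, error) {
	composed, err := ComposeAAD(aad, metadata)
	if err != nil {
		return GcmFields{}, err
	}
	iv := make([]byte, 12)
	if _, err := rand.Read(iv); err != nil {
		return GcmFields{}, err
	}
	gcm, err := gcmFor(key, iv)
	if err != nil {
		return GcmFields{}, err
	}
	sealed := gcm.Seal(nil, iv, plaintext, composed) // ciphertext || tag
	n := len(sealed) - tagBytes
	enc := base64.StdEncoding.EncodeToString
	return GcmFields{
		Ciphertext:           enc(sealed[:n]),
		CiphertextMetadata:   enc(metadata),
		InitializationVector: enc(iv),
		AuthenticationTag:    enc(sealed[n:]),
	}, nil
}

// Decrypt models the decrypt handler. The AAD is recomposed from the caller's
// additionalAuthenticatedData and the ciphertextMetadata carried in the request, so any
// modification of either, or moving one into the other's position, fails verification.
func Decrypt(key []byte, req GcmFields, aad []byte) ([]byte, error) {
	dec := base64.StdEncoding.DecodeString
	ct, err := dec(req.Ciphertext)
	if err != nil {
		return nil, err
	}
	metadata, err := dec(req.CiphertextMetadata)
	if err != nil {
		return nil, err
	}
	iv, err := dec(req.InitializationVector)
	if err != nil {
		return nil, err
	}
	tag, err := dec(req.AuthenticationTag)
	if err != nil || len(tag) != tagBytes {
		return nil, errors.New("authenticationTag must be 16 bytes")
	}
	composed, err := ComposeAAD(aad, metadata)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(key, iv)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, iv, append(ct, tag...), composed)
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real proxy never sees key bytes
	for i := range key {
		key[i] = byte(i)
	}
	aad := []byte("project=nile,department=marketing")
	resp, err := Encrypt(key, []byte("Hello World!"), aad, []byte("key_version=1"))
	fmt.Printf("encrypt: %+v err=%v\n", resp, err)
	pt, err := Decrypt(key, resp, aad)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	// The confusion case from the NOTE: no AAD at encrypt, then the returned metadata
	// passed as AAD with no metadata at decrypt. The length framing makes it fail.
	resp2, _ := Encrypt(key, []byte("Hello World!"), nil, []byte("key_version=1"))
	swapped := resp2
	swapped.CiphertextMetadata = ""
	_, err = Decrypt(key, swapped, []byte("key_version=1"))
	fmt.Println("swapped metadata/AAD rejected:", err != nil)
}
```

Because `ComposeAAD` is the only place the framing is defined, a proxy that later changes the framing (the version A / version B situation in the NOTE) would dispatch to the old or new composer based on a marker it stores in `ciphertextMetadata`, which is exactly why that field is covered by the tag.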
### GetHealthStatus

This API serves multiple purposes:

* It is used to ensure that the XKS Proxy base URL (https://\<server\>/\<path-prefix\>/kms/xks/v1) and SigV4 credentials required to communicate with the proxy are configured correctly in KMS.
* It is used to ensure that the XKS Proxy is ready to handle other API requests (encrypt/decrypt/getKeyMetadata).
* It is used to gather information for proactively monitoring availability risks and processing KMS customer requests to raise the Transactions Per Second (TPS) limit on their external key manager.

Before returning a successful response (HTTP 200 OK), the XKS Proxy SHOULD verify not only that the external key manager is reachable but also that it is able to perform cryptographic operations, i.e. the health check SHOULD be deep rather than shallow. The health check should be implemented such that a successful check provides strong assurance that an encrypt, decrypt or getKeyMetadata request issued immediately after will succeed (except due to authorization checks). The XKS Proxy SHOULD create test keys in the external key manager and invoke cryptographic operations on them as part of the deep health check.

This API MUST be excluded from [secondary authorization](#authorization) if the XKS Proxy implements such authorization.

**HTTP Method:** POST

**URI:** https://\<server\>\[/\<path-prefix\>\]/kms/xks/v1/health

**Request Payload Parameters:**
The HTTP body of the request only contains the requestMetadata.

1. **requestMetadata** - Nested structure which contains request metadata.
    1. **kmsRequestId** - This is the requestId of the call made by AWS KMS as part of a periodic health check which is visible in AWS CloudTrail. The XKS proxy SHOULD log this field to allow a customer to correlate AWS CloudTrail entries with log entries in the XKS Proxy. This field typically follows the format for [UUID](https://en.wikipedia.org/wiki/Universally_unique_identifier)s but the XKS Proxy MUST treat this as an opaque string and MUST NOT perform any validation on its structure. This field is REQUIRED.
    2. **kmsOperation** - This is the KMS API call that resulted in the XKS Proxy API request. This field is REQUIRED. The kmsOperation is set to `CreateCustomKeyStore`, `ConnectCustomKeyStore` or `UpdateCustomKeyStore` when the GetHealthStatus API is called as part of those KMS APIs. This field is set to KmsHealthCheck when GetHealthStatus is called periodically to get health status for publishing to CloudWatch metrics. The XKS Proxy MUST NOT reject a request as invalid if it sees a kmsOperation other than those listed for this API call.

**NOTE**: AWS KMS does not have a public HealthCheck API. KmsHealthCheck is used only to indicate that the GetHealthStatus XKS API was called by AWS KMS asynchronously from any KMS APIs.

**Request Payload Syntax:**

```
{
    "requestMetadata": {
        "kmsRequestId": string,
        "kmsOperation": string
    }
}
```

**Request Payload Example:**

```
{
    "requestMetadata": {
        "kmsRequestId": "4112f4d6-db54-4af4-ae30-c55a22a8dfae",
        "kmsOperation": "CreateCustomKeyStore"
    }
}
```

**Response Payload Parameters:**

The following attributes MUST be present in the response payload:

1. **xksProxyFleetSize** - Size of the XKS proxy fleet. This MUST be an integer greater than zero.
2. **xksProxyVendor** - Name of the XKS Proxy vendor; this could be different from the name of the external key manager vendor. Both MUST be included even if they are the same.
3. **xksProxyModel** - Model of the XKS Proxy. This SHOULD include the product name and version.
4. **ekmVendor** - Name of the external key manager vendor.
5. **ekmFleetDetails.id** - Unique identifier for the external key manager in the external key manager cluster.
6. **ekmFleetDetails.model** - Model of the external key manager. This SHOULD include the product name, version of the hardware and any other information that would be useful in troubleshooting and estimating TPS capacity.
7. **ekmFleetDetails.healthStatus** - Status of the health check on the external key manager from the XKS proxy. The possible statuses are `ACTIVE`, `DEGRADED` and `UNAVAILABLE`. `ACTIVE` means that the external key manager is healthy, `DEGRADED` means that the external key manager is unhealthy but can still serve traffic and `UNAVAILABLE` means that the external key manager is unable to serve traffic.

The response MUST have at least one and no more than ten entries in ekmFleetDetails.

**Required Parameters:** ALL

**Success Response Code:** 200 (for errors, see [Error Codes](#error-codes))

**Response Payload Syntax:**

```
{
    "xksProxyFleetSize": number,   // integer, greater than zero
    "xksProxyVendor": string,
    "xksProxyModel": string,
    "ekmVendor": string,
    "ekmFleetDetails": [           // array of entries, one per external key manager
        {
            "id": string,
            "model": string,
            "healthStatus": string
        }
        ...
    ]
}
```

**Response Payload Example:**

```
{
    "xksProxyFleetSize": 2,
    "xksProxyVendor": "Acme Corp",
    "xksProxyModel": "Acme XKS Proxy 1.0",
    "ekmVendor": "Thales Group",
    "ekmFleetDetails": [
        {
            "id": "hsm-id-1",
            "model": "Luna 5.0",
            "healthStatus": "DEGRADED"
        },
        {
            "id": "hsm-id-2",
            "model": "Luna 5.1",
            "healthStatus": "ACTIVE"
        }
    ]
}
```

**KMS Considerations:**

KMS invokes GetHealthStatus to validate the XKS Proxy’s endpoint and authentication key when a customer calls the `CreateCustomKeyStore`, `UpdateCustomKeyStore` or `ConnectCustomKeyStore` APIs.

KMS also invokes this API periodically (once every few minutes), asynchronously to any KMS API calls, to gather information that is used to determine the health status of the external key manager, potential availability risks (e.g. if the count of external key managers in the cluster drops to one) and its performance capabilities (e.g. if a KMS operator receives a request to raise the Transactions-per-second (TPS) limit for a specific external key manager). The default TPS limit for external key stores is 1800 but customers can request an increase if they can show their XKS Proxy and backing external key manager cluster are appropriately provisioned.

KMS also monitors the latency and availability of all XKS Proxy API calls and publishes them as CloudWatch metrics that are made available in the KMS console on the details page for an external key store.

If the XKS Proxy invokes an encrypt or decrypt operation in the external key manager as part of this API, it SHOULD do so using a test key in the external key manager rather than a key associated with a KMS key. Otherwise, customers will see periodic cryptographic calls on these keys in the XKS Proxy or external key manager log and they may find it confusing or suspicious to see this activity without corresponding KMS API calls in CloudTrail.

If KMS does not receive a response from the XKS proxy for any API call within 250ms, KMS will time out and the corresponding KMS API call will fail. For some external key managers, performing a deep health check might take longer than 250 ms.
For these situations, the XKS Proxy MAY run these health checks periodically on its own (asynchronously with any XKS API calls from KMS) and return a cached result to KMS. The cached result MUST not be older than one minute. 599 | 600 |
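The following Python is an added example (it is not code from this specification or from any XKS proxy vendor) showing the proxy-side logic the section above asks for: a deep health check that runs an encrypt/decrypt round trip on a dedicated test key, a result cache that a background task refreshes independently of KMS calls and that is refused once older than one minute, and a validator for the response constraints listed above. The in-memory "EKM" operations, the 100 ms DEGRADED threshold and the test key name are constructed for the example; a real proxy would call the vendor's client library instead.

```python
import time

VALID_STATUSES = ("ACTIVE", "DEGRADED", "UNAVAILABLE")
MAX_CACHE_AGE_S = 60.0        # a cached result MUST NOT be older than one minute
DEGRADED_LATENCY_S = 0.100    # assumption for this example: slower round trips are DEGRADED
TEST_KEY_ID = "xks-health-check-test-key"   # constructed: a test key, never one backing a KMS key
PROBE_PLAINTEXT = b"xks-proxy-deep-health-check"


def deep_check(encrypt, decrypt, clock=time.monotonic):
    """Classify one external key manager by an encrypt/decrypt round trip on the test key.

    encrypt(key_id, plaintext) and decrypt(key_id, ciphertext) stand in for the vendor's
    client calls; they are passed in so the classification can be exercised offline.
    """
    started = clock()
    try:
        ciphertext = encrypt(TEST_KEY_ID, PROBE_PLAINTEXT)
        if decrypt(TEST_KEY_ID, ciphertext) != PROBE_PLAINTEXT:
            return "UNAVAILABLE"      # reachable but returning wrong results
    except Exception:
        return "UNAVAILABLE"          # unreachable, or the cryptographic operation failed
    return "DEGRADED" if clock() - started > DEGRADED_LATENCY_S else "ACTIVE"


class HealthCache:
    """Latest deep-check results plus the time they were produced.

    A background task calls refresh() on its own schedule; request handling only reads.
    """

    def __init__(self):
        self.ekm_fleet_details = []
        self.checked_at = None

    def refresh(self, fleet, checked_at):
        """fleet: list of (id, model, encrypt, decrypt) tuples, one per external key manager."""
        self.ekm_fleet_details = [
            {"id": ekm_id, "model": model, "healthStatus": deep_check(enc, dec)}
            for ekm_id, model, enc, dec in fleet
        ]
        self.checked_at = checked_at


def validate_health_response(resp):
    """Return the list of violations of the response constraints above (empty when valid)."""
    problems = []
    size = resp.get("xksProxyFleetSize")
    if not isinstance(size, int) or isinstance(size, bool) or size <= 0:
        problems.append("xksProxyFleetSize must be an integer greater than zero")
    for field in ("xksProxyVendor", "xksProxyModel", "ekmVendor"):
        if not isinstance(resp.get(field), str) or not resp[field]:
            problems.append(f"{field} must be a non-empty string")
    details = resp.get("ekmFleetDetails")
    if not isinstance(details, list) or not 1 <= len(details) <= 10:
        problems.append("ekmFleetDetails must have between one and ten entries")
    else:
        for entry in details:
            if not isinstance(entry.get("id"), str) or not isinstance(entry.get("model"), str):
                problems.append("each ekmFleetDetails entry needs a string id and model")
            if entry.get("healthStatus") not in VALID_STATUSES:
                problems.append(f"unknown healthStatus {entry.get('healthStatus')!r}")
    return problems


def build_health_response(cache, proxy_info, now):
    """Serve GetHealthStatus from the cache, refusing a result older than one minute.

    proxy_info carries the static fields: xksProxyFleetSize, xksProxyVendor, xksProxyModel, ekmVendor.
    """
    if cache.checked_at is None or now - cache.checked_at > MAX_CACHE_AGE_S:
        raise RuntimeError("no deep health-check result newer than one minute")
    resp = dict(proxy_info)
    resp["ekmFleetDetails"] = list(cache.ekm_fleet_details)
    problems = validate_health_response(resp)
    if problems:
        raise ValueError("; ".join(problems))
    return resp


def sample_fleet():
    """Constructed sample: one in-memory 'EKM' that works and one that is unreachable."""
    def xor_op(key_id, data):                 # toy reversible operation standing in for a real EKM call
        return bytes(b ^ 0x5A for b in data)

    def unreachable(key_id, data):
        raise ConnectionError("external key manager not reachable")

    return [("hsm-id-1", "Luna 5.0", xor_op, xor_op),
            ("hsm-id-2", "Luna 5.1", unreachable, unreachable)]


if __name__ == "__main__":
    cache = HealthCache()
    cache.refresh(sample_fleet(), checked_at=time.monotonic())
    info = {"xksProxyFleetSize": 2, "xksProxyVendor": "Acme Corp",
            "xksProxyModel": "Acme XKS Proxy 1.0", "ekmVendor": "Thales Group"}
    print(build_health_response(cache, info, now=time.monotonic()))
```

When the cache is stale the handler should answer with one of the error codes in the next section (for example `DependencyTimeoutException`) rather than a 200 built from old data; a stale 200 would defeat the purpose of the deep check, since KMS reads a success as assurance that the next encrypt or decrypt will work.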
## Error codes

We use standard HTTP error codes but leverage the HTTP body for disambiguation/additional details, e.g. multiple kinds of errors map to HTTP 400. The HTTP body includes a JSON object with `errorName` and an optional `errorMessage`. The table below shows the HTTP error code and Error Name returned by the XKS proxy to signal various error conditions for different APIs. Column 3 indicates the scenario when the corresponding error is returned and column 4 lists the applicable XKS proxy APIs. The `errorMessage`, if included, MUST be less than 512 characters in length and only use printable ASCII characters, i.e. hex values 0x20 (space) through 0x7e (tilde).

| Error Code | Error Name | Error Scenario | XKS proxy APIs |
|------------|-------------------------------|----------------|-----------------------------|
| 400 | ValidationException | The request was rejected because one or more input parameters are invalid. | ALL except GetHealthStatus |
| 400 | InvalidStateException | The request was rejected because the specified external key or key store is disabled, deactivated or blocked. | ALL |
| 400 | InvalidCiphertextException | The request was rejected because the specified ciphertext, initialization vector, additional authenticated data or authentication tag is corrupted, missing, or otherwise invalid. | Decrypt |
| 400 | InvalidKeyUsageException | The request was rejected because the specified key does not support the requested operation. | Decrypt, Encrypt |
| 401 | AuthenticationFailedException | The request was rejected due to an invalid AWS SigV4 signature. | ALL |
| 403 | AccessDeniedException | The request was rejected because the operation is not authorized based on request metadata. | ALL except GetHealthStatus |
| 404 | KeyNotFoundException | The request was rejected because the specified external key is not found. | ALL except GetHealthStatus |
| 404 | InvalidUriPathException | The request was rejected because the specified URI path is not valid. | ALL |
| 429 | ThrottlingException | The request was rejected because the request rate is too high. The proxy may send this either because it is unable to keep up or the caller exceeded its request quota. | ALL |
| 501 | UnsupportedOperationException | The request was rejected because the specified cryptographic operation is not implemented, or because a parameter value exceeded the maximum size that is currently supported by a specific implementation beyond the minimum size required by this API specification. | ALL |
| 503 | DependencyTimeoutException | The XKS proxy timed out while trying to access a dependency layer to fulfill the request. | ALL |
| 500 | InternalException | This is a generic server error. For example, this exception is thrown due to failure of the backing key manager, or failure of a dependency layer. | ALL |

**Example:**
The following example illustrates a failure when a decrypt operation is called on an external key with ciphertext that was created using a different value of the additionalAuthenticatedData (AAD) field. The optional `errorMessage` field allows the proxy to provide additional details on the cause of failure.

**HTTP Error Code:** 400 (Bad Request)

**Response Payload Example**:

```
{
    "errorName": "InvalidCiphertextException", // required
    "errorMessage": "The request was rejected because the specified ciphertext, or additional authenticated data is corrupted, missing, or otherwise invalid." // optional
}
```

**KMS Considerations:**

While the external key store feature introduces new failure scenarios in existing KMS APIs, KMS cannot introduce new exceptions without breaking backward compatibility for other AWS services that call KMS. Instead, KMS will use the exception message string to communicate what went wrong and what to do about it. The following table shows the new KMS exception messages introduced by the External Key Store feature and the situations when those messages are used.

When the XKS proxy returns a JSON-formatted response with `errorName`, KMS will use the `errorName` to determine the exception message as shown. Depending on the KMS API being invoked, the same failure scenario can result in different exceptions but the exception message will be the same. KMS will not include the `errorMessage` returned by the proxy in the error message it returns to a KMS caller. Instead, KMS will log that string in Amazon CloudWatch Logs for the calling account.

If an XKS proxy returns an HTTP error code without a JSON-formatted body or any other type of malformed response, the KMS exception message will be generic and say "AWS KMS cannot interpret the response from the external key store proxy. If you see this error repeatedly, report it to your external key store proxy administrator."

| Failure Scenario | KMS Exception (KMS Operation) | KMS Exception Message |
|------------------|-------------------------------|-----------------------|
| Proxy returns a ValidationException | XksProxyInvalidResponseException (Create/UpdateCustomKeyStore)<br>CustomKeyStoreInvalidStateException (CreateKey)<br>KMSInvalidStateException (Cryptographic operations) | AWS KMS cannot interpret the response from the external key store proxy. If you see this error repeatedly, report it to your external key store proxy administrator. |
| Proxy returns an InvalidStateException | XksKeyInvalidConfigurationException (CreateKey)<br>KMSInvalidStateException (Cryptographic operations) | The external key associated with this KMS key in an external key store is not enabled in the external key manager. Enable the external key in the external key manager and retry the request. |
| Proxy returns an InvalidCiphertextException | KMSInvalidStateException (Decrypt, ReEncrypt) | The external key store proxy rejected the request because the specified ciphertext or encryption context is corrupted, missing, or otherwise invalid. |
| Proxy returns an invalid ciphertext | KMSInvalidStateException (Decrypt, ReEncrypt) | The ciphertext that the external key store proxy submitted for decryption, or the encryption context, is corrupted, missing, or otherwise invalid. |
| Proxy returns an InvalidKeyUsageException | XksKeyInvalidConfigurationException (CreateKey)<br>KMSInvalidStateException (Cryptographic operations) | The external key associated with this KMS key in an external key store does not support the requested operation. Enable the operation on the key in your external key manager, and try the request again. |
| Proxy returns an AuthenticationFailedException | XksProxyIncorrectAuthenticationCredentialException (Create/UpdateCustomKeyStore)<br>CustomKeyStoreInvalidStateException (CreateKey)<br>KMSInvalidStateException (Cryptographic operations) | The external key store proxy rejected the request because it could not authenticate AWS KMS. Verify the XKS proxy authentication credentials for your external key store and update if necessary. |
| Proxy returns an AccessDeniedException | KMSInvalidStateException (CreateKey, Crypto operations) | The external key store proxy denied access to the operation. Verify that the user and the external key are both authorized for this operation, and try the request again. |
| Proxy returns a KeyNotFoundException | XksKeyNotFoundException (CreateKey)<br>KMSInvalidStateException (Cryptographic operations) | The external key associated with this KMS key in an external key store was not found in its external key manager. If the external key ID associated with this KMS key is incorrect, create a new KMS key with the correct external key ID. |
| Proxy returns an InvalidUriPathException | XksProxyInvalidConfigurationException (Create/UpdateCustomKeyStore)<br>CustomKeyStoreInvalidStateException (CreateKey)<br>KMSInvalidStateException (Cryptographic operations) | The external key store proxy rejected the request because of an invalid URI path. Verify the URI path for your external key store and update if necessary. |
| Proxy returns an UnsupportedOperationException | XksKeyInvalidResponseException (CreateKey)<br>KMSInvalidStateException (Cryptographic operations) | The external key store proxy rejected the request because it does not support the requested operation. If you see this error repeatedly, report it to your external key store proxy administrator. |
| Proxy returns a DependencyTimeoutException | XksProxyUriUnreachableException (Create/UpdateCustomKeyStore)<br>CustomKeyStoreInvalidStateException (CreateKey)<br>KMSInvalidStateException (Cryptographic operations) | The external key store proxy did not respond to the request in the time allotted. Retry the request. If you see this error repeatedly, report it to your external key store proxy administrator. |
| Proxy returns a ThrottlingException | XksProxyUriUnreachableException (Create/UpdateCustomKeyStore)<br>CustomKeyStoreInvalidStateException (CreateKey)<br>KMSInvalidStateException (Cryptographic operations) | The external key store proxy rejected the request due to a very high request rate. Reduce the frequency of your calls using KMS keys in this external key store. |
| Proxy returns an InternalException | XksProxyInvalidResponseException (Create/UpdateCustomKeyStore)<br>CustomKeyStoreInvalidStateException (CreateKey)<br>KMSInvalidStateException (Cryptographic operations) | The external key store proxy rejected the request because it cannot communicate with the external key manager. Verify that the external key store proxy configuration is correct and that the external key manager is available. |
| AWS KMS cannot establish a TCP connection | XksProxyUriUnreachableException (Create/UpdateCustomKeyStore)<br>CustomKeyStoreInvalidStateException (CreateKey)<br>KMSInvalidStateException (Cryptographic operations) | AWS KMS cannot communicate with the external key store proxy. This might be a transient network issue. If you see this error repeatedly, verify that your external key store proxy is active and is connected to the network, and that its endpoint URI is correct in your external keystore. |
| AWS KMS cannot establish a TLS connection | XksProxyUriUnreachableException (Create/UpdateCustomKeyStore)<br>CustomKeyStoreInvalidStateException (CreateKey)<br>KMSInvalidStateException (Cryptographic operations) | AWS KMS cannot establish a TLS connection to the external key store proxy. Verify the TLS configuration, including its certificate. |
| AWS KMS encounters a socket timeout | XksProxyUriUnreachableException (Create/UpdateCustomKeyStore)<br>CustomKeyStoreInvalidStateException (CreateKey)<br>KMSInvalidStateException (Cryptographic operations) | AWS KMS rejected the request because the external key store proxy did not respond in time. Retry the request. If you see this error repeatedly, report it to your external key store proxy administrator. |
| Proxy returns a malformed response | XksProxyInvalidResponseException (Create/UpdateCustomKeyStore)<br>CustomKeyStoreInvalidStateException (CreateKey)<br>KMSInvalidStateException (Cryptographic operations) | AWS KMS cannot interpret the response from the external key store proxy. If you see this error repeatedly, report it to your external key store proxy administrator. |
| Custom key store is not in CONNECTED state | CustomKeyStoreInvalidStateException (CreateKey)<br>KMSInvalidStateException (Cryptographic operations) | This KMS key is in a custom key store that is not connected to its external key store proxy. Connect the external key store and try the request again. |

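The Python below is an added example for the Error codes section (it is not part of the specification and not a vendor's implementation). It encodes the error-code table as data, builds an error response only when the `errorName` is one the table allows for the API in question, and enforces the two `errorMessage` rules above: printable ASCII only and fewer than 512 characters. The `is_valid_error_body` check is the kind a conformance test would run against a proxy, since KMS treats any body it cannot interpret as a malformed response. The API names `Encrypt`, `Decrypt`, `GetKeyMetadata` and `GetHealthStatus` are the four APIs this document describes; the sample messages are constructed.

```python
import json

# Every API in this specification; "ALL" in the table means this set.
ALL_APIS = frozenset({"Encrypt", "Decrypt", "GetKeyMetadata", "GetHealthStatus"})
ALL_BUT_HEALTH = ALL_APIS - {"GetHealthStatus"}

# HTTP status and applicable APIs for each errorName, transcribed from the Error codes table.
ERROR_TABLE = {
    "ValidationException":           (400, ALL_BUT_HEALTH),
    "InvalidStateException":         (400, ALL_APIS),
    "InvalidCiphertextException":    (400, frozenset({"Decrypt"})),
    "InvalidKeyUsageException":      (400, frozenset({"Decrypt", "Encrypt"})),
    "AuthenticationFailedException": (401, ALL_APIS),
    "AccessDeniedException":         (403, ALL_BUT_HEALTH),
    "KeyNotFoundException":          (404, ALL_BUT_HEALTH),
    "InvalidUriPathException":       (404, ALL_APIS),
    "ThrottlingException":           (429, ALL_APIS),
    "UnsupportedOperationException": (501, ALL_APIS),
    "DependencyTimeoutException":    (503, ALL_APIS),
    "InternalException":             (500, ALL_APIS),
}
MAX_MESSAGE_LEN = 511  # errorMessage MUST be less than 512 characters


def is_printable_ascii(text):
    """True if every character is in 0x20 (space) .. 0x7e (tilde)."""
    return all(0x20 <= ord(ch) <= 0x7E for ch in text)


def sanitize_error_message(message):
    """Drop anything outside printable ASCII (newlines, control characters, non-ASCII) and cap the length.

    Stripping rather than rejecting matters when the message embeds text from the external
    key manager or from the request, which the proxy does not control.
    """
    return "".join(ch for ch in message if 0x20 <= ord(ch) <= 0x7E)[:MAX_MESSAGE_LEN]


def error_response(error_name, api, message=None):
    """Return (http_status, body_dict) for a proxy error; raise if the table does not allow the pairing."""
    if error_name not in ERROR_TABLE:
        raise ValueError(f"{error_name} is not an errorName defined by this specification")
    status, apis = ERROR_TABLE[error_name]
    if api not in apis:
        raise ValueError(f"{error_name} is not a valid error for {api}")
    body = {"errorName": error_name}
    if message is not None:
        body["errorMessage"] = sanitize_error_message(message)
    return status, body


def is_valid_error_body(raw):
    """Check a serialized error body the way a conformance test would."""
    try:
        body = json.loads(raw)
    except ValueError:
        return False
    if not isinstance(body, dict) or body.get("errorName") not in ERROR_TABLE:
        return False
    message = body.get("errorMessage")
    if message is None:
        return True
    return isinstance(message, str) and len(message) < 512 and is_printable_ascii(message)


if __name__ == "__main__":
    status, body = error_response(
        "InvalidCiphertextException", "Decrypt",
        "The request was rejected because the specified ciphertext, or additional "
        "authenticated data is corrupted, missing, or otherwise invalid.")
    print(status, json.dumps(body))
```

Because KMS never forwards `errorMessage` to its caller but does log it to the customer's CloudWatch Logs, the message is the right place for the detail an administrator needs; the sanitizer keeps that detail from being the reason KMS rejects the whole response.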
## Authentication

Communication between the XKS Proxy Management Fleet and the XKS Proxy MUST be protected by HTTPS. Standard TLS server-side authentication MUST be used to authenticate the XKS Proxy to the XKS Proxy Management Fleet, i.e. the DNS domain name of the XKS Proxy endpoint must match the hostname specified in its server certificate. The proxy's certificate MUST be issued by one of [these public certificate authorities](TrustedCertificateAuthorities) for AWS KMS to successfully authenticate the proxy.

Customers use the KMS `CreateCustomKeyStore` API to create a custom key store of type `EXTERNAL_KEY_STORE`. As part of this API call, customers specify the XKS Proxy API endpoint and credentials. The credentials include an access key id and a secret access key which are used by AWS KMS to [sign](https://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html) all XKS Proxy API requests using [AWS SigV4](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html). The same credentials are also configured by the customer at the XKS Proxy so the proxy can verify the signature independently of AWS authentication and authorization. Anyone who possesses this secret access key can make successful API calls to the XKS Proxy. The XKS Proxy administrator must ensure that this secret is not exposed to unauthorized users. [Appendix A](#appendix-a-using-sigv4-to-sign-xks-proxy-requests) describes SigV4 usage for signing requests from AWS KMS to the XKS Proxy.

An XKS proxy MUST support SigV4-based authentication of XKS API requests. Additionally, an XKS proxy SHOULD support client-side TLS authentication (aka mutual TLS or mTLS). If the XKS proxy supports mTLS, it MUST allow the customer to configure both the subject name and the root certificate authority (CA) for the client certificate. The XKS proxy MUST terminate the TLS handshake if the client presents a certificate containing a different subject name or chained to a different certificate authority. When prompted for TLS client authentication by an XKS proxy, KMS will present a certificate with a subject common name (CN) containing the service principal `cks.kms..amazonaws.com`. For example, in eu-west-1 (Ireland), KMS will present a client certificate with CN=`cks.kms.eu-west-1.amazonaws.com`. This certificate will be chained to one of the certificate authorities associated with [Amazon Trust Services](https://www.amazontrust.com/repository/). Customers that wish to authenticate AWS KMS via mTLS MUST configure their XKS proxy to only accept client-side certs with CN=`cks.kms..amazonaws.com` and chained to one of the Amazon Trust Services CAs. If the shared secret used in SigV4 signing is accidentally exposed to an unauthorized entity, that entity will not be able to make successful XKS API calls if the proxy only allows mTLS connections from AWS KMS.

### SigV4 credentials rotation

In accordance with security best practices, customers will want to periodically change the SigV4 credentials used to sign requests to their XKS proxy and they will prefer to do so without disrupting any workflows using XKS keys. XKS proxies SHOULD support simultaneous usage of at least two sets of SigV4 credentials for each path-prefix (each set consisting of an access key id and a secret access key). XKS proxies SHOULD allow changes to these credentials to take effect without disconnecting or shutting down the XKS proxy. With such a proxy, a customer can rotate the SigV4 credentials using the following sequence of steps:

1. Change the proxy configuration to add a new set of credentials and activate the new credentials. This will cause the proxy to start accepting signatures generated using either the old or the new set of credentials. The signature creator includes the access key id in an HTTP header to identify the secret used to generate the signature. The proxy will be able to use the access key id to verify the signature with the correct secret.
1. Call the AWS KMS `UpdateCustomKeyStore` API passing in the new credentials.
1. After some time, all hosts in AWS KMS will switch over to using the new credentials.
1. Change the proxy configuration to remove the old credentials.

## Authorization

Customers interested in External Key Store support in KMS have asked for greater control not only on the location of the key material but also on access to it. The XKS Proxy MAY use information presented as part of the request (e.g. in the requestMetadata or HTTP Authorization header) to implement another layer of fine-grained authorization controls besides those implemented by AWS policies.

[Open Policy Agent](https://www.openpolicyagent.org/) (OPA) provides a powerful and flexible mechanism for implementing authorization checks based on policies and inputs that are specified in JSON format (see role-based access control and attribute-based access control [examples](https://play.openpolicyagent.org/)). The availability of open-source software and tools for OPA should lower the barrier for implementors to incorporate it in their XKS Proxy.

NOTE: Since we allow creation of KMS keys based on previously created external keys, user Bob can create a KMS key B in his AWS account using the same external key that user Alice used to create a KMS key A in her AWS account. The ciphertext produced by calling the KMS Encrypt API for a symmetric key cryptographically binds an identifier of the backing key (the HBKid) to the ciphertext. As a result, ciphertext created by Alice using key A cannot be decrypted successfully by Bob using key B (even though both keys correspond to the same key material). However, there is no such binding for asymmetric keys. Future support for asymmetric KMS keys in external key stores can open up the possibility of a confused deputy attack: Bob is able to get KMS to decrypt data encrypted for Alice by fooling KMS into creating a key with the same underlying key material as Alice's. To mitigate these types of issues, the XKS Proxy SHOULD support authorization, e.g. it SHOULD be possible for a customer to configure an external key to be usable only by specific AWS callers.

For XKS Proxy requests that fail due to an AccessDenied error, the XKS Proxy SHOULD record sufficient details in the log to help customers identify and fix the underlying issue with the OPA policy.

## Logging

Introducing an external key manager with its own secondary authorization checks can complicate troubleshooting when things don't work as expected. It is therefore important to log enough information on the XKS Proxy and/or the external key managers to help with audit and debugging. In general, request metadata included with each API call SHOULD be logged by the XKS Proxy. The kmsRequestId field is particularly important to allow a customer to correlate AWS CloudTrail entries with log entries in the XKS Proxy.

Sensitive information such as the plaintext passed as input to the encrypt call or returned from the decrypt call MUST NOT be logged and appropriate measures must be used to ensure the integrity of the logs.

The XKS Proxy and/or the external key manager MAY log additional information such as the identifier of the specific key manager that processed a request when multiple key managers serve requests for one XKS Proxy endpoint (e.g. when a key manager cluster is used in a high-availability configuration). For AccessDenied errors resulting from secondary authorization, the XKS Proxy SHOULD also log the specific statement in the policy responsible for the denial. For performance monitoring, the XKS Proxy SHOULD log the processing time for each XKS API request, whether the request was successful and the error if the request was unsuccessful. The XKS proxy MAY choose to log this information to AWS CloudWatch, which provides in-built tools to visualize and analyze metrics. Doing so will simplify troubleshooting because the customer will be able to see metrics recorded both at the XKS proxy and within KMS in the same CloudWatch account.

## Testing

We'll make a test suite available which customers or vendor partners can use to test their XKS Proxy implementation. The code will need to be configured with an XKS Proxy endpoint and a set of external key Ids for previously created keys in the external key manager. The code will then exercise the APIs described in this document running both positive and negative test cases and output a report on the success/failure of these tests.

## Other considerations

### Load balancer health checks
In a production environment, an XKS proxy will likely be placed behind some type of a load balancer for resilience. Load balancers have a mechanism to poll request targets for their health status. If a target is detected as unhealthy, the load balancer will stop forwarding requests to that target until it recovers. This health check mechanism varies across load balancers but often involves a simple HTTP or HTTPS GET request to a configurable URL. A 200 OK response is interpreted as a sign of good health. In addition to the APIs mentioned above, an XKS Proxy MUST also implement the necessary health checks for the load balancers it intends to support.

Exposing the XKS Proxy as a VPC endpoint service in a customer's Amazon VPC requires the proxy to be placed behind an AWS Network Load Balancer (NLB). Refer to the AWS NLB [public documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-health-checks.html) to learn about its health check mechanisms.

### XKS proxy configuration in AWS KMS console
The AWS KMS console accepts a JSON file for specifying the XKS proxy credentials and URI endpoint during the creation or editing of a custom key store. It eliminates the error-prone process of having the user type long random credential strings into the AWS KMS console. An example file is shown below. XKS proxy implementations that incorporate a user interface SHOULD allow appropriately authenticated and authorized users to download this JSON file for use with the AWS KMS console.

**XKS Proxy Configuration File Syntax:**
```
{
    "XksProxyUriPath": string, // for version 1, this ends in "/kms/xks/v1"
    "XksProxyAuthenticationCredential": {
        "AccessKeyId": string, // 20-30 characters, 'A' through 'Z' and '2' through '7' only
        "RawSecretAccessKey": string // 43-64 characters, a-z, A-Z, 0-9, /, +, and =
    }
}
```

**XKS Proxy Configuration File Example:**
```
{
    "XksProxyUriPath": "/keystores/4a0d79d6-1d1b-49fd-9dbe-799cb9c0fb3f/kms/xks/v1",
    "XksProxyAuthenticationCredential": {
        "AccessKeyId": "AKIAI2SFODNN7EXAMPLE",
        "RawSecretAccessKey": "FYtE5EFA5FT0mCc3DrGUe2sti527BitkQ0Zr9MO9fvE"
    }
}
```

### Troubleshooting
Customers preparing their XKS proxy for use with KMS will need the ability to test that the proxy can process XKS API requests correctly and do so within the KMS timeout threshold. [`curl`](https://curl.se/) is a command line tool that can be used to generate HTTP requests. Newer versions of `curl` (starting with `curl` 7.75 released in Feb 2021) support AWS SigV4 signatures. Due to its ubiquity, `curl` is an invaluable debugging tool. While other tools like `ping` and `traceroute` can only help test network connectivity, `curl` with AWS SigV4 can be used to send XKS API requests and instrument those requests.

The sample bash script and its output in [Appendix D](#appendix-d-using-curl-for-xks-api-calls) illustrate how `curl` can be used to make an XKS API call and measure the time spent in different phases of the interaction. Refer to the `curl` [man page](https://man7.org/linux/man-pages/man1/curl.1.html) for details.

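The following Python illustrates the Authorization and Logging sections above together; it is an added example, not code from the specification or from any proxy implementation, and it uses a plain Python policy rather than OPA so it runs offline. The policy shape (ordered statements with `effect`, `externalKeyId`, `principals` and `operations`; explicit Deny wins; no match means deny) is an assumption of this example, as is the `awsPrincipalArn` field, taken here to be present in the requestMetadata of cryptographic requests. The denial log record carries the `kmsRequestId` for CloudTrail correlation and names the statement responsible, and nothing from the request payload. The ARNs, key ids and statement ids are constructed sample values.

```python
import json
import logging

logger = logging.getLogger("xks-proxy.authz")

# Constructed sample policy (shape is an assumption of this example, not a format the spec defines).
SAMPLE_POLICY = [
    {"sid": "AliceAppUsesKeyA", "effect": "Allow", "externalKeyId": "ekm-key-a",
     "principals": ["arn:aws:iam::111122223333:role/AliceApp"],
     "operations": ["Encrypt", "Decrypt", "GetKeyMetadata"]},
    {"sid": "NoDecryptFromBatch", "effect": "Deny", "externalKeyId": "ekm-key-a",
     "principals": ["arn:aws:iam::111122223333:role/AliceBatch"],
     "operations": ["Decrypt"]},
    {"sid": "BatchMayUseKeyA", "effect": "Allow", "externalKeyId": "ekm-key-a",
     "principals": ["arn:aws:iam::111122223333:role/AliceBatch"],
     "operations": ["Encrypt", "Decrypt"]},
]


def _matches(stmt, external_key_id, principal, operation):
    """A statement applies when key, principal and operation all match ('*' is a wildcard)."""
    return (stmt["externalKeyId"] in (external_key_id, "*")
            and (principal in stmt["principals"] or "*" in stmt["principals"])
            and (operation in stmt["operations"] or "*" in stmt["operations"]))


def authorize(policy, external_key_id, request_metadata):
    """Secondary authorization decision for one request.

    Returns {"allowed": bool, "statement": sid-or-None}: the Deny that fired, the first
    Allow that matched, or None for an implicit deny (no statement matched).
    """
    principal = request_metadata.get("awsPrincipalArn")   # assumed field, see lead-in
    operation = request_metadata.get("kmsOperation")
    first_allow = None
    for stmt in policy:
        if not _matches(stmt, external_key_id, principal, operation):
            continue
        if stmt["effect"] == "Deny":
            return {"allowed": False, "statement": stmt["sid"]}
        first_allow = first_allow or stmt["sid"]
    return {"allowed": first_allow is not None, "statement": first_allow}


def denial_log_record(request_metadata, external_key_id, decision):
    """What the proxy logs on AccessDenied: enough to correlate with CloudTrail and locate the policy cause.

    Only request metadata is logged; never plaintext, ciphertext or additional authenticated data.
    """
    return {
        "event": "AccessDenied",
        "kmsRequestId": request_metadata.get("kmsRequestId"),
        "kmsOperation": request_metadata.get("kmsOperation"),
        "awsPrincipalArn": request_metadata.get("awsPrincipalArn"),
        "externalKeyId": external_key_id,
        "denyingStatement": decision["statement"] or "implicit deny (no matching Allow statement)",
    }


def check_request(policy, external_key_id, request_metadata):
    """Run the check and emit one structured log line on denial; returns the decision."""
    decision = authorize(policy, external_key_id, request_metadata)
    if not decision["allowed"]:
        logger.warning(json.dumps(denial_log_record(request_metadata, external_key_id, decision)))
    return decision


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    metadata = {"kmsRequestId": "4112f4d6-db54-4af4-ae30-c55a22a8dfae",  # constructed sample
                "kmsOperation": "Decrypt",
                "awsPrincipalArn": "arn:aws:iam::444455556666:role/BobApp"}
    print(check_request(SAMPLE_POLICY, "ekm-key-a", metadata))
```

GetHealthStatus is deliberately absent from this check, in line with the requirement that it be excluded from secondary authorization; a denied request is answered with 403 `AccessDeniedException` from the error-code table.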
## Appendix A: Using SigV4 to sign XKS proxy requests

AWS SigV4 requires a shared secret (called the _secret access key_) to compute the signature and an _access key id_ which uniquely identifies the secret. Both these values must be configured into KMS as part of the `CreateCustomKeyStore` API call. The choice of access key id and secret access key MUST meet the following guidelines:

* Each secret access key should be a hard-to-guess UTF-8 string with at least 256 bits of entropy. One way to generate a good secret access key is to Base64 encode a 256-bit random value, e.g. using `openssl rand 32 | base64`. KMS will accept any combination of characters A through Z, a through z, 0 through 9, plus (+), slash (/) and equals (=).
* The access key id is a random string of length no less than 20 characters and no more than 30 characters. The only characters allowed are uppercase 'A' through 'Z' and the digits '2' through '7'.
* An access key id must uniquely identify a secret access key, i.e. when an XKS Proxy receives an access key id in the Authorization header of an HTTP request, it MUST be able to identify the secret access key to be used for signature verification without any ambiguity.
* The access key id MUST NOT reveal any information about the secret access key.
* The secret access key and access key id configured at an XKS proxy are unrelated to credentials associated with any AWS IAM principal.

SigV4 uses the same key for verification as the one used for creating the signature. As part of signature verification, the XKS Proxy will recreate the signature using the authentication key in the same manner as the XKS Proxy Management Fleet and confirm that the computed signature matches the signature in the request. The overall steps to compute a SigV4 signature are described in the [AWS General Reference](https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html) which also includes [sample code](https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html). The rest of this Appendix provides additional details on the verification process.

Each API request from the XKS Proxy Management Fleet to the XKS Proxy will include an HTTP Authorization header containing the SigV4 signature. The general format of this header is shown below but the actual value of the access key id, date, Region and signature will vary for each request.

General format:
NOTE: Line breaks have been added for readability but the entire header is sent as a single line. Note that only a space separates "AWS4-HMAC-SHA256" and "Credential" (there is no comma).

```
Authorization: AWS4-HMAC-SHA256
Credential=///kms-xks-proxy/
aws4_request, SignedHeaders=host;x-amz-date, Signature=
```

Example:
NOTE: Line breaks have been added for readability but the entire header is sent as a single line.

```
Authorization: AWS4-HMAC-SHA256
Credential=MUBSXM6K3KMXHN6RRCXI7TWQH4NU76HYFKRSESPMTSTIBADXQQXQ/20211009/us-west-2/
kms-xks-proxy/aws4_request,
SignedHeaders=host;x-amz-date,
Signature=1164eaa8e79eacaa9c0df54aa42f3b300380d14bedfc08e3b319648d4abfff66
```

The date immediately following the access key id indicates the date the request was sent in YYYYMMDD format using the UTC timezone. The next field is the AWS Region (such as us-east-1 or eu-west-1). This is typically the Region in which an AWS SigV4 request is received but, for this specification, it indicates the Region from which KMS called the XKS Proxy. The service indicator is the name of the service receiving the request and we use `kms-xks-proxy` for this specification. The "[StringToSign](https://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html)" over which the SigV4 signature is computed includes a "HashedCanonicalRequest", and the CanonicalRequest includes a set of HTTP headers from the request. All XKS Proxy requests initiated by the XKS Proxy Management Fleet will include the Host and X-Amz-Date headers in the signature. This is indicated by setting the SignedHeaders to host;x-amz-date when using HTTP/1.1.

### Task 1: Create a canonical request

The XKS Proxy will follow the steps outlined [here](https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html) to create a canonical request. The HTTPRequestMethod will be POST for all requests from KMS. The CanonicalURI will be the API URI starting with `//kms/xks/v1`, e.g. the CanonicalURI for an encrypt API will look like `//kms/xks/v1/keys//encrypt` (more in the section on the Encrypt API below). The CanonicalQueryString for the XKS Proxy API calls will be "" because the APIs described in this specification do not use query parameters. The CanonicalHeaders will include the headers from the SignedHeaders element of the Authorization header. At the very least, this will include the Host header for HTTP/1.1 (or the Authority header for HTTP/2.0) containing the `:` from the XKS Proxy endpoint and the X-Amz-Date header containing the UTC timestamp (formatted as YYYYMMDD'T'HHMMSS'Z') of the request. A hex encoding of the SHA-256 hash of the request payload (which includes the requestMetadata and any additional API input) forms the final part of the CanonicalRequest.

### Task 2: Create a string to sign

The next step outlined [here](https://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html) composes the StringToSign. The Algorithm is always `AWS4-HMAC-SHA256`, the RequestDateTime is taken from the X-Amz-Date header, the CredentialScope is taken from the Credential element in the Authorization header and a SHA-256 hash of the CanonicalRequest from Task 1 (encoded as a lower-case hex string) is the HashedCanonicalRequest.

### Task 3: Calculate the signature

Use the access key id from the Authorization header to look up the .
794 | 795 | ### Task 1: Create a canonical request 796 | 797 | The XKS Proxy will follow the steps outlined [here](https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html) to create a canonical request. The HTTPRequestMethod will be POST for all requests from KMS. The CanonicalURI will be the API URI starting with `[/<path-prefix>]/kms/xks/v1`, e.g. the CanonicalURI for an Encrypt API call will look like 798 | `[/<path-prefix>]/kms/xks/v1/keys/<externalKeyId>/encrypt` (see the section on the Encrypt API). The CanonicalQueryString for the XKS Proxy API calls will be the empty string “” because the APIs described in this specification do not use query parameters. The CanonicalHeaders will include the headers from the SignedHeaders element of the Authorization header. At the very least, this will include the Host header for HTTP/1.1 (or the `:authority` pseudo-header for HTTP/2.0) containing the `<host>:<port>` from the XKS Proxy endpoint and the X-Amz-Date header containing the UTC timestamp (formatted as YYYYMMDD’T’HHMMSS’Z’) of the request. A lower-case hex encoding of the SHA-256 hash of the request payload (which includes the requestMetadata and any additional API input) forms the final part of the CanonicalRequest. 799 | 800 | ### Task 2: Create a string to sign 801 | 802 | The next step outlined [here](https://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html) composes the StringToSign. The Algorithm is always `AWS4-HMAC-SHA256`, the RequestDateTime is taken from the X-Amz-Date header, the CredentialScope is taken from the Credential element in the Authorization header and a SHA-256 hash of the CanonicalRequest from Task 1 (encoded as a lower-case hex string) is the HashedCanonicalRequest. 803 | 804 | ### Task 3: Calculate the signature 805 | 806 | Use the access key id from the Authorization header to look up the secret access key. 
Derive the signing key using the Date, Region and service fields from the Credential element in the Authorization header (the service is `kms-xks-proxy`) and compute the signature as described [here](https://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html). 807 | 808 | ### Task 4: Match the signature 809 | 810 | Verify that the signature computed at the end of Task 3 is the same as the one included in the Authorization header (use a constant-time comparison). A match indicates successful signature verification. 811 | 812 | Besides signature verification, the XKS Proxy MUST also ensure that the timestamp on the request is “recent” (while accommodating for network latency and potential clock drift between the XKS Proxy Management Fleet and the XKS Proxy) to protect against replay attacks. Any request with a timestamp more than 5 minutes in the past (or in the future, due to clock drift) SHOULD fail authentication. 813 | 814 |
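The four tasks above, together with the 5-minute freshness check, as an added example in Python (standard library only; this is not code from the specification or from any XKS proxy vendor). `sign_request` plays the role of the XKS Proxy Management Fleet and `verify_request` the role of the proxy, so the two can be checked against each other offline. The credential table, host, path and timestamps are constructed for illustration; the access key id and secret are the placeholder pair used by the curl script in Appendix D.

```python
# Added example, not from the specification: SigV4 signing (client side) and
# verification (XKS proxy side), following Tasks 1-4 of Appendix A plus the
# 5-minute freshness check. Standard library only. The credential table is
# constructed; the id/secret pair is the placeholder one from Appendix D.
import datetime as dt
import hashlib
import hmac
import re
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
SERVICE = "kms-xks-proxy"           # fixed service name in the credential scope
MAX_SKEW = dt.timedelta(minutes=5)  # requests outside this window SHOULD fail

ACCESS_KEY_ID = "HGIE2BUAFNDMBCMSQVWLGCEXAMPLE"
SECRET_ACCESS_KEY = "VU6W2byoiBrhDqNGbx703oL0syCAmhlQgwNUT123456"
CREDENTIALS = {ACCESS_KEY_ID: SECRET_ACCESS_KEY}  # id -> secret (proxy config)

AUTH_RE = re.compile(
    r"^AWS4-HMAC-SHA256 Credential=([^/]+)/(\d{8})/([^/]+)/([^/]+)/aws4_request,"
    r"\s*SignedHeaders=([^,]+),\s*Signature=([0-9a-f]{64})$")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_amz_date(value: str) -> dt.datetime:
    """X-Amz-Date is YYYYMMDD'T'HHMMSS'Z' (UTC); raises ValueError if malformed."""
    return dt.datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def canonical_request(method, path, headers, signed, body: bytes) -> str:
    # Task 1: method, URI, empty query string, canonical headers (lower-case
    # names, trimmed values), signed header list, hex SHA-256 of the payload.
    # Under HTTP/2 the :authority pseudo-header stands in for host.
    canonical_headers = "".join(
        f"{h}:{' '.join(headers[h].strip().split())}\n" for h in signed)
    return "\n".join([method, quote(path, safe="/"), "", canonical_headers,
                      ";".join(signed), sha256_hex(body)])

def string_to_sign(amz_date: str, scope: str, canonical: str) -> str:
    # Task 2.
    return "\n".join([ALGORITHM, amz_date, scope, sha256_hex(canonical.encode())])

def signing_key(secret: str, date: str, region: str) -> bytes:
    # Task 3: kSecret -> kDate -> kRegion -> kService -> kSigning.
    key = ("AWS4" + secret).encode()
    for part in (date, region, SERVICE, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key

def signature(secret, region, method, path, headers, signed, body, amz_date) -> str:
    date = amz_date[:8]
    scope = f"{date}/{region}/{SERVICE}/aws4_request"
    sts = string_to_sign(amz_date, scope,
                         canonical_request(method, path, headers, signed, body))
    return hmac.new(signing_key(secret, date, region), sts.encode(),
                    hashlib.sha256).hexdigest()

def sign_request(access_key_id, secret, region, method, path, host, body, amz_date):
    """What the XKS Proxy Management Fleet does: returns the request headers."""
    headers = {"host": host, "x-amz-date": amz_date}
    signed = ["host", "x-amz-date"]
    sig = signature(secret, region, method, path, headers, signed, body, amz_date)
    scope = f"{amz_date[:8]}/{region}/{SERVICE}/aws4_request"
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key_id}/{scope}, "
                                f"SignedHeaders={';'.join(signed)}, Signature={sig}")
    return headers

def verify_request(method, path, headers, body, credentials=CREDENTIALS, now=None):
    """What the XKS proxy does: returns (accepted, reason). Task 4 + replay window."""
    headers = {k.lower(): v for k, v in headers.items()}
    m = AUTH_RE.match(headers.get("authorization", ""))
    if not m:
        return False, "malformed Authorization header"
    akid, date, region, service, signed_hdrs, given = m.groups()
    if service != SERVICE:
        return False, "unexpected service in credential scope"
    secret = credentials.get(akid)  # unambiguous lookup by access key id
    if secret is None:
        return False, "unknown access key id"
    signed = signed_hdrs.split(";")
    if not {"host", "x-amz-date"} <= set(signed) or any(h not in headers for h in signed):
        return False, "host and x-amz-date must be present and signed"
    amz_date = headers["x-amz-date"]
    try:
        sent = parse_amz_date(amz_date)
    except ValueError:
        return False, "bad X-Amz-Date"
    if amz_date[:8] != date:
        return False, "credential scope date does not match X-Amz-Date"
    now = now or dt.datetime.now(dt.timezone.utc)
    if abs(now - sent) > MAX_SKEW:
        return False, "timestamp outside the 5 minute replay window"
    expected = signature(secret, region, method, path, headers, signed, body, amz_date)
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        return False, "signature mismatch"
    return True, "ok"
```

The secret lookup happens before any cryptography, so an unknown access key id is rejected cheaply and without revealing which ids exist. Everything the proxy relies on (host, timestamp and the body hash) is covered by the signature, so a captured request cannot be re-dated or redirected to another path; the freshness check then bounds the window in which an exact replay would still be accepted.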
815 | 816 | ## Appendix B: RequestMetadata fields 817 | 818 | The sections on individual XKS proxy APIs define which fields are included as part of the `requestMetadata`. Over time, AWS KMS may choose to include additional fields such as [`SourceIdentity`](https://aws.amazon.com/blogs/security/how-to-relate-iam-role-activity-to-corporate-identity/), `kmsRecipientAttestationImageSha384`, `kmsRecipientAttestationPCR` (as described in [AWS KMS condition keys for AWS Nitro Enclaves](https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-nitro-enclaves)) and tags associated with the AWS principal and KMS key. 819 | 820 | Secondary authorization is an optional feature for XKS proxies. XKS proxy vendors have the flexibility to define the policy language used to express access control rules and the `requestMetadata` fields that can be used in access control policies. 821 | 822 | 823 |
824 | 825 | ## Appendix C: Ciphertext Data Integrity Value (CDIV) implementation guidelines 826 | 827 | When an Encrypt request specifies a `ciphertextDataIntegrityAlgorithm`, the corresponding response MUST include a `ciphertextDataIntegrityValue`. This section describes how this value is computed. Here, the `additionalAuthenticatedData` field is from the input of the XKS proxy Encrypt API call and the other fields are from the output of the Encrypt API call. The `ciphertextDataIntegrityValue` is the Base64 encoded SHA-256 hash computed over the (Base64 decoded) 828 | 829 | ``` 830 | additionalAuthenticatedData || ciphertextMetadata || initializationVector || ciphertext || authenticationTag 831 | ``` 832 | Here "`||`" represents concatenation. The empty string "" is the identity value for concatenation, so `(A || "") = ("" || A) = A`. 833 | 834 | The `additionalAuthenticatedData` in the request and the `ciphertextMetadata` in the response are optional. If a field is not present, use the empty string "" for it in the hash computation. For example, if the request includes `additionalAuthenticatedData` but the response does not include `ciphertextMetadata`, the hash is computed over the decoded 835 | ``` 836 | additionalAuthenticatedData || "" || initializationVector || ciphertext || authenticationTag 837 | ``` 838 | which is equivalent to 839 | ``` 840 | additionalAuthenticatedData || initializationVector || ciphertext || authenticationTag 841 | ``` 842 | 843 | The CDIV shown in the Encrypt response example is computed as follows. The Encrypt request includes 33 bytes of AAD, and the response has 13 bytes of ciphertext metadata, a 12-byte initialization vector, 12 bytes of ciphertext (the same size as the plaintext, because AES-GCM encrypts in counter mode and adds no padding) and a 16-byte authentication tag. 
If we concatenate the `additionalAuthenticatedData`, `ciphertextMetadata`, `initializationVector`, `ciphertext` and the `authenticationTag` 844 | (in that order), we get an array of (33 + 13 + 12 + 12 + 16) = 86 bytes. The contents of that array (in hex) are: 845 | 846 | ``` 847 | 70 72 6f 6a 65 63 74 3d 6e 69 6c 65 2c 64 65 70 // 33 bytes of AAD 848 | 61 72 74 6d 65 6e 74 3d 6d 61 72 6b 65 74 69 6e 849 | 67 850 | 6b 65 79 5f 76 65 72 73 69 6f 6e 3d 31 // 13 bytes of ciphertextMetadata 851 | 1c ca e5 47 0f 39 70 02 54 77 90 31 // 12 bytes of initialization vector 852 | 82 1c 64 2b 5b 71 78 33 67 de af 18 // 12 bytes of ciphertext 853 | bc 1c 4d da 77 07 d6 81 24 47 c5 95 5e 99 b2 61 // 16 bytes of authentication tag 854 | ``` 855 | 856 | The SHA-256 hash of these 86 bytes is ```a8703f2260bd8791ec2d15ea0b23e65a0631eedcf2a13a65cc82db3f47cf5ec7``` (hex) which corresponds to ```"qHA/ImC9h5HsLRXqCyPmWgYx7tzyoTplzILbP0fPXsc="``` (Base64). 857 | 858 | NOTE: The CDIV is meant to protect against non-malicious bit flips, so the computation does not incorporate the lengths of the individual fields in the overall concatenation. 859 | 860 | The recommended sequence of steps for the XKS Proxy to respond to a CDIV request is: 861 | 862 | 1. Make an encrypt request to the key manager and get the encrypt API output. 863 | 2. Compute the CDIV as described above. 864 | 3. Perform an XKS API decrypt call using the `additionalAuthenticatedData` (if any, from the encrypt request), the `ciphertextMetadata` (if present in the encrypt output), the `initializationVector`, the `ciphertext` and the `authenticationTag` fields from the encrypt output. 865 | 4. If the decryption is successful, return the encrypt API output from Step 1 along with the CDIV from Step 2. If the 866 | decryption fails, return an error or retry from Step 1. 867 | 868 | The ordering of the CDIV computation shown above is important. 
If CDIV computation is delayed until after the encryption output is used as input for the XKS decrypt API, any data corruption such as bit flips that occurs between the time the decryption is initiated and the time the CDIV is computed will go undetected. The generated CDIV will still be consistent with the (now corrupted) fields in the encrypt output, but future attempts to decrypt the ciphertext will fail. 869 | 870 | 871 | The following failure scenario highlights the importance of computing the CDIV before the decrypt: 872 | 873 | 1. The XKS proxy makes an encrypt request to the key manager and gets the encryption output. 874 | 2. The XKS proxy uses the encryption output and the `additionalAuthenticatedData` to perform a decrypt API call. 875 | 3. The encrypt API output held inside the XKS Proxy is corrupted. 876 | 4. The decrypt API request from Step 2 succeeds. 877 | 5. The XKS Proxy computes the CDIV over the (now corrupted) encrypt API output. 878 | 6. The XKS Proxy returns an encrypt API output which is consistent with the CDIV, but any attempt to decrypt the 879 | encrypt API output will fail with InvalidCiphertextException. 880 | 881 |
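The CDIV computation and the recommended encrypt, then CDIV, then test-decrypt ordering, as an added Python example (standard library only; not code from the specification or from any vendor). The byte values are the ones from the walk-through above, placed into constructed JSON-style dictionaries using the Base64 field encoding the API uses, so `cdiv_for_response` can be run on them and its result compared with the value quoted above. `encrypt_with_cdiv` takes the key manager's encrypt and the proxy's test-decrypt operations as callables, which are assumed here rather than implemented.

```python
# Added example, not from the specification: Ciphertext Data Integrity Value
# (CDIV) computation/verification for the XKS Encrypt API and the recommended
# encrypt -> CDIV -> test-decrypt sequence from Appendix C. Standard library
# only. Field values are the Appendix C ones; the JSON shapes are constructed.
import base64
import hashlib
import hmac

def cdiv_input(aad, ciphertext_metadata, iv, ciphertext, tag) -> bytes:
    """aad || ciphertextMetadata || iv || ciphertext || tag over raw (decoded)
    bytes. Absent optional fields contribute the empty string; no length
    prefixes are mixed in because the CDIV targets accidental corruption."""
    return (aad or b"") + (ciphertext_metadata or b"") + iv + ciphertext + tag

def compute_cdiv(aad, ciphertext_metadata, iv, ciphertext, tag) -> str:
    digest = hashlib.sha256(cdiv_input(aad, ciphertext_metadata, iv, ciphertext, tag)).digest()
    return base64.b64encode(digest).decode("ascii")  # standard, not URL-safe, Base64

def b64decode_opt(value):
    """Decode a Base64 API field, mapping an absent field to None."""
    return None if value is None else base64.b64decode(value, validate=True)

def cdiv_for_response(request: dict, response: dict) -> str:
    """CDIV from the Base64 fields as they appear in the JSON request
    (additionalAuthenticatedData) and Encrypt response (all other fields)."""
    return compute_cdiv(b64decode_opt(request.get("additionalAuthenticatedData")),
                        b64decode_opt(response.get("ciphertextMetadata")),
                        b64decode_opt(response["initializationVector"]),
                        b64decode_opt(response["ciphertext"]),
                        b64decode_opt(response["authenticationTag"]))

def cdiv_matches(request: dict, response: dict) -> bool:
    """Receiver-side check: recompute and compare in constant time."""
    return hmac.compare_digest(cdiv_for_response(request, response),
                               response.get("ciphertextDataIntegrityValue", ""))

def encrypt_with_cdiv(encrypt, decrypt, request: dict, max_attempts: int = 2) -> dict:
    """Recommended proxy sequence. `encrypt(request)` is assumed to return the
    key manager's Encrypt output dict; `decrypt(request, output)` is assumed to
    return True when the output round-trips. The CDIV is taken BEFORE the test
    decrypt, so any corruption of the in-memory output after that point makes
    the test decrypt fail instead of producing a CDIV over corrupted fields."""
    for _ in range(max_attempts):
        output = encrypt(request)                   # step 1
        cdiv = cdiv_for_response(request, output)   # step 2
        if decrypt(request, output):                # step 3
            return {**output, "ciphertextDataIntegrityValue": cdiv}  # step 4
    raise RuntimeError("encrypt output failed the test decrypt; not returning it")

# Appendix C walk-through values in their (constructed) wire form.
EXAMPLE_REQUEST = {
    "additionalAuthenticatedData":
        base64.b64encode(b"project=nile,department=marketing").decode(),
}
EXAMPLE_OUTPUT = {
    "ciphertextMetadata": base64.b64encode(b"key_version=1").decode(),
    "initializationVector":
        base64.b64encode(bytes.fromhex("1ccae5470f39700254779031")).decode(),
    "ciphertext":
        base64.b64encode(bytes.fromhex("821c642b5b71783367deaf18")).decode(),
    "authenticationTag":
        base64.b64encode(bytes.fromhex("bc1c4dda7707d6812447c5955e99b261")).decode(),
}

if __name__ == "__main__":
    print(cdiv_for_response(EXAMPLE_REQUEST, EXAMPLE_OUTPUT))
```

Because the receiver recomputes the CDIV from the same request and response fields, a proxy that omits `ciphertextMetadata` on one response and includes it on another still produces verifiable values; only the concatenation order and the absent-means-empty rule have to match on both sides.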
882 | 883 | ## Appendix D: Using curl for XKS API calls 884 | 885 | A sample bash script illustrating the use of curl (version 7.75 or later, which introduced the `--aws-sigv4` option) to send Encrypt and GetHealthStatus XKS API requests. Note that a secret passed via `--user` on the command line is visible to other local users in the process list; for anything other than a one-off test, put the `user` setting in a curl config file read with `-K` instead. 886 | 887 | ``` 888 | #!/bin/bash 889 | 890 | # XKS proxy parameters 891 | XKS_PROXY_URI_ENDPOINT=https://xks.example.com 892 | XKS_PROXY_URI_PATH=/path/kms/xks/v1 893 | ACCESS_KEY_ID=HGIE2BUAFNDMBCMSQVWLGCEXAMPLE 894 | SECRET_ACCESS_KEY=VU6W2byoiBrhDqNGbx703oL0syCAmhlQgwNUT123456 895 | XKS_KEY_ID=b42c7fbf-de61-441c-ae24-123456789012 896 | 897 | 898 | 899 | # See the -w option in curl 900 | cat > curl_metrics.txt << EOF 901 | http_version: %{http_version}\n 902 | url: %{url}\n 903 | request_body_size: %{size_upload}\n 904 | response_header_size: %{size_header}\n 905 | response_body_size: %{size_download}\n 906 | response_code: %{response_code}\n 907 | tls_verification(0=true): %{ssl_verify_result}\n 908 | start_to_dns_lookup: %{time_namelookup}s\n 909 | start_to_tcp_connect: %{time_connect}s\n 910 | start_to_tls_handshake: %{time_appconnect}s\n 911 | start_to_end: %{time_total}s\n 912 | EOF 913 | 914 | 915 | # Sending an Encrypt XKS API request using curl 916 | XKS_ENCRYPT_URI=${XKS_PROXY_URI_ENDPOINT}${XKS_PROXY_URI_PATH}/keys/${XKS_KEY_ID}/encrypt 917 | 918 | cat > xks_encrypt_request.json << EOF 919 | { 920 | "requestMetadata": { 921 | "awsPrincipalArn": "arn:aws:iam::123456789012:user/Alice", 922 | "kmsKeyArn": "arn:aws:kms:us-east-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", 923 | "kmsOperation": "GenerateDataKey", 924 | "kmsRequestId": "4112f4d6-db54-4af4-ae30-c55a22a8dfae" 925 | }, 926 | "plaintext": "SGVsbG8gV29ybGQh", 927 | "encryptionAlgorithm": "AES_GCM" 928 | } 929 | EOF 930 | 931 | # Send Encrypt API request, view response and timing data 932 | echo "Making Encrypt XKS API call ..." 
933 | curl --aws-sigv4 "aws:amz:us-east-1:kms-xks-proxy" \ 934 | --user ${ACCESS_KEY_ID}:${SECRET_ACCESS_KEY} \ 935 | -X POST -H "Content-Type:application/json" \ 936 | --data @xks_encrypt_request.json ${XKS_ENCRYPT_URI} 937 | 938 | echo 939 | echo 940 | echo "Collecting Encrypt metrics ..." 941 | curl --aws-sigv4 "aws:amz:us-east-1:kms-xks-proxy" \ 942 | --user ${ACCESS_KEY_ID}:${SECRET_ACCESS_KEY} \ 943 | -X POST -H "Content-Type:application/json" \ 944 | --data @xks_encrypt_request.json \ 945 | -w "@curl_metrics.txt" -o encrypt.out -s \ 946 | ${XKS_ENCRYPT_URI} 947 | 948 | 949 | 950 | # Sending a GetHealthStatus XKS API request using curl 951 | XKS_GET_HEALTH_STATUS_URI=${XKS_PROXY_URI_ENDPOINT}${XKS_PROXY_URI_PATH}/health 952 | 953 | cat > xks_get_health_status_request.json << EOF 954 | { 955 | "requestMetadata": { 956 | "kmsOperation": "KmsHealthCheck", 957 | "kmsRequestId": "1124f4d6-db54-4af4-ae30-c55a22a8abcd" 958 | } 959 | } 960 | EOF 961 | 962 | # Send GetHealthStatus API request, view response and timing data 963 | echo "Making GetHealthStatus XKS API call ..." 964 | curl --aws-sigv4 "aws:amz:us-east-1:kms-xks-proxy" \ 965 | --user ${ACCESS_KEY_ID}:${SECRET_ACCESS_KEY} \ 966 | -X POST -H "Content-Type:application/json" \ 967 | --data @xks_get_health_status_request.json ${XKS_GET_HEALTH_STATUS_URI} 968 | 969 | echo 970 | echo 971 | echo "Collecting GetHealthStatus metrics ..." 972 | curl --aws-sigv4 "aws:amz:us-east-1:kms-xks-proxy" \ 973 | --user ${ACCESS_KEY_ID}:${SECRET_ACCESS_KEY} \ 974 | -X POST -H "Content-Type:application/json" \ 975 | --data @xks_get_health_status_request.json \ 976 | -w "@curl_metrics.txt" -o health.out -s \ 977 | ${XKS_GET_HEALTH_STATUS_URI} 978 | 979 | ``` 980 | 981 | Sample output from the script (some of the lines have been wrapped for readability): 982 | 983 | ``` 984 | $ ./curl_test.sh 985 | Making Encrypt XKS API call ... 
986 | {"ciphertext":"yhvo7e8vvg3UoCLP","initializationVector":"BejmaUXJA08WzxJZ", 987 | "authenticationTag":"2wsU/8i0OvB7JJkDJeiWSQ=="} 988 | 989 | Collecting Encrypt metrics ... 990 | http_version: 2 991 | url: https://xks.example.com/path/kms/xks/v1/keys/ 992 | b42c7fbf-de61-441c-ae24-123456789012/encrypt 993 | request_body_size: 341 994 | response_header_size: 951 995 | response_body_size: 122 996 | response_code: 200 997 | tls_verification(0=true): 0 998 | start_to_dns_lookup: 0.007401s 999 | start_to_tcp_connect: 0.044307s 1000 | start_to_tls_handshake: 0.222367s 1001 | start_to_end: 0.304476s 1002 | Making GetHealthStatus XKS API call ... 1003 | {"xksProxyFleetSize":1,"xksProxyVendor":"Acme","xksProxyModel":"Acme AWS XKS Proxy 1.0","ekmVendor":"Acme","ekmFleetDetails":[{"id":"Id-1","model":"Acme HSM 1.0","healthStatus":"ACTIVE"}]} 1004 | 1005 | Collecting GetHealthStatus metrics ... 1006 | http_version: 2 1007 | url: https://xks.example.com/path/kms/xks/v1/health 1008 | request_body_size: 117 1009 | response_header_size: 951 1010 | response_body_size: 218 1011 | response_code: 200 1012 | tls_verification(0=true): 0 1013 | start_to_dns_lookup: 0.007785s 1014 | start_to_tcp_connect: 0.045904s 1015 | start_to_tls_handshake: 0.236103s 1016 | start_to_end: 0.310214s 1017 | 1018 | 1019 | ``` 1020 | 1021 |
1022 | 1023 | ## Appendix E: Change log 1024 | 1025 | * Version 0.0.1: Based on Aviral’s internal doc. Mainly added use of RFC 2119 terminology and best practices guidance using SHOULDs, e.g. on separating keys using domains within the external key managers, marking them non-exportable etc 1026 | * Version 0.0.2: Incorporated feedback from Ken and vendor partner. Removed key lifecycle APIs from Faythe interface. Replaced External HSM with External Key Manager. Used standard error codes between Faythe and the XKS Proxy Management Fleet (we can still convert them before exposing them to KMS API caller). Message body is used for additional disambiguation/finer granularity in describing the error. 1027 | * Version 0.0.3 (Jul 30, 2021): Added notes to suggest the message signing mechanism is under review. 1028 | * Version 0.0.4 (Aug 16, 2021): Finalized AWS SIGv4 as the mechanism for signing Faythe API requests. Changed terminology from External Key Manager (EKM) to External Key Store. Added more fields in requestMetadata. Updated error codes. Changed GETs to POSTs. 1029 | * Version 0.0.5 (Sep 7, 2021): Added back support for Faythe proxy running in a customer’s VPC (on a non-publicly routable endpoint) in the architecture diagram. 1030 | * Version 0.0.6 (Sep 22, 2021): Added Appendix A on special considerations for using SigV4 in the context of this document and Appendix B on open questions. Updated terminology, e.g. replaced KMS internal fleet names with external names, Faythe is now the External Key Store Proxy or XKS Proxy, replaced eks in the URLs with xks, Replaced EncryptionContext with a generic AdditionalAuthenticatedData (AAD) field which simplifies the XKS Proxy implementation (because it no longer needs to worry about canonicalizing a set of key-value pairs) and allows KMS to include additional data, such as the proprietary ciphertext blob header, in the AAD. 
1031 | * Version 0.0.7 (Sep 28, 2021): Relaxed the constraint on the API endpoint to include a path-prefix, i.e. the endpoint can look like `https://<server>:<port>/<path-prefix>/kms/xks/v1`, as opposed to 1032 | `https://<server>:<port>/kms/xks/v1`. Specified the set of allowed characters in an external key Id: uppercase or lowercase letters A through Z, digits 0 through 9 and the hyphen. Also added guidance on ensuring the secrets used for SigV4 verification are adequately protected. 1033 | * Version 0.0.8 (Oct 11, 2021): Updated high-level architecture diagram to eliminate the middle option since it was equivalent to the third option from a connectivity perspective. Clarified what error is thrown (IncorrectKeyException) if the externalKeyId passed to an API call for v1 corresponds to a key with a type other than AES-256. **Removed the `<path-prefix>` from the endpoint URI because having that flexibility for the VPC-connectivity option introduces more complexity on the KMS API (this reverts a change that was introduced in Version 0.0.7).** Clarified that requests with a timestamp not within 5 minutes of the proxy’s timestamp should fail authentication. Updated ErrorMessage strings. Added a new error InvalidKeyUsageException which is thrown if the AES encrypt/decrypt operation is invoked on a key meant for a different usage, e.g. for HMAC or asymmetric Sign/Verify. Removed the IncorrectKeyException for Decrypt because the operation cannot distinguish between IncorrectKeyException and IncorrectCiphertextException (look for strikethrough text in the Errors table). 1034 | * Version 0.0.9 (Oct 27, 2021): Re-introduced the path-prefix in the XKS proxy endpoint; the endpoint can look like `https://<server>:<port>/<path-prefix>/kms/xks/v1`, as opposed to 1035 | `https://<server>:<port>/kms/xks/v1`. Expanded the GetHealthStatus response to include information on multiple HSMs in a cluster. The additional information can be used by AWS KMS to process TPS limit increase requests from customers. 
Clarified that the proxy may create test keys (but not keys associated with KMS keys) and invoke cryptographic operations on them as part of a deep healthcheck. Clarified that this API MUST be excluded from authorization on the XKS Proxy. 1036 | * Version 0.0.10 (Nov 12, 2021): Mentioned the possibility of including KMS condition keys for AWS Nitro Enclaves in requestMetadata. Specified that the size of the IV must be exactly 96 bits. Updated the description of plaintext and ciphertext for both Encrypt and Decrypt APIs to clarify the size of the input the XKS Proxy must accept and the 20-byte limit on extra bytes it may add during encrypt. Added requirement on XKS Proxy to support up to 8192 bytes of AAD. Added the ability to request a Ciphertext Data Integrity Value (CDIV) in the Encrypt API. Added an example in the Encrypt API description illustrating CDIV computation. Removed authentication mechanism between KMS and XKS Proxy from the list of Open Issues: we are moving forward with a combination of TLS server-side authentication (for authenticating the XKS Proxy to KMS) and SigV4 (for authenticating KMS to the XKS Proxy). 1037 | * Version 0.0.11 (Jan 3, 2022): This version incorporates a number of recommendations received from internal and external feedback providers 1038 | * End GetKeyMetadata endpoint in “metadata” for consistency with other APIs 1039 | * Allow the IV to be either 12 or 16 bytes 1040 | * Rename keyState in GetKeyMetadata response to keyStatus to distinguish it from KMS keyState 1041 | * Require access key id to be specified independently (do not derive it from the Authentication secret) 1042 | * Specify keyUsage as a list, e.g. 
[“ENCRYPT”, “DECRYPT”] 1043 | * Change encryption algorithm to AES_GCM (instead of AES_GCM_256) 1044 | * Separate out vendor-specific data into its own field CiphertextMetadata, include it in CDIV computation example, and require it to be included in the computation of the authentication tag 1045 | * Improve text on health checks 1046 | * Remove IncorrectKeyException 1047 | * Allow underscore as a valid character in the externalKeyId 1048 | * Called out HTTP/1.1 or later and TLS 1.2 or later with specific cipher suites providing perfect forward secrecy. 1049 | * Version 0.0.12 (Feb 02, 2022): Updated the description for the keyArn field in request metadata associated with the GetKeyMetadata API (it is no longer REQUIRED, KMS will include it when the kmsOperation is DescribeKey but not for CreateKey). Added GetHealthStatus as one of the APIs that can throw an InvalidStateException. 1050 | * Version 0.0.13 (Feb 28, 2022): This version incorporates the following changes: 1051 | * Changed wording in the description of the two ways in which the XKS Proxy service is exposed to KMS. Previous wording suggested that exposing the service as a VPC endpoint service requires the XKS proxy to be in the customer’s Amazon VPC. This is not the case. The customer just needs an NLB in their VPC. The NLB can be configured to use private IP addresses in its target group. Those IP addresses can be in the customer’s data center as long as those IP addresses are reachable from the VPC. 1052 | * Clarified that kmsRequestId is part of the requestMetadata accompanying a GetHealthStatus request only if the request is made as part of the KMS `CreateCustomKeyStore` or `ConnectCustomKeyStore` API 1053 | * Added InvalidUriPathException (HTTP Code 404) for situations where the XKS Proxy receives a request with an invalid URI path. 1054 | * Added Appendix B with guidelines on CDIV implementation. 
1055 | * Version 0.0.14 (Mar 31, 2022): 1056 | * Updated URIs everywhere to show optional portions in square brackets. 1057 | * Added a section on “Other Considerations” that talks about load balancer health checks an XKS Proxy must implement. 1058 | * Clarified that the secret access key can be any UTF-8 string with sufficient entropy and Base64 encoding a 32-byte random value is just one of the possible ways of generating a good secret access key. Also mentioned the list of characters allowed in the secret access key. 1059 | * Clarified a max character limit of 128 on the `XksProxyUriPath` and mentioned the list of allowed characters. 1060 | * Clarified that GetKeyMetadata MUST not return more than ten values for keyUsage 1061 | * Clarified that GetHealthStatus MUST not return more than ten entries for ekmFleetDetails 1062 | * Removed all mention of CDIV. For the foreseeable future, KMS will handle this internally and we can simplify the specification and make it easier to implement. When we reintroduce CDIV, we will require the XKS Proxy to include the complete AAD in the CDIV computation along with the ciphertextMetadata, IV, ciphertext and authentication tag. 1063 | * Added this text for every description of kmsOperation: “The XKS Proxy MUST NOT reject a request as invalid if it sees a kmsOperation other than those listed for this API call.” See the kmsOperation description in GetKeyMetadata for justification. 1064 | * Version 0.0.15 (Apr 06, 2022): 1065 | * Changed requestMetadata specification for GetHealthStatus to always include a requestId and kmsOperation. 1066 | * Updated Error Code list to clarify InvalidStateException can be returned for all APIs. 1067 | * Version 0.0.16 (Jun 23, 2022): 1068 | * Reintroduced CiphertextDataIntegrityValue (CDIV) and included AAD into the CDIV computation. Added Appendix C with CDIV computation guidelines. 
1069 | * Added new architecture diagram showing VPC endpoint connectivity with XKS proxy in and outside the AWS data center. 1070 | * Removed optional port in URIs since KMS APIs require the proxy to run on the default HTTPS port. 1071 | * Updated text to indicate the XksProxyUriEndpoint is always specified irrespective of connectivity option. 1072 | * Mentioned 500ms KMS timeout and how the proxy may use caching of the deep health check result to meet this constraint. 1073 | * Added a description of the XKS Proxy configuration file under Other Considerations 1074 | * Added a recommendation for the XKS Proxy to support client-side TLS authentication. 1075 | * Version 0.0.17 (Jul 15, 2022): 1076 | * Remove error messages from the JSON payload in error responses from the proxy since KMS is ignoring them. 1077 | * Added a table under KMS Considerations for Error Codes indicating the specific KMS exceptions and messages returned to the KMS caller when the XKS proxy reports an error. 1078 | * Added guidance on including the length of the ciphertext metadata before including it in the AAD input for the external HSM. 1079 | * Version 0.0.18 (Aug 2, 2022): 1080 | * Added clarifying text in multiple places: separated out recommended TLS cipher suites by TLS version, replaced Base-64 and base64 references with Base64 for consistency, mentioned that XKS proxy must be able to fall back to HTTP 1.1. 1081 | * Recommended including the length of both the `additionalAuthenticatedData` and `ciphertextMetadata` when creating the AAD for the external HSM 1082 | * Reworded Appendix B to suggest KMS may expand `requestMetadata` fields in the future but each XKS proxy vendor can define their own policy language and choose which of those fields are usable in access control decisions. 1083 | * Version 0.0.19 (Aug 3, 2022): 1084 | * Fix typo in KMS Exception Message. 
1085 | * Version 0.0.20 (Aug 3, 2022): 1086 | * Clarify the endianness of the 2-byte AAD length in constructing the AAD input of AES/GCM to the external HSM. 1087 | * Version 0.0.21 (Aug 16, 2022): 1088 | * Added a new section on Troubleshooting using curl under Other Considerations. 1089 | * Added a new subsection under Authentication describing how an XKS proxy should support rotation of SigV4 credentials. 1090 | * Changed 500ms KMS timeout threshold to 250ms and the ping latency between customer data center and AWS data center to be 35ms (down from 100ms). 1091 | * Version 0.0.22 (Aug 19, 2022): 1092 | * Changed how KMS reports access denied and invalid ciphertext errors from the proxy, both of these are now reported as KMSInvalidStateException. 1093 | * Added a new entry for ThrottlingException in the error codes section. This provides a mechanism for the proxy to implement back pressure on a caller when the request rate is too high. Added a corresponding entry in the table of KMS exceptions. Mentioned that an XKS proxy may implement independent request quotas on each path prefix and respond with a ThrottlingException if that quota is exceeded. 1094 | * Version 0.9.6 (Sep 12, 2022): 1095 | * The XKS proxy may include an optional errorMessage in the JSON body when reporting an API failure. 1096 | * Updated the text of error messages KMS reports to its callers for various exceptions. 1097 | * Renumbered pre-GitHub version numbers, e.g. pre-GitHub version number X was renumbered 0.0.X. The jump in version number reflects we are getting close to finalizing v1 of the XKS Proxy API specification. 1098 | * Version 0.9.7 (Oct 10, 2022): 1099 | * Allow period as a valid character in the `externalKeyId`. 1100 | * Version 0.9.8 (Oct 12, 2022): 1101 | * Changes to render the architecture diagram and tables correctly when viewing the specification markdown on GitHub. 
1102 | * Fixed anchor link navigation, added a table of contents and removed extraneous asterisks in a couple of headers. 1103 | * Removed unnecessary reference to post-quantum TLS ciphersuites in S2N 1104 | * Version 0.9.9 (Oct 28, 2022): 1105 | * Changed heading capitalization to match AWS documentation norms 1106 | * Moved "Error codes" out of the "API operations" section 1107 | * Spelt out CDIV in the title of Appendix E 1108 | * Removed reference to Base64 when talking about secret access key 1109 | * Version 1.0.0 (Nov 10, 2022): 1110 | * Updated terminology (preferring external key manager over external HSM) to match our public docs. This is also reflected in the KMS error messages. 1111 | * Replaced TBD references with actual numbers for health status polling frequency and TPS quota on AWS KMS external key stores. 1112 | * Version 1.0.1 (Nov 10, 2022): 1113 | * Added a link to the list of public certificate authorities trusted by AWS KMS for authenticating an external key store proxy. 1114 | * Version 1.0.2 (Jan 17, 2023): 1115 | * Clarified that standard Base64 encoding (not URL-safe encoding) as defined in Section 4 of RFC 4648 is used in this document. 1116 | * Fixed typos: the stated length of Base64 encoded values was off by one in two places and the ciphertextMetadata length must not exceed 20 bytes before Base64 encoding. 1117 | * Clarified that xksProxyFleetSize must be an integer greater than zero 1118 | * Simplified the description of CDIV computation in Appendix C (no change to the computation itself). 1119 | * Version 1.0.3 (May 15, 2024): 1120 | * Clarified the optional existence of awsSourceVpc and awsSourceVpce in requestMetadata. 1121 | * Removed DescribeKey from KMS operations using GetKeyMetadata. 1122 | --------------------------------------------------------------------------------