Microsoft silently adds Amazon root certificates to its CTL

Microsoft has just pushed a new CTL update with 6 new root certificates, 4 of which are for a brand new root CA: Amazon. This conveniently occurs just in time for Amazon’s Certificate Services go-live. But what should have been a fairly ordinary update is raising a few red flags.

  1. Amazon is reported to have some close ties to spy agencies.

  2. The new roots have not been announced by Microsoft. Their Program Participants page is oddly silent about the changes. Additionally, it’s interesting that Starfield (another root acquired by Amazon last year) does not appear there either. Hopefully that’s just a coincidence - I will not speculate on that.

  3. No other trust store provider (Mozilla, Google, Oracle) trusts these roots as of today.

RCC detecting the new roots:

[Screenshot: RCC output flagging the newly added root certificates]

By the way, if you are running any supported version of Windows, be aware that you are already effectively trusting them now, even if you do not see them in the Windows Certificate Manager.
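A way to see that gap for yourself, as an added example that is not part of the original post and not RCC's code: pull the roots Microsoft currently distributes through its CTL with `certutil -syncWithWU` and compare them against what is physically present in the machine's Root store. Anything in the CTL but missing locally is still trusted, because Automatic Root Certificates Update installs it on demand the first time a chain needs it. The working directory under `$env:TEMP` and the `Amazon` subject filter are assumptions for illustration; the script needs `certutil.exe`, Windows PowerShell 5.1 or later, and outbound access to Windows Update.

```powershell
# Added example (not from the original post or the RCC tool).
# Compares the Microsoft CTL root set against the local machine Root store.

$dir = Join-Path $env:TEMP 'ms-ctl-sync'   # assumed scratch directory
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# certutil -syncWithWU downloads authrootstl.cab plus one <thumbprint>.crt
# file for every root Microsoft currently distributes via the CTL.
& certutil.exe -syncWithWU $dir | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "certutil -syncWithWU failed with exit code $LASTEXITCODE"
}

# Load every root the CTL distributes.
$ctlRoots = Get-ChildItem -Path $dir -Filter '*.crt' | ForEach-Object {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName
}

# Thumbprints of roots actually installed in the machine store right now.
$localThumbs = (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint

$report = foreach ($c in $ctlRoots) {
    [pscustomobject]@{
        Subject      = $c.Subject
        Thumbprint   = $c.Thumbprint
        NotAfter     = $c.NotAfter
        InLocalStore = ($localThumbs -contains $c.Thumbprint)
    }
}

# Roots trusted via the CTL that do not show up in certmgr/certlm today.
"CTL roots not present in LocalMachine\Root:"
$report | Where-Object { -not $_.InLocalStore } | Sort-Object Subject | Format-Table -AutoSize

# Narrow to a CA of interest; 'Amazon' is the case discussed in the post.
"Roots whose subject matches 'Amazon':"
$report | Where-Object { $_.Subject -match 'Amazon' } | Format-List
```

Run it from an elevated prompt if you also want to diff the results against Group Policy managed stores; for a plain audit of the default behaviour a standard user session is enough, since reading `Cert:\LocalMachine\Root` requires no elevation.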

Follow @hexatomium