Subject: Security Announcement: Product Advertising API to switch to SHA256 Hash Algorithm for SSL Certificates
Dear Associate,
We have an important update for you regarding Amazon Product Advertising API. Certificate Authorities (CAs) and companies such as Google and Microsoft are retiring support for SHA1 as a hashing algorithm used to sign SSL/TLS certificates (for more information, please read the
CA/Browser Forum post). Because of this, the Amazon Product Advertising API will also be retiring use of SHA1 for digital signatures in SSL/TLS certificates and will be upgrading to SHA256 by October 09, 2015. This means that customers accessing the Product Advertising API via HTTPS will need to make sure theyre using the latest certificate bundles on their client machines.
The questions below should help you ensure youre ready when we switch to SHA256:
1. What action do I need to take?
You need to verify if your applications are compatible with our new certificate. Simply run an API request to the following testing endpoints:
UK:
https://sha256.webservices.amazon.co.uk/onca/xml
If you are able to run the request successfully, your software is compatible with our new certificates.
2. I was able to get a successful response using the testing endpoint. What do I do now?
Nothing! If your application was able to get a successful response using the testing endpoint, then you will be able to access the API even after the SHA256 migration.
3. I was unable to get a response using the testing endpoint. What do I do now?
If you were unable to get a response using the testing endpoint, then you will have to ensure you are using more recent libraries of the programming/scripting language to access the API. For compatibility, the client libraries will require the following:
Java: Requires JDK 1.6.0_19 or later.
PHP: Requires OpenSSL 0.9.8o or later.
C#: No change.
You can update the certificate bundle in your browser simply by updating your browser. Instructions for the most common browsers can be found on the browsers websites: Chrome, FireFox, and Safari. Certificate bundles for Internet Explorer are managed by the Windows OS, so ensure that you update the OS as well.
If you need development support beyond the above suggestions, please post your questions to the Product Advertising API forum under Advisory:
Product Advertising API to switch to SHA256 Hash Algorithm thread. Many experienced members of the Amazon Associates program regularly participate in the forums, and often answer questions.
4. Do I need to update the endpoint for accessing Product Advertising API to the above listed endpoints?
No, the listed endpoints are only for testing purposes and would be discontinued post the migration.
5. By when do I need to make the change/ update?
You can do this change at any time on or before October 09, 2015. Any changes you make will be compatible with our existing URL(s).
