TLS/SSL certificates and Amazon requirements

MD5 with RSA restriction

Amazon checks the leaf certificate at the bottom of the certificate chain (the end-entity certificate issued for your domain, for example example.com) and doesn't establish a TLS/SSL connection with a site whose certificate Signature Algorithm is MD5 with RSA Encryption (md5WithRSAEncryption). MD5 is no longer collision resistant, so a signature made with it can't be relied on to bind the key to the domain. Note that this check concerns the algorithm the CA used to sign your certificate, not the cipher suite negotiated for the connection.

Examining your site's certificate signature algorithm

To find the signature algorithm your certificate uses (the field the browsers below label Certificate Signature Algorithm or Signature algorithm), do this:

In Firefox

  1. Go to your site using the https:// secure protocol.
  2. Click the site icon to the left of the domain name to open an information dialog box about the host.
  3. Click the More Information button to open the Page Info dialog box.
  4. Click the Security icon, and then click the View Certificate button to open the Certificate Viewer dialog box.
  5. Click the Details tab, and then scroll down under the Certificate Fields list box and click Certificate Signature Algorithm to show the Field Value. The Field Value box shows the certificate algorithm that is used.
  6. If the Field Value is MD5 With RSA Encryption, the certificate isn't valid for use with Amazon Pay transactions.

In Internet Explorer

  1. Go to your site using the https:// secure protocol.
  2. Click the security icon (a lock) to the right of the domain name to open the Website Identification window.
  3. Click View Certificates to open the Certificate dialog box.
  4. Click the Details tab to see the Signature algorithm that is used.
  5. If the Signature algorithm value is md5RSA, the certificate isn't valid for use with Amazon Pay transactions.

In Safari

  1. Go to your site using the https:// secure protocol.
  2. Click the security icon (a lock) to the left of the domain name to open a digital certificate window.
  3. Click Show Certificate to see additional information.
  4. Click the arrow to the left of Details and scroll down to see the Signature algorithm that is used.
  5. If the Signature algorithm value is md5RSA, the certificate isn't valid for use with Amazon Pay transactions.
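The browser steps above are fine for a one-off look, but a scriptable check is more useful when you manage several storefronts. The following Python example is added here and is not code from the Amazon Pay page: it reads the signatureAlgorithm OID straight out of a DER-encoded certificate with a minimal ASN.1 walker, confirms that it matches the tbsCertificate.signature field as RFC 5280 requires, and flags md5WithRSAEncryption as unacceptable. `check_host` fetches a live site's leaf certificate over the network using only the standard library; `sample_certificate` builds a constructed, unsigned certificate skeleton inline so the check can run offline. That skeleton is not a real certificate, and the OID table covers only the algorithms listed in it. A practitioner's caveat that the page does not state: sha1WithRSAEncryption is also rejected by modern browsers, so treat anything other than a SHA-2 or EdDSA signature as a problem.

```python
import ssl

# Signature-algorithm OIDs from RFC 3279, RFC 4055, RFC 5758 and RFC 8410.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.3.101.112": "Ed25519",
}
REJECTED = {"md5WithRSAEncryption"}      # the algorithm the page says Amazon Pay refuses


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear: last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def algorithm_oid(der, pos):
    """Return the OID of the AlgorithmIdentifier SEQUENCE that starts at der[pos]."""
    tag, start, _ = read_tlv(der, pos)
    oid_tag, oid_start, oid_end = read_tlv(der, start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE { OBJECT IDENTIFIER, ... }")
    return decode_oid(der[oid_start:oid_end])


def check_certificate(der):
    """Report a DER certificate's signature algorithm and whether Amazon Pay accepts it."""
    tag, pos, _ = read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    tbs_tag, inner, tbs_end = read_tlv(der, pos)    # tbsCertificate SEQUENCE
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, _, end = read_tlv(der, inner)              # optional explicit [0] version
    if tag == 0xA0:
        inner = end
    _, _, inner = read_tlv(der, inner)              # skip serialNumber INTEGER
    tbs_sig = algorithm_oid(der, inner)             # tbsCertificate.signature
    outer_sig = algorithm_oid(der, tbs_end)         # Certificate.signatureAlgorithm
    if tbs_sig != outer_sig:                        # RFC 5280 section 4.1.1.2: must be equal
        raise ValueError("tbsCertificate.signature differs from signatureAlgorithm")
    name = SIG_ALG_NAMES.get(outer_sig, "unknown")
    return {"oid": outer_sig, "name": name, "accepted": name not in REJECTED}


def check_host(host, port=443):
    """Fetch the leaf certificate a live server presents (needs network) and check it."""
    pem = ssl.get_server_certificate((host, port))
    return check_certificate(ssl.PEM_cert_to_DER_cert(pem))


def tlv(tag, content):
    """Encode one DER TLV (short or long form); used only to build the sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    """Encode dotted OID notation into DER content octets (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return out


def sample_certificate(sig_oid, tbs_sig_oid=None):
    """Constructed sample input (not a real certificate): a Certificate skeleton with only
    the fields check_certificate reads; no issuer, validity, subject, key or real signature."""
    alg = lambda oid: tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(0x05, b""))  # AlgorithmIdentifier
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))        # [0] version v3
                    + tlv(0x02, b"\x01")                   # serialNumber 1
                    + alg(tbs_sig_oid or sig_oid))         # signature (should equal the outer one)
    return tlv(0x30, tbs + alg(sig_oid) + tlv(0x03, bytes(17)))  # + signatureAlgorithm, dummy BIT STRING
```

For a live site, `check_host("example.com")` returns the same dictionary for the leaf certificate the server actually sends; an `"accepted": False` result means the certificate is the MD5 case the page describes and must be replaced before Amazon Pay will connect.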

Common TLS/SSL errors

Missing intermediate certificate

This error occurs when the leaf certificate is installed correctly but the server is not configured to send the intermediate CA certificate(s) that link it to a trusted root. A client that trusts only the root then can't build the chain of trust (OpenSSL reports "unable to get local issuer certificate"), even though the same site may appear to work in a browser that has already cached the intermediate from another site. To prevent this problem, install the full chain your CA supplied (the leaf first, followed by the intermediates) as the certificate file the server presents; the root itself does not need to be sent.

Certificate name mismatch

This error occurs when the host name the client connected to doesn't match any name the installed certificate was issued for (its Subject Alternative Name entries), that is, the installed certificate belongs to a different website. To resolve this error, obtain and install a certificate issued for the exact host name customers use (or a wildcard that covers it); the page's advice is to purchase a new certificate for the website.
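Both errors above are easiest to understand by reproducing them. The following Python example is added here and is not code from the Amazon Pay page: it assumes the `openssl` command-line tool is installed, uses it to build a throwaway test PKI (a constructed root, intermediate and leaf for example.com, none of them real certificates), then performs three TLS handshakes on localhost with Python's `ssl` module. The server first sends only the leaf (missing intermediate), then the leaf plus intermediate (the working case), and finally the client asks for a host name the certificate was not issued for (name mismatch). The client also pins its minimum protocol version to TLS 1.2, in line with the TLS version note later on this page.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def openssl(*args):
    """Run one openssl command quietly; raises if the openssl binary is missing or fails."""
    subprocess.run(("openssl",) + args, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def build_test_pki(work):
    """Constructed throwaway PKI (root -> intermediate -> leaf for example.com); not real certs."""
    p = lambda name: os.path.join(work, name)
    ca_ext = "basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n"
    ski, aki = "subjectKeyIdentifier=hash\n", "authorityKeyIdentifier=keyid:always\n"
    leaf_ext = ("basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n"
                "extendedKeyUsage=serverAuth\nsubjectAltName=DNS:example.com\n")
    for name, ext in (("root", ca_ext + ski), ("int", ca_ext + ski + aki),
                      ("leaf", leaf_ext + ski + aki)):
        with open(p(name + ".ext"), "w") as f:
            f.write(ext)
    # Each step: fresh RSA key + CSR, then sign it (root self-signs, the rest by their parent).
    for name, cn, issuer in (("root", "Test Root", None), ("int", "Test Intermediate", "root"),
                             ("leaf", "example.com", "int")):
        openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=" + cn,
                "-keyout", p(name + ".key"), "-out", p(name + ".csr"))
        signer = (["-signkey", p("root.key")] if issuer is None else
                  ["-CA", p(issuer + ".crt"), "-CAkey", p(issuer + ".key"), "-CAcreateserial"])
        openssl("x509", "-req", "-in", p(name + ".csr"), "-sha256", "-days", "1",
                "-extfile", p(name + ".ext"), "-out", p(name + ".crt"), *signer)
    with open(p("fullchain.pem"), "w") as out:      # what the server must send: leaf, then intermediate
        for name in ("leaf.crt", "int.crt"):
            out.write(open(p(name)).read())
    return {"root": p("root.crt"), "leaf": p("leaf.crt"), "key": p("leaf.key"),
            "fullchain": p("fullchain.pem")}


def handshake(server_chain, server_key, ca_file, expected_hostname):
    """One TLS handshake on localhost. Returns None on success, otherwise the client's
    (verify_code, verify_message) taken from ssl.SSLCertVerificationError."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(server_chain, server_key)   # leaf only, or leaf + intermediate
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        try:
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)
        except (ssl.SSLError, OSError):
            pass                                        # client aborted after failing verification
        finally:
            conn.close()
            listener.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    cli_ctx = ssl.create_default_context(cafile=ca_file)  # trusts only the constructed test root
    cli_ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # TLS 1.0 is blocked by Amazon Pay; 1.1 is deprecated
    try:
        with socket.create_connection(("127.0.0.1", port)) as sock:
            with cli_ctx.wrap_socket(sock, server_hostname=expected_hostname) as tls:
                tls.sendall(b"x")
        return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_code, exc.verify_message
    finally:
        worker.join(5)


def demonstrate():
    """Reproduce the two errors above plus the working case; returns one result per scenario."""
    with tempfile.TemporaryDirectory() as work:
        pki = build_test_pki(work)
        return {
            # server sends only the leaf: the client can't link it to the root it trusts
            "missing_intermediate": handshake(pki["leaf"], pki["key"], pki["root"], "example.com"),
            # server sends leaf + intermediate: the chain of trust is established
            "full_chain": handshake(pki["fullchain"], pki["key"], pki["root"], "example.com"),
            # certificate is for example.com but the client expected a different host name
            "name_mismatch": handshake(pki["fullchain"], pki["key"], pki["root"], "shop.example.net"),
        }


if __name__ == "__main__":
    for scenario, result in demonstrate().items():
        print(scenario, "->", "OK" if result is None else result)
```

The missing-intermediate case fails with OpenSSL verify code 20 ("unable to get local issuer certificate") and the name-mismatch case with code 62 ("Hostname mismatch"); only the full-chain handshake succeeds. Against a real server, `openssl s_client -connect host:443 -showcerts` shows exactly which certificates it sends, which is the first thing to check when a payment integration reports either error.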

Purchasing a certificate

You can purchase certificates over the internet from a Certificate Authority directly or from a reseller such as a hosting company.

TLS/SSL certificates are issued and maintained by a network of Certificate Authorities (CAs): companies that must follow audited industry requirements (the CA/Browser Forum Baseline Requirements) before browsers and services such as Amazon Pay will trust their root certificates.

The two common types of certificate are standard (domain-validated, DV) and extended validation (EV). A standard certificate meets the requirements for Amazon Pay, is less expensive than an EV certificate, and is issued within minutes of purchase once you prove control of the domain (typically through an HTTP or DNS challenge, or an e-mail to an address at the domain).

Certificate prices vary. Note that many CAs offer a 30-day trial or refund period during which you can revoke the certificate at no cost if you aren't satisfied.

Amazon-approved TLS/SSL certificates

Amazon Pay currently accepts TLS/SSL certificates with root certificates from any of the Certificate Authorities (CAs) listed on the Certificate Authorities (CA) Recognized by Amazon SNS for HTTPS Endpoints page.

Note: Requests made using TLS 1.0 are blocked to ensure secure communication. We recommend TLS 1.2, but at a minimum you must use TLS 1.1 or higher for any request made to Amazon Pay. Both TLS 1.0 and TLS 1.1 have since been formally deprecated (RFC 8996), so configure your client library for TLS 1.2 or later rather than relying on the 1.1 floor.

See also

Introduction to TLS/SSL