Amazon Product Advertising API Developer's Manual page 74

Api version 2011-08-01

Product Advertising API Developer Guide
X.509 Certificates
When using SOAP with WS-Security, you must use an X.509 certificate for authentication (as opposed
to your AWS Secret Access Key). An X.509 certificate is a security token designed to carry a public key
and bind that key to an identity. X.509 certificates are used in a public key infrastructure (PKI), which is
a framework for allowing trusted third parties to vouch for a party's identity. PKIs are commonly used in
situations that require authentication. For more information about PKIs and X.509 certificates, go to the
techencyclopedia.com entries for digital certificate and PKI.
Note
Product Advertising API does not implement a full public key infrastructure. The certificate
information is used only to authenticate requests to Product Advertising API. Product Advertising
API uses X.509 certificates only as carriers for public keys and does not trust or use in any way
any identity binding that might be included in an X.509 certificate.
The WS-Security 1.0 specification requires you to sign the SOAP message with the private key associated
with the X.509 certificate and include the X.509 certificate in the SOAP message header. Specifically,
you must represent the X.509 certificate as a BinarySecurityToken as described in the WS-Security
X.509 token profile (also available if you go to the OASIS-Open web site).
You can use your own X.509 certificate or one generated by AWS. Following are the procedures for
uploading your own certificate to AWS and obtaining an AWS-generated certificate. To obtain an X.509
certificate generated by an external certificate authority, follow the instructions provided by that CA.
Using Your Own Certificate
If you have an X.509 certificate you want to use, you can upload the certificate to AWS (without the private
key value). Uploading the certificate automatically associates it with your AWS account.
AWS accepts any syntactically and cryptographically valid X.509 certificate. Certificates can be self-signed
or signed by any key. The certificate must be in Privacy Enhanced Mail (PEM) format and include a
base64 encoded Distinguished Encoding Rules (DER) certificate body.
Important
When you upload the certificate, AWS checks the certificate's contents to confirm that the certificate
has not expired. AWS doesn't check certificate revocation lists (CRLs) to determine if the certificate
has been revoked, nor does AWS validate the certificate with a certificate authority (CA) or any
trusted third parties.
To upload your own X.509 certificate
1. Go to the Amazon Web Services web site at http://aws.amazon.com.
2. Point to Your Web Services Account to display a list of options.
3. Click View Access Key Identifiers and log in to your AWS account.
   The AWS Access Key Identifiers page is displayed.
4. Scroll down to the X.509 Certificate area of the page and click Upload.
5. Follow the instructions on the subsequent pages to upload your certificate.
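
A local pre-upload check for the requirements above, as an added example (not code from AWS or this guide): it confirms the file holds exactly one PEM CERTIFICATE block and no private key, decodes the base64 DER body, and reads notAfter to catch an expired certificate. The function names are hypothetical, and the sample input is a constructed DER skeleton rather than a real certificate.

```python
import base64, re
from datetime import datetime, timezone

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s*-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def not_after(der):
    """Read Certificate -> tbsCertificate -> validity -> notAfter as a UTC datetime."""
    tag, cert, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tbs = children(children(cert)[0][1])
    i = 4 if tbs[0][0] == 0xA0 else 3  # optional [0] version shifts validity by one
    tag, val = children(tbs[i][1])[1]  # validity = (notBefore, notAfter)
    text = val.decode("ascii")
    if tag == 0x17:  # UTCTime has a 2-digit year: 50-99 -> 19xx, 00-49 -> 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def check_upload(pem_text, now):
    blocks = PEM_BLOCK.findall(pem_text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        return "reject: file contains a private key"
    if [label for label, _ in blocks] != ["CERTIFICATE"]:
        return "reject: expected exactly one CERTIFICATE block"
    der = base64.b64decode("".join(blocks[0][1].split()), validate=True)
    return "ok" if not_after(der) > now else "reject: expired"

def sample_pem(not_after_utc):  # constructed DER skeleton, not a real certificate
    tlv = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths only
    validity = tlv(0x30, tlv(0x17, b"110801000000Z") + tlv(0x17, not_after_utc))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x30, b"") + tlv(0x30, b"") + validity)
    der = tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"
```

Pass datetime.now(timezone.utc) as now when checking a real file. The check covers PEM framing and expiry only; it does not verify the certificate's signature.
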
Using a Certificate Generated by AWS
If you don't already have an X.509 certificate, or if you want a new certificate to use with AWS, you can
have AWS generate one and automatically associate it with your AWS account. Certificates generated
by AWS are signed by an AWS internal certificate authority.