2022 Update: Amplitude is renewing its certificate

  • 28 January 2022
  • 20 replies
  • 7884 views

Userlevel 6
Badge +9

On February 12th, 2022 at 9AM PT, we will be renewing a certificate used for api.amplitude.com and analytics.amplitude.com domains. We are only updating our end-entity certificate without any changes to our intermediate or root certificates. For the vast majority of situations, we do not expect any impact with sending data to Amplitude or using Amplitude Analytics.

 

How do I know if I’m impacted?

To understand if you are impacted, please reach out to your team responsible for your Amplitude implementation (e.g. IT, Engineering, team who handles the Amplitude SDK) and send them the information present in this post.


Have your team review the following information and if you answer yes to either of the two points below, then you are impacted.

  • Your systems trusts only the current Amplitude end-entity certificate that is expiring on February 13th, 2022
  • Your systems pin the entire certificate chain

The above scenarios are very uncommon and most users will not require action from this change.


Additionally, you are not impacted and no action is required if you answer yes to any of the following:

  • Amplitude SDKs are used to send data to Amplitude
  • An integration is used to send data to Amplitude
  • SSL Pinning is not used at all

What should I do if I am impacted?

  • Please respond to this community post and a Support team member will reach out to provide you our new end-entity certificate before we replace it

  • If you do not take the necessary steps, you may be unable to log into Amplitude Analytics if your SSO implementation relies on our old end-entity certificate or send data to api.amplitude.com if you pin the entire certificate chain

---

Once again, the team that handles the implementation of Amplitude should be sent the following information and they will be able to provide you with an overview of whether you are impacted or not. 

If you have any questions, please submit any questions within this Amplitude Community post and our Support team will be able to provide guidance.

 

Thank you.


20 replies

Userlevel 2
Badge

What should I do if I am impacted?

  • Please respond to this community post and a Support team member will reach out to provide you our new end-entity certificate before we replace it

Reaching out to ensure I maintain Amplitude access for my org.  Thanks 😃.

Userlevel 4
Badge +3

@Dr.Data I’ve created a ticket on your behalf!

Userlevel 2
Badge

@Dr.Data I’ve created a ticket on your behalf!

Awesome, thanks!

Badge

 

  • If you do not take the necessary steps, you may be unable to log into Amplitude Analytics if your SSO implementation relies on our old end-entity certificate or send data to api.amplitude.com if you pin the entire certificate chain

 

For SSO login, I don’t see any <ds:X509Data> fields in the SAML metadata we have at https://amplitude.com/saml/2/metadata/{id}, can I take that to mean as we shouldn’t need to adjust any of our SSO settings for the new certificate?

Userlevel 4
Badge +3

 

  • If you do not take the necessary steps, you may be unable to log into Amplitude Analytics if your SSO implementation relies on our old end-entity certificate or send data to api.amplitude.com if you pin the entire certificate chain

 

For SSO login, I don’t see any <ds:X509Data> fields in the SAML metadata we have at https://amplitude.com/saml/2/metadata/{id}, can I take that to mean as we shouldn’t need to adjust any of our SSO settings for the new certificate?

 

@davidharris - That is correct, if the Amplitude metadata XML for your org does not contain a certificate, you should not need to adjust any of your settings for the new certificate. 

Badge

Hi,

We have an iOS, Android, and possibly a backend using Amplitude for a clients application. I am looking into this for the client and I work on the Android version. Is this about signing into the Amplitude console? The Android app is using the SDK with ApiKey I'm pretty sure. Are we going to be ok with this change? The apps use SSO with Google, Facebook, and Apple. Is this not about SSO in the app?

 

Thank you

Badge

Update: in Android we are using the regular AmplitudeClient and not the pinned version. So does that mean we are good on the Android side?

Badge

 

What should I do if I am impacted?

  • Please respond to this community post and a Support team member will reach out to provide you our new end-entity certificate before we replace it

It seems we have SSL Pinning turned on in our cocoapod file so need to get this fixed. 

 

Userlevel 4
Badge +3

Hi,

We have an iOS, Android, and possibly a backend using Amplitude for a clients application. I am looking into this for the client and I work on the Android version. Is this about signing into the Amplitude console? The Android app is using the SDK with ApiKey I'm pretty sure. Are we going to be ok with this change? The apps use SSO with Google, Facebook, and Apple. Is this not about SSO in the app?

 

Thank you

 

 

@JohnRowan - thanks for your question. Our engineering team confirmed that SDKs are not impacted. The SSO implementations should automatically trust Amplitude’s new certificate but please let us know if you are seeing differently. 

 

Update: in Android we are using the regular AmplitudeClient and not the pinned version. So does that mean we are good on the Android side?

 

That is correct.

Userlevel 4
Badge +3

 

What should I do if I am impacted?

  • Please respond to this community post and a Support team member will reach out to provide you our new end-entity certificate before we replace it

It seems we have SSL Pinning turned on in our cocoapod file so need to get this fixed. 

 

@macdevnet I’ve created a Support ticket on your behalf.

Badge

Would projects using the JS sdk be affected? I see no mentions on the docs about SSL pinning.

Badge

What should I do if I am impacted?

  • Please respond to this community post and a Support team member will reach out to provide you our new end-entity certificate before we replace it

Reaching out to ensure I maintain Amplitude access for my org.  Thanks.

Userlevel 4
Badge +3

@ruxandra JS SDK is not impacted as mentioned in the post:

 

Additionally, you are not impacted and no action is required if you answer yes to any of the following:

  • Amplitude SDKs are used to send data to Amplitude and SSL Pinning is not enabled
  • An integration is used to send data to Amplitude
  • SSL Pinning is not used at all
Userlevel 4
Badge +3

@muso I’ve created a ticket on your behalf.

Badge

@muso I’ve created a ticket on your behalf.

What would be the next steps?

Userlevel 4
Badge +3

@muso Our Support team will provide you with the new certificate via email. You’ll need to give the certificate to the team who handles your Amplitude implementation (ex: Engineering, IT, etc) and have them upload the new certificate.

Badge

Hello, We at data services team at care.com are currently setup to receive events on S3 bucket from Amplitude. Will this renewing of certificate affect the data push on S3? Please advice, Thanks! 

Userlevel 4
Badge +3

Hello, We at data services team at care.com are currently setup to receive events on S3 bucket from Amplitude. Will this renewing of certificate affect the data push on S3? Please advice, Thanks! 

@get.gshah - our Engineering team confirmed since this does not fall into the bucket of an impacted setup as outlined in the post you are good to go.

Badge

Hello,

we didn’t get impacted in sending data to API or receiving data. But our User Look-up is empty. It’s like it got reset. It happened after February 13th. How can we view historical data in User Look-up

Userlevel 6
Badge +9

Thanks for posting here @Plutarch87 :grinning: I ran a search, available at the top of the page near your profile photo, and stumbled upon these posts. Let me know if these help or if you’re able to find an answer. 

 

Reply