Add GlobalSign Root R6 to cacert.pem

[mruncles]

Describe the feature

Can we add new GlobalSign Root R6 certificate (https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates) to cacert.pem file as it is used by default in aws-cli shipped by amazon? Yes we can override this behavior by env variables, but it's an extra step that can be avoided for publicly acknowleged root certificate.

Use Case

Some custom third-party s3 providers already use new GlobalSign certificates, but we have some inconsistencies with aws-cli v1 and v2, as v1 uses updated certifi with updated certificate list, but v2 still depends on outdated cacert.pem.

Proposed Solution

add GlobalSign Root R6 certificate to cacert.pem

Other Information

No response

Acknowledgements

• [ ] I may be able to implement this feature request
• [ ] This feature might incur a breaking change

SDK version used

ALL

Environment details (OS name and version, etc.)

aws-cli/2.15.59 Python/3.11.8 Linux/6.8.0-31-generic exe/x86_64.ubuntu.24

[tim-finnigan]

Thanks for the feature request. Upon discussing with the team, the recommendation here is to install certifi to get access to newer certs. That should be used by default if it is installed. Further investigation by the team is required involving changes to cacert.pem, but this feature request is not planned.

[github-actions[bot]]

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.