Amazon SSL Certificate Trust - Windows Instructions

Problem

Windows users may encounter the error UNABLE_TO_GET_ISSUER_CERT_LOCALLY when attempting to sync presentations in the Mobile Locker Windows app. This occurs because the Windows system doesn't have Amazon Root CA certificates in its certificate store.

Root Cause

Mobile Locker connects to app.mobilelocker.com, which utilizes an AWS Elastic Load Balancer (ELB) with TLS termination using Amazon Root CA certificates. If these certificates aren't installed on the Windows system, the app cannot validate the full certificate chain.

Solution Instructions

Quick Download: Click the link below to download the certificate file directly:

Download AmazonRootCA1.cer

Option 1: Update Windows (Easiest - User-Level)

  1. Run Windows Update:
    1. Click Start > Settings > Update & Security
    2. Click Check for updates
    3. Install all available updates (this includes CA certificate updates)
    4. Restart the computer if/when prompted.
  2. Verify the fix:
    1. Open the Mobile Locker app
    2. Try to sync presentations (it should work without certificate errors)

Option 2: Manually Import Amazon Root CA (User-Level)

If Windows Update doesn't resolve it:

  1. Download the Amazon Root CA certificates:
    1. Use the download link at the top of this article, or download directly from Amazon's repository
  2. Install the certificate:
    1. Right-click the downloaded AmazonRootCA1.cer  file.
    2. Select Install Certificate
    3. Choose Local Machine (requires admin privileges)
    4. Click Next
    5. Select Place all certificates in the following store
    6. Click Browse > Select > Trusted Root Certification Authorities > Click OK
    7. Click Next > Finish
    8. You should see that the import was successful.
  3. Restart the application
    1. Close and reopen Mobile Locker.
    2. Try to sync presentations.

Option 3: IT Department / Group Policy (Enterprise)

For IT departments managing multiple computers:

Via Group Policy (Windows Domain)

  1. Download AmazonRootCA1.cer  from https://www.amazontrust.com/repository/AmazonRootCA1.cer
  2. Open Group Policy Editor: gpedit.msc
  3. Navigate to: Computer Configuration > Windows Settings > Security Settings > Public Key Policies
  4. Right-click Trusted Root Certification Authorities > Import
  5. Browse to AmazonRootCA1.cer > Next > Finish
  6. Deploy via Group Policy to all computers in the domain.

Via Certificate Manager

  1. Open Command Prompt (as Administrator)
  2. Type certmgr.msc   
  3. Navigate to Trusted Root Certification Authorities > Certificates
  4. Right-click All Tasks > Import.
  5. Select AmazonRootCA1.cer   
  6. Complete the import wizard.

Via PowerShell (Bulk Deployment)

Option A: Using a pre-downloaded certificate file:

# Import to Trusted Root Store
Import-Certificate -FilePath "C:\path\to\AmazonRootCA1.cer" -CertStoreLocation "Cert:\LocalMachine\Root"

Option B: Download and import in one command:

# Download the certificate directly from Amazon and import
Invoke-WebRequest -Uri "https://www.amazontrust.com/repository/AmazonRootCA1.cer" -OutFile "AmazonRootCA1.cer" | `
  Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"

Via Windows Update (Recommended for IT)

  • Push Windows Update through WSUS or Microsoft Endpoint Manager
  • This is the cleanest solution as it automatically includes all necessary CA certificates

Verification Steps

Verify certificate is trusted:

After applying any of the above:

Verify certificate is trusted:

Open PowerShell (as Administrator) and run:

certutil -verify "C:\path\to\AmazonRootCA1.cer"

Should show: "Certificate verified against CTL"

Test connectivity:

Open Command Prompt and run:

curl -v https://app.mobilelocker.com/api/status

Should complete without SSL errors (may show 404 or other HTTP status, but not certificate errors)

Test in Mobile Locker:

  • Restart the app
  • User should now be able to sync presentations

If Still Not Working

Check Windows firewall/antivirus:

  • Some corporate security software intercepts HTTPS connections
  • Ensure app.mobilelocker.com  is whitelisted in security software

Check proxy settings:

  • Some corporate networks use proxies that need certificate configuration

  • Your IT department can configure via Group Policy:

    Computer Configuration > Administrative Templates > System > Internet Communication Management

Contact support with:

  • Error message: UNABLE_TO_GET_ISSUER_CERT_LOCALLY
  • Server: app.mobilelocker.com
  • Issue: AWS ELB issuing certificates with Amazon Root CA 1

Recommended Approach

  • For IT departments: Deploy via Windows Update or Group Policy. This solves it for all users and is the most maintainable solution.
  • For individual users: Run Windows Update to get the latest CA certificates.

Technical Details

Amazon Root CA 1 Certificate

  • Subject: CN=Amazon Root CA 1, O=Amazon, C=US
  • Issuer: CN=Amazon Root CA 1, O=Amazon, C=US (self-signed)
  • Public Key: RSA 2048-bit
  • Valid: May 26, 2015 - January 17, 2038
  • Signature Algorithm: SHA-256 with RSA Encryption
  • Serial Number: 06:6c:9f:cf:99:bf:8c:0a:39:e2:f0:78:8a:43:e6:96:36:5b:ca
  • Key Usage: Digital Signature, Certificate Sign, CRL Sign
  • Purpose: Root certificate for AWS infrastructure

MobileLocker Server Certificate Chain

  • Leaf: CN=mobilelocker.com (AWS ELB)
  • Intermediate: CN=Amazon RSA 2048 M01, O=Amazon, C=US
  • Root: CN=Amazon Root CA 1, O=Amazon, C=US
  • Server URL: https://app.mobilelocker.com
  • Current Leaf Valid Through: November 20, 2026
Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us

Related Articles