Amazon gets a new cert with a different provider and revokes the old one. Those people are pretty talented operationally. This should not be a difficult thing to do.
Given the catastrophic nature of being without a cert and the relative low cost of those, it's not hard to believe that they maintain a backup certificate, ready to switch in at a moments notice.
IMHO it's getting a little out of hand how much concern is being given to the gov.nl private PKI system and the few hundred other certs Diginotar issued where the website admins have to swap a file or two.
The big deal is the security of the whole freaking internet resting on top of this tiny little web app and server in .nl and the unknown number of actual users in .ir getting MitMd and likely horribly persecuted.
