Set up AWS Private CA Connector for AD for AWS Managed Microsoft AD - AWS Directory Service


You can integrate your AWS Managed Microsoft AD with AWS Private Certificate Authority (CA) to issue and manage certificates for your Active Directory domain joined users, groups, and machines. AWS Private CA Connector for Active Directory allows you to use a fully managed AWS Private CA drop-in replacement for your self-managed enterprise CAs without the need to deploy, patch, or update local agents or proxy servers.

Note

Server-side LDAPS certificate enrollment for AWS Managed Microsoft AD domain controllers with AWS Private CA Connector for Active Directory is not supported at this time. To enable server-side LDAPS for your directory, see How to enable server-side LDAPS for your AWS Managed Microsoft AD directory.

You can set up AWS Private CA integration with your directory through the AWS Directory Service console, the AWS Private CA Connector for Active Directory console, or by calling the CreateTemplate API. To set up the Private CA integration through the AWS Private CA Connector for Active Directory console, see Creating a connector template. See the following steps on how to set up this integration from the AWS Directory Service console.

Setting up AWS Private CA Connector for AD

  1. Sign in to the AWS Management Console and open the AWS Directory Service console at https://console.aws.amazon.com/directoryservicev2/.

  2. On the Directories page, choose your directory ID.

  3. Under the Network & Security tab, under AWS Private CA Connector for AD, choose Set up AWS Private CA Connector for AD. The page Create Private CA certificate for Active Directory appears. Follow the steps on the console to create your Private CA for Active Directory connector to enroll with your Private CA. For more information, see Creating a connector.

  4. After you create your connector, the following steps walk you through how to view the details of the AWS Private CA Connector for AD, including the connector's status and the associated Private CA's status.

Next, you'll configure the group policy object for your AWS Managed Microsoft AD so AWS Private CA Connector for AD can issue certificates.

Viewing AWS Private CA Connector for AD

  1. Sign in to the AWS Management Console and open the AWS Directory Service console at https://console.aws.amazon.com/directoryservicev2/.

  2. On the Directories page, choose your directory ID.

  3. Under Network & Security, under AWS Private CA Connector for AD, you can view your Private CA connectors and associated Private CA. By default, you see the following fields:

    1. AWS Private CA Connector ID — The unique identifier for an AWS Private CA connector. Clicking on it leads to the details page of that AWS Private CA connector.

    2. AWS Private CA subject — Information about the distinguished name for the CA. Clicking on it leads to the details page of that AWS Private CA.

    3. Status — Based on a status check for the AWS Private CA Connector and the AWS Private CA. If both checks pass, Active displays. If one of the checks fails, 1/2 checks failed displays. If both checks fail, Failed displays. For more information about a failed status, hover over the hyperlink to learn which check failed. Follow the instructions in the console to remediate.

    4. Date created — The day the AWS Private CA Connector was created.

For more information, see View connector details.

Configuring AD Policies

CA Connector for AD needs to be configured so AWS Managed Microsoft AD objects can request and receive certificates. In this procedure, you'll configure your group policy object (GPO) so AWS Private CA can issue certificates to AWS Managed Microsoft AD objects.

  1. Connect to the AWS Managed Microsoft AD admin instance and open the Server Manager from the Start menu.

  2. Under Tools, select Group Policy Management.

  3. Under Forest and Domains, find your subdomain organizational unit (OU) (for example, corp would be your subdomain organizational unit if you followed the procedures outlined in Creating your AWS Managed Microsoft AD) and right-click your subdomain OU. Select Create a GPO in this domain, and link it here... and enter PCA GPO for the name. Select OK.

  4. The newly created GPO will appear under your subdomain name. Right-click PCA GPO and select Edit. If a dialog box opens with an alert message stating , acknowledge the message by selecting OK to continue. The Group Policy Management Editor window should open.

  5. In the Group Policy Management Editor window, go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies (choose the folder).

  6. Under Object Type, choose Certificate Services Client - Certificate Enrollment Policy.

  7. In the Certificate Services Client - Certificate Enrollment Policy window, change Configuration Model to Enabled.

  8. Confirm that Active Directory Enrollment Policy is checked and Enabled. Choose Add.

  9. The Certificate Enrollment Policy Server dialog box should open. Enter the certificate enrollment policy server endpoint that was generated when you created your connector in the Enter enrollment server policy URI field. Leave the Authentication Type as Windows integrated.

  10. Choose Validate. After validation succeeds, select Add.

  11. Return to Certificate Services Client - Certificate Enrollment Policy dialog box and check the box beside the newly created connector to ensure that the connector is the default enrollment policy.

  12. Choose Active Directory Enrollment Policy and select Remove.

  13. In the confirmation dialog box, choose Yes to delete the LDAP-based authentication.

  14. Choose Apply and then OK in the Certificate Services Client - Certificate Enrollment Policy window. Then close the window.

  15. Under Object Type for the Public Key Policies folder, choose Certificate Services Client - Auto-Enrollment.

  16. Change the Configuration Model option to Enabled.

  17. Confirm that Renew expired certificates and Update Certificates options are both checked. Leave the other settings as they are.

  18. Choose Apply, then OK, and close the dialog box.

Next, you will configure the Public Key Policies for user configuration.

  • Go to User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies. Follow the previous procedures from step 6 to step 21 to configure the Public Key Policies for user configuration.

Once you've finished configuring GPOs and Public Key Policies, objects in the domain will request certificates from AWS Private CA Connector for AD and get certificates issued by AWS Private CA.

Confirming AWS Private CA issued a certificate

The process to update AWS Private CA to issue certificates for your AWS Managed Microsoft AD can take up to 8 hours.

You can do one of the following:

  • You can wait this period of time.

  • You can restart the AWS Managed Microsoft AD domain joined machines that were configured to receive certificates from the AWS Private CA. Then you can confirm the AWS Private CA has issued certificates to members of your AWS Managed Microsoft AD domain by following the procedure in Microsoft documentation.

  • You can use the following Windows PowerShell command to update the certificates for your AWS Managed Microsoft AD:

    certutil -pulse
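As an added example that is not part of the AWS documentation, the following PowerShell, run on a Windows machine joined to the AWS Managed Microsoft AD domain, combines the checks from this page: it refreshes group policy, confirms that the connector's enrollment policy endpoint was applied for both the computer and user configuration (and that no LDAP-based policy remains), runs certutil -pulse, and then lists certificates issued by the Private CA and whether each one chains to a trusted root. The enrollment policy endpoint URI and the Private CA subject are placeholders to be replaced with your own values.

```powershell
# Added example, not from the AWS documentation. Run in an elevated PowerShell on a
# machine joined to the AWS Managed Microsoft AD domain after the PCA GPO is linked.
# Both parameters are placeholders: substitute the enrollment policy server endpoint
# generated for your connector and the subject name of your Private CA.
param(
    [string]$ConnectorPolicyUri = 'https://<connector-enrollment-policy-endpoint>',
    [string]$PrivateCaSubject   = 'CN=<your-private-ca-subject>'
)

# 1. Refresh group policy so the PCA GPO settings from the procedure above apply.
gpupdate /force | Out-Null

# 2. Confirm the applied enrollment policy servers reference the connector for both
#    contexts. The full objects are printed on failure so a leftover LDAP-based
#    "Active Directory Enrollment Policy" entry is visible.
foreach ($ctx in 'Machine', 'User') {
    $servers = @(Get-CertificateEnrollmentPolicyServer -Scope Applied -Context $ctx)
    $hit = $servers | Where-Object { ($_ | Out-String) -match [regex]::Escape($ConnectorPolicyUri) }
    if ($hit) { "[$ctx] connector enrollment policy is applied" }
    else      { Write-Warning "[$ctx] connector enrollment policy is NOT applied"; $servers | Format-List * }
}

# 3. Trigger auto-enrollment now instead of waiting for the next scheduled run.
certutil -pulse | Out-Null
Start-Sleep -Seconds 30

# 4. Look for certificates issued by the Private CA in the computer and user stores
#    and verify that each one chains to a trusted root. An unverifiable chain usually
#    means the Private CA certificate is not yet trusted by the domain members.
foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    $issued = Get-ChildItem $store | Where-Object { $_.Issuer -match [regex]::Escape($PrivateCaSubject) }
    if (-not $issued) { Write-Warning "No certificate issued by $PrivateCaSubject in $store"; continue }
    foreach ($c in $issued) {
        # The template extension shows which AD certificate template produced the cert.
        $ext = $c.Extensions | Where-Object { $_.Oid.FriendlyName -like 'Certificate Template*' } | Select-Object -First 1
        [pscustomobject]@{
            Store      = $store
            Subject    = $c.Subject
            NotAfter   = $c.NotAfter
            Template   = if ($ext) { $ext.Format($false) } else { 'n/a' }
            ChainValid = $c.Verify()
        }
    }
}
```

Run the script as a domain user to populate the user store results; the computer store results only require local administrator rights.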