Set up Amazon Private CA Connector for AD for Amazon Managed Microsoft AD - Amazon Directory Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Set up Amazon Private CA Connector for AD for Amazon Managed Microsoft AD

You can integrate your Amazon Managed Microsoft AD with Amazon Private Certificate Authority (CA) to issue and manage certificates for your Active Directory domain controllers, domain joined users, groups, and machines. Amazon Private CA Connector for Active Directory allows you to use a fully managed Amazon Private CA drop-in replacement for your self-managed enterprise CAs without the need to deploy, patch, or update local agents or proxy servers.

You can set up Amazon Private CA integration with your directory through the Amazon Directory Service console, the Amazon Private CA Connector for Active Directory console, or by calling the CreateTemplate API. To set up the Private CA integration through the Amazon Private CA Connector for Active Directory console, see Creating a connector template. See the following steps on how to set up this integration from the Amazon Directory Service console.

Setting up Amazon Private CA Connector for AD

To create a Private CA connector for Active Directory
  1. Sign in to the Amazon Web Services Management Console and open the Amazon Directory Service console at https://console.amazonaws.cn/directoryservicev2/.

  2. On the Directories page, choose your directory ID.

  3. Under the Application Management tab and Amazon apps & services section, choose Amazon Private CA Connector for AD.

  4. On the Create Private CA certificate for Active Directory page, complete the steps to create your Private CA for Active Directory connector.

For more information, see Creating a connector.

Viewing Amazon Private CA Connector for AD

To view Private CA connector details
  1. Sign in to the Amazon Web Services Management Console and open the Amazon Directory Service console at https://console.amazonaws.cn/directoryservicev2/.

  2. On the Directories page, choose your directory ID.

  3. Under the Application Management tab and Amazon apps & services section, view your Private CA connectors and associated Private CA. The following fields display:

    1. Amazon Private CA Connector ID – The unique identifier for an Amazon Private CA connector. Choose it to view the details page.

    2. Amazon Private CA subject – Information regarding the distinguished name for the CA. Choose it to view the details page.

    3. Status – Status check results for the Amazon Private CA Connector and Amazon Private CA:

      • Active – Both checks pass

      • 1/2 checks failed – One check fails

      • Failed – Both checks fail

      For failed status details, hover over the hyperlink to see which check failed.

    4. DC Certificates Enrollment status – Status check for domain controller certificate status:

      • Enabled – Certificate enrollment is enabled

      • Disabled – Certificate enrollment is disabled

    5. Date created – When the Amazon Private CA Connector was created.

For more information, see View connector details.

The following table shows the different statuses for domain controller certificate enrollment for Amazon Managed Microsoft AD with Amazon Private CA.

DC enrollment status – Description – Action required

Enabled
  Description – Domain controller certificates are successfully enrolled to your directory.
  Action required – No action required.

Failed
  Description – Domain controller certificate enrollment enablement or disablement failed for your directory.
  Action required – If your enablement action fails, retry by turning off domain controller certificates and then turning on again. If your disablement action fails, retry by turning on domain controller certificates and then turning off again. If retry fails, contact Amazon Support.

Impaired
  Description – Domain controllers have network connectivity issues communicating with Amazon Private CA endpoints.
  Action required – Check Amazon Private CA VPC endpoint and S3 bucket policies to allow network connectivity with your directory. For more information, see Troubleshoot Amazon Private Certificate Authority exception messages and Troubleshoot Amazon Private CA certificate revocation issues.

Disabled
  Description – Domain controller certificate enrollment is successfully turned off for your directory.
  Action required – No action required.

Disabling
  Description – Domain controller certificate enrollment disablement is in progress.
  Action required – No action required.

Enabling
  Description – Domain controller certificate enrollment enablement is in progress.
  Action required – No action required.

Configuring AD Policies

Amazon Private CA Connector for AD must be configured so Amazon Managed Microsoft AD domain controllers and objects can request and receive certificates. Configure your group policy object (GPO) so Amazon Private CA can issue certificates to Amazon Managed Microsoft AD objects.

Configuring Active Directory policies for domain controllers

Turn on Active Directory policies for domain controllers
  1. Open the Network & Security tab.

  2. Choose Amazon Private CA Connectors.

  3. Choose a connector linked to the Amazon Private CA subject that issues domain controller certificates to your directory.

  4. Choose Actions, Enable domain controller certificates.

Important

Configure a valid domain controller template before you turn on domain controller certificates to avoid delayed updates.

After you turn on domain controller certificate enrollment, your directory's domain controllers request and receive certificates from Amazon Private CA Connector for AD.

To change your issuing Amazon Private CA for domain controller certificates, first connect the new Amazon Private CA to your directory using a new Amazon Private CA Connector for AD. Before you turn on certificate enrollment on the new Amazon Private CA, turn off certificate enrollment on the existing one:

Turn off domain controller certificates
  1. Open the Network & Security tab.

  2. Choose Amazon Private CA Connectors.

  3. Choose a connector linked to the Amazon Private CA subject that issues domain controller certificates to your directory.

  4. Choose Actions, Disable domain controller certificates.

Configuring Active Directory policies for domain joined users, computers and machines

Configure group policy objects
  1. Connect to the Amazon Managed Microsoft AD admin instance and open Server Manager from the Start menu.

  2. Under Tools, choose Group Policy Management.

  3. Under Forest and Domains, find your subdomain organizational unit (OU) (for example, corp is your subdomain organizational unit if you followed the procedures outlined in Creating your Amazon Managed Microsoft AD) and right-click on your subdomain OU. Choose Create a GPO in this domain, and link it here and enter PCA GPO for the name. Choose OK.

  4. The newly created GPO appears following your subdomain name. Right-click on PCA GPO and choose Edit. If a dialog box opens with an alert message stating This is a link and that changes are globally propagated, acknowledge the message by choosing OK to continue. The Group Policy Management Editor window opens.

  5. In the Group Policy Management Editor window, go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies (choose the folder).

  6. Under Object Type, choose Certificate Services Client - Certificate Enrollment Policy.

  7. In the Certificate Services Client - Certificate Enrollment Policy window, change Configuration Model to Enabled.

  8. Confirm that Active Directory Enrollment Policy is selected and Enabled. Choose Add.

  9. The Certificate Enrollment Policy Server dialog box opens. In the Enter enrollment policy server URI field, enter the certificate enrollment policy server endpoint that you generated when you created your connector. Leave the Authentication Type as Windows integrated.

  10. Choose Validate. After validation succeeds, choose Add.

  11. Return to the Certificate Services Client - Certificate Enrollment Policy dialog box and select the box beside the newly created connector to make sure that the connector is the default enrollment policy.

  12. Choose Active Directory Enrollment Policy and choose Remove.

  13. In the confirmation dialog box, choose Yes to delete the LDAP-based authentication.

  14. Choose Apply and then OK in the Certificate Services Client - Certificate Enrollment Policy window. Then close the window.

  15. Under Object Type for the Public Key Policies folder, choose Certificate Services Client - Auto-Enrollment.

  16. Change the Configuration Model option to Enabled.

  17. Confirm that Renew expired certificates and Update Certificates options are both selected. Leave the other settings as they are.

  18. Choose Apply, then OK, and close the dialog box.

Next, configure the Public Key Policies for user configuration by repeating steps 6-17 in the User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies section.

After you finish configuring GPOs and Public Key Policies, objects in the domain request certificates from Amazon Private CA Connector for AD and receive certificates issued by Amazon Private CA.

Confirming Amazon Private CA issued a certificate

The process to update Amazon Private CA to issue certificates for your Amazon Managed Microsoft AD can take up to 8 hours.

You can do one of the following:

  • You can wait this period of time.

  • You can restart the Amazon Managed Microsoft AD domain joined machines that were configured to receive certificates from the Amazon Private CA. Then you can confirm the Amazon Private CA has issued certificates to members of your Amazon Managed Microsoft AD domain by following the procedure in Microsoft documentation.

  • You can use the following PowerShell command to update the certificates for your Amazon Managed Microsoft AD:

    certutil -pulse
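
The following PowerShell script is an added verification example; it is not part of this documentation page and not tooling provided by Amazon Directory Service or Amazon Private CA. Run it on a domain-joined Windows machine (elevated) after the PCA GPO from the previous section has been linked. It triggers the same certutil -pulse refresh described above, then shows what the GPO actually applied: the enrollment policy server URI the machine will use, the auto-enrollment setting, any recent auto-enrollment events, and the machine certificates chained to your Private CA. The registry locations are the standard Windows policy locations (assumed, since the page does not name them), and the CA subject string is a placeholder you must replace.

```powershell
# Added example, not from the AWS documentation page.
# Assumptions: standard Windows policy registry locations for enrollment policy
# servers and auto-enrollment; $IssuerMatch is a PLACEHOLDER for a substring of
# your Amazon Private CA subject (for example its CN).
param(
    [string]$IssuerMatch = 'CN=EXAMPLE-PRIVATE-CA'   # placeholder, replace with your CA subject
)

# 1. Refresh machine policy and trigger auto-enrollment (same as the page's certutil -pulse).
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null

# 2. Enrollment policy servers the GPO configured for the machine.
#    After the GPO procedure you should see exactly one entry whose URL is the
#    connector's certificate enrollment policy server endpoint, and no LDAP entry.
$policyServers = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers'
if (Test-Path $policyServers) {
    Get-ChildItem $policyServers | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            FriendlyName = $p.FriendlyName
            URL          = $p.URL
            AuthFlags    = $p.AuthFlags   # Windows integrated authentication is expected here
        }
    } | Format-Table -AutoSize
} else {
    Write-Warning 'No enrollment policy servers configured; the GPO may not have applied yet.'
}

# 3. Auto-enrollment policy value written by "Certificate Services Client - Auto-Enrollment".
$autoEnroll = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
if (Test-Path $autoEnroll) {
    "AutoEnrollment AEPolicy = $((Get-ItemProperty $autoEnroll).AEPolicy)"
} else {
    Write-Warning 'Auto-enrollment policy not present; check the Public Key Policies GPO settings.'
}

# 4. Recent auto-enrollment events. Errors here (for example a policy server that cannot
#    be reached) are the first place to look if no certificate appears.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap -AutoSize

# 5. Machine certificates issued by the Private CA, with days until expiry so you can
#    confirm renewal is happening before they lapse.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
    Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint,
        @{ n = 'DaysLeft'; e = { [int]($_.NotAfter - (Get-Date)).TotalDays } } |
    Format-Table -AutoSize
```

To verify the user-configuration half of the GPO (the Public Key Policies you configured under User Configuration), run the same checks in a user session against HKCU:\SOFTWARE\Policies\Microsoft\Cryptography and the Cert:\CurrentUser\My store. If step 2 still lists an LDAP (Active Directory Enrollment Policy) entry, the removal in step 12 of the GPO procedure did not apply; if step 5 is empty while step 2 looks correct, allow for the propagation window noted above before treating it as a failure.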