Set up Amazon Private CA Connector for AD for Amazon Managed Microsoft AD

You can integrate your Amazon Managed Microsoft AD with Amazon Private Certificate Authority (CA) to issue and manage certificates for your Active Directory domain joined users, groups, and machines. Amazon Private CA Connector for Active Directory allows you to use a fully managed Amazon Private CA drop-in replacement for your self-managed enterprise CAs without the need to deploy, patch, or update local agents or proxy servers.

Note

Server-side LDAPS certificate enrollment for Amazon Managed Microsoft AD domain controllers with Amazon Private CA Connector for Active Directory is not supported at this time. To enable server-side LDAPS for your directory, see How to enable server-side LDAPS for your Amazon Managed Microsoft AD directory.

You can set up Amazon Private CA integration with your directory through the Amazon Directory Service console, the Amazon Private CA Connector for Active Directory console, or by calling the CreateTemplate API. To set up the Private CA integration through the Amazon Private CA Connector for Active Directory console, see Creating a connector template. See the following steps on how to set up this integration from the Amazon Directory Service console.

Setting up Amazon Private CA Connector for AD

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Directory Service console at https://console.amazonaws.cn/directoryservicev2/.

  2. On the Directories page, choose your directory ID.

  3. Under the Network & Security tab, under Amazon Private CA Connector for AD, choose Set up Amazon Private CA Connector for AD. The page Create Private CA certificate for Active Directory appears. Follow the steps on the console to create your Private CA for Active Directory connector to enroll with your Private CA. For more information, see Creating a connector.

  4. After you create your connector, the following steps walk you through how to view the details of the Amazon Private CA Connector for AD, including the connector's status and the associated Private CA's status.

Next, you'll configure the group policy object for your Amazon Managed Microsoft AD so Amazon Private CA Connector for AD can issue certificates.

Viewing Amazon Private CA Connector for AD

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Directory Service console at https://console.amazonaws.cn/directoryservicev2/.

  2. On the Directories page, choose your directory ID.

  3. Under Network & Security, under Amazon Private CA Connector for AD, you can view your Private CA connectors and associated Private CA. By default, you see the following fields:

    1. Amazon Private CA Connector ID — The unique identifier for an Amazon Private CA connector. Clicking on it leads to the details page of that Amazon Private CA connector.

    2. Amazon Private CA subject — Information about the distinguished name for the CA. Clicking on it leads to the details page of that Amazon Private CA.

    3. Status — Based on a status check for the Amazon Private CA Connector and the Amazon Private CA. If both checks pass, Active displays. If one of the checks fails, 1/2 checks failed displays. If both checks fail, Failed displays. For more information about a failed status, hover over the hyperlink to learn which check failed. Follow the instructions in the console to remediate.

    4. Date created — The day the Amazon Private CA Connector was created.

For more information, see View connector details.

Configuring AD Policies

CA Connector for AD needs to be configured so Amazon Managed Microsoft AD objects can request and receive certificates. In this procedure, you'll configure your group policy object (GPO) so Amazon Private CA can issue certificates to Amazon Managed Microsoft AD objects.

  1. Connect to the Amazon Managed Microsoft AD admin instance and open the Server Manager from the Start menu.

  2. Under Tools, select Group Policy Management.

  3. Under Forest and Domains, find your subdomain organizational unit (OU) (for example, corp would be your subdomain organizational unit if you followed the procedures outlined in Creating your Amazon Managed Microsoft AD) and right click on your subdomain OU. Select Create a GPO in this domain, and link it here... and enter PCA GPO for the name. Select OK.

  4. The newly created GPO will appear following your subdomain name. Right click on PCA GPO and select Edit. If a dialog box opens with an alert message stating , acknowledge the message by selecting OK to continue. The Group Policy Management Editor window should open.

  5. In the Group Policy Management Editor window, go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies (choose the folder).

  6. Under Object Type, choose Certificate Services Client - Certificate Enrollment Policy.

  7. In the Certificate Services Client - Certificate Enrollment Policy window, change Configuration Model to Enabled.

  8. Confirm that Active Directory Enrollment Policy is checked and Enabled. Choose Add.

  9. The Certificate Enrollment Policy Server dialog box should open. Enter the certificate enrollment policy server endpoint that was generated when you created your connector in the Enter enrollment server policy URI field. Leave the Authentication Type as Windows integrated.

  10. Choose Validate. After validation succeeds, select Add.

  11. Return to Certificate Services Client - Certificate Enrollment Policy dialog box and check the box beside the newly created connector to ensure that the connector is the default enrollment policy.

  12. Choose Active Directory Enrollment Policy and select Remove.

  13. In the confirmation dialog box, choose Yes to delete the LDAP-based authentication.

  14. Choose Apply and then OK in the Certificate Services Client - Certificate Enrollment Policy window. Then close the window.

  15. Under Object Type for the Public Key Policies folder, choose Certificate Services Client - Auto-Enrollment.

  16. Change the Configuration Model option to Enabled.

  17. Confirm that Renew expired certificates and Update Certificates options are both checked. Leave the other settings as they are.

  18. Choose Apply, then OK, and close the dialog box.

Next, you will configure the Public Key Policies for user configuration.

  • Go to User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies. Follow the previous procedures from step 6 to step 21 to configure the Public Key Policies for user configuration.

Once you've finished configuring GPOs and Public Key Policies, objects in the domain will request certificates from Amazon Private CA Connector for AD and get certificates issued by Amazon Private CA.

Confirming Amazon Private CA issued a certificate

The process to update Amazon Private CA to issue certificates for your Amazon Managed Microsoft AD can take up to 8 hours.

You can do one of the following:

  • You can wait this period of time.

  • You can restart the Amazon Managed Microsoft AD domain joined machines that were configured to receive certificates from the Amazon Private CA. Then you can confirm the Amazon Private CA has issued certificates to members of your Amazon Managed Microsoft AD domain by following the procedure in Microsoft documentation.

  • You can use the following Windows PowerShell command to update the certificates for your Amazon Managed Microsoft AD:

    certutil -pulse
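As an added example that is not part of the AWS documentation, the following PowerShell script checks on a domain-joined machine whether the PCA GPO's autoenrollment settings have applied (Computer and User Configuration), lists any certificates already issued by your Private CA, and, if none are present yet, triggers autoenrollment with the same certutil -pulse command shown above. The issuer substring is a placeholder you replace with part of your Private CA's subject name.

```powershell
# Added example, not part of the AWS documentation: check that the PCA GPO settings
# reached this host and that Amazon Private CA has started issuing certificates.
# Run on a domain-joined machine in an elevated PowerShell session.
# $IssuerMatch is a placeholder: replace it with a substring of your Private CA's subject.
param([string]$IssuerMatch = 'Example Private CA')

function Test-AutoEnrollmentPolicy {
    # AEPolicy bits: 1 = enabled, 2 = renew expired / update pending / remove revoked,
    # 4 = update certificates that use templates. All three checked in the GPO gives 7.
    param([string]$Hive)   # 'HKLM' for Computer Configuration, 'HKCU' for User Configuration
    $key = "${Hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $ae = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    [pscustomobject]@{ Scope = $Hive; AEPolicy = $ae; Configured = (($ae -band 7) -eq 7) }
}

function Get-PrivateCaIssuedCerts {
    param([string]$Issuer, [string]$StorePath)
    Get-ChildItem -Path $StorePath | Where-Object { $_.Issuer -like "*$Issuer*" } | ForEach-Object {
        # The template name is carried in the Certificate Template Information extension
        $tmpl = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        [pscustomobject]@{
            Store      = $StorePath
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            DaysLeft   = [int]($_.NotAfter - (Get-Date)).TotalDays
            Template   = if ($tmpl) { $tmpl.Format($false) } else { '(none)' }
            Thumbprint = $_.Thumbprint
        }
    }
}

# 1. Did the GPO's Public Key Policies (computer and user) apply on this host?
'HKLM', 'HKCU' | ForEach-Object { Test-AutoEnrollmentPolicy -Hive $_ } | Format-Table -AutoSize

# 2. Has the Private CA issued any certificates to this machine or user yet?
$certs = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') |
    ForEach-Object { Get-PrivateCaIssuedCerts -Issuer $IssuerMatch -StorePath $_ }

if ($certs) {
    $certs | Format-Table Store, Subject, NotAfter, DaysLeft, Template -AutoSize
    # Flag anything within 30 days of expiry so a stalled renewal is noticed early
    $certs | Where-Object DaysLeft -lt 30 | ForEach-Object { Write-Warning "Expiring soon: $($_.Subject)" }
} else {
    Write-Warning "No certificates from '$IssuerMatch' found yet; triggering autoenrollment."
    gpupdate /force | Out-Null     # pull the PCA GPO now instead of waiting for the next refresh
    certutil -pulse                # same command the documentation gives to start autoenrollment
}
```

If the Configured column shows False for either scope, the GPO has not reached that scope yet; check the OU link and run gpresult /r before looking for certificates.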