Prerequisites - Amazon Directory Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).


Before you enable client-side LDAPS, you need to meet the following requirements.

Deploy server certificates in Active Directory

In order to enable client-side LDAPS, you need to obtain and install server certificates for each domain controller in Active Directory. These certificates will be used by the LDAP service to listen for and automatically accept SSL connections from LDAP clients. You can use SSL certificates that are either issued by an in-house Active Directory Certificate Services (ADCS) deployment or purchased from a commercial issuer. For more information on Active Directory server certificate requirements, see LDAP over SSL (LDAPS) Certificate on the Microsoft website.

CA certificate requirements

A certificate authority (CA) certificate, which represents the issuer of your server certificates, is required for client-side LDAPS operation. CA certificates are matched with the server certificates that are presented by your Active Directory domain controllers to encrypt LDAP communications. Note the following CA certificate requirements:

  • To register a certificate, it must be more than 90 days away from expiration.

  • Certificates must be in Privacy-Enhanced Mail (PEM) format. If exporting CA certificates from inside Active Directory, choose base64 encoded X.509 (.CER) as the export file format.

  • A maximum of five (5) CA certificates can be stored per AD Connector directory.

  • Certificates using the RSASSA-PSS signature algorithm are not supported.

Networking requirements

Amazon application LDAP traffic will run exclusively on TCP port 636, with no fallback to LDAP port 389. However, Windows LDAP communications supporting replication, trusts, and more will continue using LDAP port 389 with Windows-native security. Configure Amazon security groups and network firewalls to allow TCP communications on port 636 in AD Connector (outbound) and self-managed Active Directory (inbound).