Get started with Amazon Private CA Connector for Active Directory
With Amazon Private CA Connector for Active Directory, you can issue certificates from your private CA to your Active Directory objects for authentication and encryption. When you create a connector, Amazon Private Certificate Authority creates an endpoint for you in your VPC for your directory objects to request certificates.
To issue certificates, you create a connector and AD-compatible templates for the connector. When you create a template, you can set enrollment permissions for your AD groups.
Before you begin
The following tutorial guides you through the process of creating a connector for AD and a connector template. To follow this tutorial, you must first fulfill the prerequisites listed in the section.
Step 1: Create a connector
To create a connector, see Creating a connector for Active Directory.
Step 2: Configure Microsoft Active Directory policies
Connector for AD is unable to view or manage the customer's group policy object (GPO) configuration. The GPO controls the routing of AD requests to the customer's Amazon Private CA or to other authentication or certificate vending servers. An invalid GPO configuration may result in your requests being routed incorrectly. It is up to customers to configure and test the Connector for AD configuration.
Group Policies are associated with a Connector, and you may choose to create multiple Connectors for a single AD. It is up to you to manage access control for each connector if their group policy configurations differ.
The security of the data plane calls depends on Kerberos and your VPC configuration. Anyone with access to the VPC can make data plane calls as long as they are authenticated to the corresponding AD. This falls outside the boundary of AWSAuth, and managing authorization and authentication is up to you, the customer.
In Active Directory, follow the steps below to create a GPO that points to the URI generated when you created a connector. This step is required to use Connector for AD from the console or the command line.
Configure GPOs.
1. Open Server Manager on the DC.
2. Go to Tools and choose Group Policy Management in the upper right corner of the console.
3. Go to Forest > Domains. Select your domain name and right click on your domain. Select Create a GPO in this domain, and link it here … and enter PCA GPO for the name.
4. The newly created GPO will now be listed under your domain name.
5. Choose PCA GPO and select Edit. If a dialog box opens alerting you that this is a link and that changes will be globally propagated, acknowledge the message to continue. The Group Policy Management Editor should open.
6. In the Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies (choose the folder).
7. Go to object type and choose Certificate Services Client - Certificate Enrollment Policy.
8. In the options, change Configuration Model to Enabled.
9. Confirm that Active Directory Enrollment Policy is checked and Enabled. Choose Add.
10. The Certificate Enrollment Policy Server window should open.
11. Enter the certificate enrollment policy server endpoint that was generated when you created your connector in the Enter enrollment server policy URI field.
12. Leave the Authentication Type as Windows integrated.
13. Choose Validate. After validation succeeds, select Add. The dialog box closes.
14. Go back to Certificate Services Client - Certificate Enrollment Policy and check the box beside the newly created connector to ensure that the connector is the default enrollment policy.
15. Choose Active Directory Enrollment Policy and select Remove.
16. In the confirmation dialog box, choose Yes to delete the LDAP-based authentication.
17. Choose Apply and OK on the Certificate Services Client > Certificate Enrollment Policy window and close it.
18. Go to the Public Key Policies folder and choose Certificate Services Client - Auto-Enrollment.
19. Change the Configuration Model option to Enabled.
20. Confirm that Renew expired certificates and Update Certificates are both checked. Leave the other settings as they are.
21. Choose Apply, then OK, and close the dialog box.
Configure the Public Key Policies for user configuration next. Go to User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies. Follow the procedures outlined from step 6 to step 21 to configure the Public Key Policies for user configuration.
Once you've finished configuring GPOs and Public Key Policies, objects in the domain will request certificates from Amazon Private CA Connector for AD and get certificates issued by Amazon Private CA.
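Because Connector for AD cannot see your GPO, and a misconfigured one silently routes enrollment requests elsewhere, it is worth verifying the applied policy on a client in scope of PCA GPO. The following PowerShell script is an added verification example, not part of the AWS documentation or the Connector for AD product; it assumes the applied Certificate Enrollment Policy settings live under `<hive>\SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers` (values URL, AuthFlags) and auto-enrollment under `...\Cryptography\AutoEnrollment` (value AEPolicy), and `$ExpectedUri` is a placeholder you replace with your connector's enrollment policy server URI.

```powershell
# Added verification script (not AWS documentation). Run on a domain-joined machine
# in scope of "PCA GPO" after `gpupdate /force`, from an elevated PowerShell session.
# ASSUMPTION: registry layout and flag meanings below reflect observed Windows
# behaviour for Certificate Enrollment Policy; confirm them in your own environment.

# Placeholder: paste the enrollment policy server URI shown when you created the connector.
$ExpectedUri = 'https://REPLACE-WITH-YOUR-CONNECTOR-ENROLLMENT-POLICY-URI'

function Test-ConnectorEnrollmentPolicy {
    param([string]$Hive, [string]$ExpectedUri)
    $base = "$Hive\SOFTWARE\Policies\Microsoft\Cryptography"
    $r = [ordered]@{
        Hive                  = $Hive
        ConnectorConfigured   = $false   # a policy server entry points at the connector URI
        WindowsIntegratedAuth = $false   # that entry uses Windows integrated (Kerberos) auth
        OtherPolicyServers    = @()      # any other server that could still receive requests
        AutoEnrollment        = 'not configured'
    }
    foreach ($key in Get-ChildItem -Path "$base\PolicyServers" -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath
        if ($p.URL -eq $ExpectedUri) {
            $r.ConnectorConfigured = $true
            # ASSUMPTION: AuthFlags bit 0x2 = Windows integrated, 0x4 = username/password, 0x8 = certificate.
            $r.WindowsIntegratedAuth = (($p.AuthFlags -band 0x2) -ne 0)
        } elseif ($p.URL) {
            $r.OtherPolicyServers += $p.URL
        }
    }
    $ae = Get-ItemProperty -Path "$base\AutoEnrollment" -Name AEPolicy -ErrorAction SilentlyContinue
    if ($ae) {
        # ASSUMPTION: AEPolicy 0x1 = enabled, 0x2 = renew expired/update pending, 0x4 = update templates.
        $r.AutoEnrollment = if ($ae.AEPolicy -eq 7) { 'enabled, renew + update checked' } else { "AEPolicy=$($ae.AEPolicy)" }
    }
    [pscustomobject]$r
}

# The tutorial configures both Computer Configuration (HKLM) and User Configuration (HKCU).
$report = foreach ($hive in 'HKLM:', 'HKCU:') { Test-ConnectorEnrollmentPolicy -Hive $hive -ExpectedUri $ExpectedUri }
$report | Format-List

# Flag either half that does not route enrollment exclusively to the connector over Kerberos.
$bad = $report | Where-Object { -not $_.ConnectorConfigured -or -not $_.WindowsIntegratedAuth -or $_.OtherPolicyServers.Count -gt 0 }
if ($bad) { Write-Warning 'Applied enrollment policy does not match the GPO steps above; review PCA GPO before relying on it.'; exit 1 }
```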
Step 3: Create a template
To create a template, see Create a connector template.
Step 4: Configure Microsoft group permissions
To configure Microsoft group permissions, see Manage Connector for AD template access control entries.