Microsoft Public Key Infrastructure on the AWS Cloud

Quick Start Reference Deployment

QS

January 2021
R. J. Davis, Jeremy Girven, and Dave May, AWS

Visit our GitHub repository for source files and to post feedback, report bugs, or submit feature ideas for this Quick Start.

This Quick Start was created by Amazon Web Services (AWS). Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.

Overview

This guide provides instructions for deploying the Microsoft PKI Quick Start reference architecture on the AWS Cloud.

This Quick Start is for systems administrators and IT engineers who need to deploy root and subordinate certification authorities (CAs) in their Active Directory environments.

Microsoft Public Key Infrastructure on AWS

A public key infrastructure (PKI) creates, manages, distributes, stores, and revokes digital certificates. Windows environments use digital certificates to secure multiple types of connections. Connection types include lookups for Microsoft Active Directory LDAPS (Lightweight Directory Access Protocol over Secure Sockets Layer), Internet Information Services (IIS) HTTPS connections, Exchange Server communications, and Windows Server Update Services (WSUS).

With a Windows-hosted PKI in an AWS account, you can maintain your own certificates. This capability helps you reduce insecure, unsigned network traffic. To deploy a PKI environment on Windows, you install and configure Certificate Authority (CA) roles on one or more Windows servers.

This Quick Start deploys either a one-tier or a two-tier PKI infrastrucuture. With a one-tier infrastructure, a Windows EC2 instance is joined to your Active Directory domain and has the CA roles installed, becoming an Enterprise CA. With a two-tier infrastructure, a Windows EC2 instance is joined to your Active Directory domain, has the CA roles installed, and is promoted to the domain’s Root CA; a second Windows EC2 instance is then joined to the domain and becomes a Suborodinate CA, after which the Root CA is powered off. The two-tier PKI model is considered more secure than the one-tier model; since the Root CA remains offline, it can be powered on in the event of the Subordinate CA beconming compromised, and can then generate a new set of keys. The two-tier model also lends itself better to high availability since multiple Subordinate CAs can be added to the environment.

AWS costs

You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start. There is no additional cost for using the Quick Start.

The AWS CloudFormation templates for Quick Starts include configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

After you deploy the Quick Start, create AWS Cost and Usage Reports to deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. These reports provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see What are AWS Cost and Usage Reports?

Software licenses

This Quick Start deploys EC2 instances running Microsoft Windows Server. The Windows Server licenses are provided by AWS.

Architecture

Deploying this Quick Start for a new virtual private cloud (VPC) with default parameters builds the following Microsoft PKI environment in the AWS Cloud.

Architecture1
Figure 1. Quick Start architecture for Microsoft PKI on AWS

As shown in Figure 1, the Quick Start sets up the following:

  • An architecture that spans two Availability Zones.*

  • A VPC configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*

  • In the public subnets:

    • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*

    • A Remote Desktop Gateway (RD Gateway) instance in an Auto Scaling group to allow inbound Remote Desktop Protocol (RDP) access to EC2 instances in public and private subnets.*

  • In the private subnets:

    • In Availability Zone 1, an EC2 instance running Windows to serve as an offline root CA.

    • In Availability Zone 2, an EC2 instance running Windows to serve as a subordinate CA.

  • AWS Directory Service, which helps deploy an Active Directory Certificate Services (AD CS) environment.*

  • AWS Secrets Manager to store credentials.

  • AWS Systems Manager (formerly known as Amazon Simple Systems Manager, or SSM) to automate the CA deployment process and store the generated certificates.

  • AWS Identity and Access Management (IAM) to enable the EC2 instances and Systems Manager automation documents to perform their tasks.

* The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

The AD CS deployment process

This Quick Start deploys an AD CS environment, which includes an offline root CA and an online subordinate CA. The AWS Systems Manager automation document created by this Quick Start automates the steps in the deployment. When the process is complete, the root CA has generated a domain root certificate and is powered off, and the subordinate CA is available to sign certificate requests for the domain.

Planning the deployment

Specialized knowledge

This deployment requires a moderate level of familiarity with AWS services. If you’re new to AWS, see Getting Started Resource Center and AWS Training and Certification. These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.

This Quick Start assumes familiarity with Microsoft CA roles.

AWS account

If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.

Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.

Technical requirements

Before you launch the Quick Start, review the following information and ensure that your account is properly configured. Otherwise, deployment might fail.

Resource quotas

If necessary, request service quota increases for the following resources. You might request quota increases to avoid exceeding the default limits for any resources that are shared across multiple deployments. The Service Quotas console displays your usage and quotas for some aspects of some services. For more information, see What is Service Quotas? and AWS service quotas.

Resource This deployment uses

VPCs

1

Elastic IP addresses

1

Security groups

1

IAM roles

1

EC2 instances

3

Secrets Manager

2

AWS Managed Directories

1

Supported Regions

  • us-east-1 (N. Virginia)

  • us-east-2 (Ohio)

  • us-west-1 (N. California)

  • us-west-2 (Oregon)

  • ca-central-1 (Canada Central)

  • eu-central-1 (Frankfurt)

  • eu-west-1 (Ireland)

  • eu-west-2 (London)

  • eu-west-3 (Paris)

  • ap-southeast-1 (Singapore)

  • ap-southeast-2 (Sydney)

  • ap-south-1 (Mumbai)

  • ap-northeast-1 (Tokyo)

  • ap-northeast-2 (Seoul)

  • sa-east-1 (South America)

  • eu-north-1 (Stockholm)

  • ap-east-1 (Hong Kong)

  • me-south-1 (Bahrain)

  • af-south-1 (Cape Town)

  • eu-south-1 (Milan)

Certain Regions are available on an opt-in basis. For more information, see Managing AWS Regions.

EC2 key pairs

Make sure that at least one Amazon EC2 key pair exists in your AWS account in the Region where you plan to deploy the Quick Start. Make note of the key pair name. You need it during deployment. To create a key pair, see Amazon EC2 key pairs and Linux instances.

For testing or proof-of-concept purposes, we recommend creating a new key pair instead of using one that’s already being used by a production instance.

IAM permissions

Before launching the Quick Start, you must sign in to the AWS Management Console with IAM permissions for the resources that the templates deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions. For more information, see AWS managed policies for job functions.

Deployment options

This Quick Start provides two deployment options:

  • Deploy Microsoft PKI into a new VPC. This option builds a new AWS environment consisting of the VPC, subnets, NAT gateways, security groups, Remote Desktop Gateway, and other infrastructure components. It then deploys Microsoft PKI into this new VPC.

  • Deploy Microsoft PKI into an existing VPC. This option provisions Microsoft PKI in your existing AWS infrastructure.

The Quick Start provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and Microsoft PKI settings, as discussed later in this guide.

Deployment steps

Sign in to your AWS account

  1. Sign in to your AWS account at https://aws.amazon.com with an IAM user role that has the necessary permissions. For details, see Planning the deployment earlier in this guide.

  2. Make sure that your AWS account is configured correctly, as discussed in the Technical requirements section.

Launch the Quick Start

If you’re deploying Microsoft PKI into an existing VPC, make sure that your VPC has two private subnets in different Availability Zones for the workload instances, and that the subnets aren’t shared. This Quick Start doesn’t support shared subnets. These subnets require NAT gateways in their route tables, to allow the instances to download packages and software without exposing them to the internet.
You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start. For full details, see the pricing pages for each AWS service used by this Quick Start. Prices are subject to change.

Each deployment takes about 30 minutes to complete.

  1. Sign in to your AWS account, and choose one of the following options to launch the AWS CloudFormation template. For help with choosing an option, see Deployment options earlier in this guide.

Deploy Microsoft PKI into a new VPC on AWS

View template

Deploy Microsoft PKI into an existing VPC on AWS

View template

  1. Check the AWS Region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This is where the network infrastructure for Microsoft PKI will be built. The template is launched in the us-east-1 Region by default.

  1. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  2. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. For details on each parameter, see the Parameter reference section of this guide. When you finish reviewing and customizing the parameters, choose Next.

  3. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you’re finished, choose Next.

  4. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.

  5. Choose Create stack to deploy the stack.

  6. Monitor the status of the stack. When the status is CREATE_COMPLETE, the Microsoft PKI deployment is ready.

  7. Use the values displayed in the Outputs tab for the stack, as shown in Figure 2, to view the created resources.

cfn_outputs
Figure 2. Microsoft PKI outputs after successful deployment

Post-deployment steps

Run Windows Updates

In order to ensure the deployed servers' operating systems and installed applications have the latest Microsoft updates, run Windows Update on each server.

  1. Create an RDP session from the Remote Desktop Gateway server to each deployed server.

  2. Open the Settings application.

  3. Open Update & Security.

  4. Click Check for updates.

  5. Install any updates and reboot if necessary.

Test the deployment

  1. Connect to the RD Gateway via RDP, then connect to the subordinate CA via RDP.

  2. Navigate to http://<subordinate CA FQDN>/certsrv

  3. Issue a test certificate

Best practices for using Microsoft PKI on AWS

This Quick Start migrates pertinent folders and files—those related to the certificate services—to an Amazon Elastic Block Store (Amazon EBS) volume [D:\]. Back up the Microsoft PKI deployment, including the private key and the current certificate database.

Security

After this Quick Start deploys the root CA and generates the root certificate, the root CA is powered off. The root CA is intended to remain offline until the domain root certificate needs to be renewed.

Domain-administrator credentials are stored in AWS Secrets Manager and consumed by the subordinate CA. The subordinate CA uses these credentials to join domains, install certificate services, and add the required DNS records.

Other useful information

FAQ

Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, relaunch the template with Rollback on failure set to No. (This setting is under Advanced in the AWS CloudFormation console, Configure stack options page.) With this setting, the stack’s state is retained and the instance is left running, so you can troubleshoot the issue. (For Windows, look at the log files in %ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.)

When you set Rollback on failure to Disabled, you continue to incur AWS charges for this stack. Delete the stack when you finish troubleshooting.

For additional information, see Troubleshooting AWS CloudFormation.

Q. I encountered a size limitation error when I deployed the AWS CloudFormation templates.

A. Launch the Quick Start templates from the links in this guide or from another S3 bucket. If you deploy the templates from a local copy on your computer or from a location other than an S3 bucket, you might encounter template size limitations. For more information, see AWS CloudFormation quotas.

Troubleshooting

The Systems Manager automation documents used in this deployment store the output of their PowerShell scripts in CloudWatch Logs.

Parameter reference

Unless you are customizing the Quick Start templates for your own deployment projects, we recommend that you keep the default settings for the parameters labeled Quick Start S3 bucket name, Quick Start S3 bucket Region, and Quick Start S3 key prefix. Changing these parameter settings automatically updates code references to point to a new Quick Start location. For more information, see the AWS Quick Start Contributor’s Guide.

Parameters for deploying into an existing VPC

Table 1. Network Configuration
Parameter label (name) Default value Description

VPC CIDR (VPCCIDR)

10.0.0.0/16

CIDR Block for the VPC

VPC ID (VPCID)

Requires input

ID of the VPC (e.g., vpc-0343606e)

CA(s) Subnet ID (CaServerSubnet)

Requires input

ID of the CA(s) subnet (e.g., subnet-a0246dcd)

Domain Members Security Group ID (DomainMembersSG)

Requires input

Security Group ID for Domain Members Security Group.

Table 2. Amazon EC2 Configuration
Parameter label (name) Default value Description

Offline Root CA Instance Type (Only Used For Two Tier PKI) (OrCaServerInstanceType)

t3.medium

Amazon EC2 instance type for the Offline Root CA instance (Only Used For Two Tier PKI)

Offline Root CA Data Drive Size (Only Used For Two Tier PKI) (OrCaDataDriveSizeGiB)

2

Size of the Data Drive in GiB for the Offline Root CA (Only Used For Two Tier PKI)

Enterprise Root or Subordinate CA Instance Type (EntCaServerInstanceType)

t3.medium

Amazon EC2 instance type for the Enterprise Root or Subordinate CA instance

Enterprise Root or Subordinate CA Data Drive Size (EntCaDataDriveSizeGiB)

2

Size of the Data Drive in GiB for the Enterprise Root or Subordinate CA

Key Pair Name (KeyPairName)

Requires input

Name of the key pair that you will use to securely connect to your EC2 instance after it launches.

SSM Parameter Value for latest AMI ID (AMI)

/aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base

CA(s) SSM Parameter Value to grab the latest AMI ID

Table 3. Microsoft Active Directory Domain Services Configuration
Parameter label (name) Default value Description

Active Directory Domain Services Type (DirectoryType)

Requires input

Type of Active Directory the CA(s) will be integrated with, AWS Managed Microsoft AD or Self Managed AD

Domain FQDN DNS Name (DomainDNSName)

Requires input

Fully qualified domain name (FQDN) of the forest root domain e.g. example.com

Domain NetBIOS Name (DomainNetBIOSName)

Requires input

NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows e.g. EXAMPLE

IP used for DNS (Must be accessible) (DomainController1IP)

Requires input

IP of DNS server that can resolve domain (Must be accessible)

IP used for DNS (Must be accessible) (DomainController2IP)

Requires input

IP of DNS server that can resolve domain (Must be accessible)

Secret ARN Containing CA Install Credentials (AdministratorSecret)

Requires input

ARN for the CA Install Credentials Secret used to to install the CA (Must be a member of Enterpise Admins or AWS Delegated Enterprise Certificate Authority Administrators)

Table 4. Microsoft Active Directory Certificate Services Configuration
Parameter label (name) Default value Description

CA Deployment Type (CADeploymentType)

Two-Tier

Deploy Two Tier (Offline Root with Subordinate Enterprise CA) or One Tier (Enterprise Root CA) PKI Infrastructure

Offline Root CA NetBIOS Name (Only Used For Two Tier PKI) (OrCaServerNetBIOSName)

ORCA1

NetBIOS name of the Offline Root CA server (Only Used For Two Tier PKI) (up to 15 characters)

Enterprise Root or Subordinate CA NetBIOS Name (EntCaServerNetBIOSName)

ENTCA1

NetBIOS name of the Enterprise Root or Subordinate CA server (up to 15 characters)

CA Key Length (CaKeyLength)

2048

CA(s) Cryptographic Provider Key Length

CA Hash Algorithm (CaHashAlgorithm)

SHA256

CA(s) Hash Algorithm for Signing Certificates

Offline Root CA Certificate Validity Period in Years (Only Used For Two Tier PKI) (OrCaValidityPeriodUnits)

10

Validity Period in Years (Only Used For Two Tier PKI)

Enterprise Root or Subordinate CA Certificate Validity Period in Years (CaValidityPeriodUnits)

5

Validity Period in Years

Use S3 for CA CRL Location (UseS3ForCRL)

No

Store CA CRL(s) in an S3 bucket

CA CRL S3 Bucket Name (S3CRLBucketName)

examplebucket

S3 bucket name for CA CRL(s) storage. Bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-)

Table 5. AWS Quick Start configuration
Parameter label (name) Default value Description

Quick Start S3 bucket name (QSS3BucketName)

aws-quickstart

S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).

Quick Start S3 bucket Region (QSS3BucketRegion)

us-east-1

The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value

Quick Start S3 key prefix (QSS3KeyPrefix)

quickstart-microsoft-pki/

S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/)

Send us feedback

To post feedback, submit feature ideas, or report bugs, use the Issues section of the GitHub repository for this Quick Start. To submit code, see the Quick Start Contributor’s Guide.

Quick Start reference deployments

GitHub repository

Visit our GitHub repository to download the templates and scripts for this Quick Start, to post your comments, and to share your customizations with others.


Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for specific language governing permissions and limitations.