AWS Security Blog
How to implement a hybrid PKI solution on AWS
As customers migrate workloads into Amazon Web Services (AWS) they may be running a combination of on-premises and cloud infrastructure. When certificates are issued to this infrastructure, having a common root of trust to the certificate hierarchy allows for consistency and interoperability of the Public Key Infrastructure (PKI) solution.
In this blog post, I am going to show how you can plan and deploy a PKI that enables certificates to be issued across a hybrid (cloud & on-premises) environment with a common root. This solution will use Windows Server Certificate Authority (Windows CA), also known as Active Directory Certificate Services (ADCS) to distribute and manage x.509 certificates for Active Directory users, domain controllers, routers, workstations, web servers, mobile and other devices. And an AWS Certificate Manager Private Certificate Authority (ACM PCA) to manage certificates for AWS services, including API Gateway, CloudFront, Elastic Load Balancers, and other workloads.
The Windows CA also integrates with AWS Cloud HSM to securely store the private keys that sign the certificates issued by your CAs, and use the HSM to perform the cryptographic signing operations. In Figure 1, the diagram below shows how ACM PCA and Windows CA can be used together to issue certificates across a hybrid environment.
PKI is a framework that enables a safe and trustworthy digital environment through the use of a public and private key encryption mechanism. PKI maintains secure electronic transactions on the internet and in private networks. It also governs the verification, issuance, revocation, and validation of individual systems in a network.
There are two types of PKI:
- PKI, which issues public certificates that are used on the internet.
- Private PKI, which issues private certificates for an internal network.
This blog post focuses on the implementation of a private PKI, to issue and manage private certificates.
When implementing a PKI, there can be challenges from security, infrastructure, and operations standpoints, especially when dealing with workloads across multiple platforms. These challenges include managing isolated PKIs for individual networks across on-premises and AWS cloud, managing PKI with no Hardware Security Module (HSM) or on-premises HSM, and lack of automation to rapidly scale the PKI servers to meet demand.
Figure 2 shows how an internal PKI can be limited to a single network. In the following example, the root CA, issuing CAs, and certificate revocation list (CRL) distribution point are all in the same network, and issue cryptographic certificates only to users and devices in the same private network.
Planning for your PKI system deployment
It’s important to carefully consider your business requirements, encryption use cases, corporate network architecture, and the capabilities of your internal teams. You must also plan for how to manage the confidentiality, integrity, and availability of the cryptographic keys. These considerations should guide the design and implementation of your new PKI system.
In the below section, we outline the key services and components used to design and implement this hybrid PKI solution.
Key services and components for this hybrid PKI solution
- AWS Certificate Manager (ACM) lets you issue and manage both public and private PKI certificates for AWS services that are integrated with ACM, such as, Elastic Load Balancing (ELB), Amazon CloudFront, and Amazon API Gateway. ACM automatically manages the annual renewal of the certificates for these workloads. ACM private certificates can also be exported and used with other resources, including webservers, devices, and others. ACM doesn’t automatically manage the renewals of exported private certificates.
- AWS CloudHSM offers a cloud-based hardware security module (HSM) to process cryptographic operations and provide secure storage for encryption keys. CloudHSM integrates with third-party systems, such as Windows Server CA, and automatically sends its audit logs to Amazon CloudWatch Logs.
- Windows Active Directory Certificate Services (Windows AD CS) runs on Windows servers and provides customizable services for issuing and managing digital certificates used in systems that employ public key technologies.
- Amazon Simple Storage Service (Amazon S3) is an object storage service. In this solution, you use it as the PKI CRL distribution point (CDP) to store the CRL and authority information access (AIA).
- Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud, where you can launch AWS resources in a virtual network that you create and manage. Your Windows CA servers for this solution are hosted in Amazon VPC.
- Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute instances in the cloud. Amazon EC2 instances are used to install and run your Windows AD CS, which provides the CA.
- AWS Key Management Service (AWS KMS) enables you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. It’s used to encrypt your EC2 volumes or Amazon Elastic Block Storage (Amazon EBS).
- Network Load Balancer distributes incoming traffic across multiple targets, such as Amazon EC2 instances. A Network Load Balancer is used to increase the availability of your PKI solution by distributing network traffic among your Windows PKI instances across multiple Availability Zones (AZs).
- AWS Resource Access Manager (AWS RAM) is a service that enables you to securely share AWS resources with other AWS accounts or within your organization. In this solution, it’s used to share your ACM private CA, AWS Transit Gateways, and Amazon Route 53 Resolver.
Solution overview
This hybrid PKI can be used if you need a new private PKI, or want to upgrade from an existing legacy PKI with a cryptographic service provider (CSP) to a secure PKI with Windows Cryptography Next Generation (CNG). The hybrid PKI design allows you to seamlessly manage cryptographic keys throughout the IT infrastructure of your organization, from on-premises to multiple AWS networks.
The solution architecture is depicted in the preceding figure—Figure 3. The solution uses an offline root CA that can be operated on-premises or in an Amazon VPC, while the subordinate Windows CAs run on EC2 instances and are integrated with CloudHSM for key management and storage. To insulate the PKI from external access, the CloudHSM cluster are deployed in protected subnets, the EC2 instances are deployed in private subnets, and the host VPC has site-to-site network connectivity to the on-premises network. The Amazon EC2 volumes are encrypted with AWS KMS customer managed keys. Users and devices connect and enroll to the PKI interface through a Network Load Balancer.
This solution also includes a subordinate ACM private CA to issue certificates that will be installed on AWS services that are integrated with ACM. For example, ELB, CloudFront, and API Gateway. This is so that the certificates users see are always presented from your organization’s internal PKI.
Prerequisites for deploying this hybrid internal PKI in AWS
- Experience with AWS Cloud, Windows Server, and AD CS is necessary to deploy and configure this solution.
- An AWS account to deploy the cloud resources.
- An offline root CA, running on Windows 2016 or newer, to sign the CloudHSM and the issuing CAs, including the private CA and Windows CAs. Here is an AWS Quick-Start article to deploy your Root CA in a VPC. We recommend installing the Windows Root CA in its own AWS account.
- A VPC with at least four subnets. Two or more public subnets and two or more private subnets, across two or more AZs, with secure firewall rules, such as HTTPS to communicate with your PKI web servers through a load balancer, along with DNS, RDP and other port to communicate within your organization network. You can use this CloudFormation sample VPC template to help you get started with your PKI VPC provisioning.
- Site-to-site AWS Direct Connect or VPN connection from your VPC to the on-premises network and other VPCs to securely manage multiple networks.
- Windows 2016 EC2 instances for the subordinate CAs.
- An Active Directory environment that has access to the VPC that hosts the PKI servers. This is required for a Windows Enterprise CA implementation.
Deploy the solution
The below CloudFormation Code and instructions will help you deploy and configure all the AWS components shown in the above architecture diagram. To implement the solution, you’ll deploy a series of CloudFormation templates through the AWS Management Console.
If you’re not familiar with CloudFormation, you can learn about it from Getting started with AWS CloudFormation. The templates for this solution can be deployed with the CloudFormation console, AWS Service Catalog, or a code pipeline.
Download and review the template bundle
To make it easier to deploy the components of this internal PKI solution, you download and deploy a template bundle. The bundle includes a set of CloudFormation templates, and a PowerShell script to complete the integration between CloudHSM and the Windows CA servers.
- There are additional costs for resources deployed by this solution. The resources include: CloudHSM, ACM PCA, ELB, EC2s, S3, and KMS.
- The solution also deploys some AWS Identity and Access Management (IAM) roles and policies.
To download the template bundle
- Download or clone the solution source code repository from AWS GitHub.
- Review the descriptions in each template for more instructions.
Deploy the CloudFormation templates
Now that you have the templates downloaded, use the CouldFormation console to deploy them.
To deploy the VPC modification template
Deploy this template into an existing VPC to create the protected subnets to deploy a CloudHSM cluster.
- Navigate to the CloudFormation console.
- Select the appropriate AWS Region, and then choose Create Stack.
- Choose Upload a template file.
- Select 01_PKI_Automated-VPC_Modifications.yaml as the CloudFormation stack file, and then choose Next.
- On the Specify stack details page, enter a stack name and the parameters. Some parameters have a dropdown list that you can use to select existing values.
- Choose Next, Next, and Create Stack.
To deploy the PKI CDP S3 bucket template
This template creates an S3 bucket for the CRL and AIA distribution point, with initial bucket policies that allow access from the PKI VPC, and PKI users and devices from your on-premises network, based on your input. To grant access to additional AWS accounts, VPCs, and on-premises networks, please refer to the instructions in the template.
- Navigate to the CloudFormation console.
- Choose Upload a template file.
- Select 02_PKI_Automated-Central-PKI_CDP-S3bucket.yaml as the CloudFormation stack file, and then choose Next.
- On the Specify stack details page, enter a stack name and the parameters.
- Choose Next, Next, and Create Stack
To deploy the ACM Private CA subordinate template
This step provisions the ACM private CA, which is signed by an existing Windows root CA. Provisioning your private CA with CloudFormation makes it possible to sign the CA with a Windows root CA.
- Navigate to the CloudFormation console.
- Choose Upload a template file.
- Select 03_PKI_Automated-ACMPrivateCA-Provisioning.yaml as the CloudFormation stack file, and then choose Next.
- On the Specify stack details page, enter a stack name and the parameters. Some parameters have a dropdown list that you can use to select existing values.
- Choose Next, Next, and Create Stack.
Assign and configure certificates
After deploying the preceding templates, use the console to assign certificate renewal permissions to ACM and configure your certificates.
To assign renewal permissions
- In the ACM Private CA console, choose Private CAs.
- Select your private CA from the list.
- Choose the Permissions tab.
- Select Authorize ACM to use this CA for renewals.
- Choose Save.
To sign private CA certificates with an external CA (console)
- In the ACM Private CA console, select your private CA from the list.
- From the Actions menu, choose Import CA certificate. The ACM Private CA console returns the certificate signing request (CSR).
- Choose Export CSR to a file and save it locally.
- Choose Next.
- Use your existing Windows root CA.
- Copy the CSR to the root CA and sign it.
- Export the signed CSR in base64 format.
- Export the <RootCA>.crt certificate in base64 format.
- On the Upload the certificates page, upload the signed CSR and the RootCA certificates.
- Choose Confirm and Import to import the private CA certificate.
To request a private certificate using the ACM console
Note: Make a note of IDs of the certificate you configure in this section to use when you deploy the HTTPS listener CloudFormation templates.
- Sign in to the console and open the ACM console.
- Choose Request a certificate.
- On the Request a certificate page, choose Request a private certificate and Request a certificate to continue.
- On the Select a certificate authority (CA) page, choose Select a CA to view the list of available private CAs.
- Choose Next.
- On the Add domain names page, enter your domain name. You can use a fully qualified domain name, such as www.example.com, or a bare—also called apex—domain name such as example.com. You can also use an asterisk (*) as a wild card in the leftmost position to include all subdomains in the same root domain. For example, you can use *.example.com to include all subdomains of the root domain example.com.
- To add another domain name, choose Add another name to this certificate and enter the name in the text box.
- (Optional) On the Add tags page, tag your certificate.
- When you finish adding tags, choose Review and request.
- If the Review and request page contains the correct information about your request, choose Confirm and request.
Note: You can learn more at Requesting a Private Certificate.
To share the private CA with other accounts or with your organization
You can use ACM Private CA to share a single private CA with multiple AWS accounts. To share your private CA with multiple accounts, follow the instructions in How to use AWS RAM to share your ACM Private CA cross-account.
Continue deploying the CloudFormation templates
With the certificates assigned and configured, you can complete the deployment of the CloudFormation templates for this solution.
To deploy the Network Load Balancer template
In this step, you provision a Network Load Balancer.
- Navigate to the CloudFormation console.
- Choose Upload a template file.
- Select 05_PKI_Automated-LoadBalancer-Provisioning.yaml as the CloudFormation stack file, and then choose Next.
- On the Specify stack details page, enter a stack name and the parameters. Some parameters are filled in automatically or have a dropdown list that you can use to select existing values.
- Choose Next, Next, and Create Stack.
To deploy the HTTPS listener configuration template
The following steps create the HTTPS listener with an initial configuration for the load balancer.
- Navigate to the CloudFormation console:
- Choose Upload a template file.
- Select 06_PKI_Automated-HTTPS-Listener.yaml as the CloudFormation stack file, and then choose Next.
- On the Specify stack details page, enter the stack name and the parameters. Some parameters are filled in automatically or have a dropdown list that you can use to select existing values.
- Choose Next, Next, and Create Stack.
To deploy the AWS KMS CMK template
In this step, you create an AWS KMS CMK to encrypt EC2 EBS volumes and other resources. This is required for the EC2 instances in this solution.
- Open the CloudFormation console.
- Choose Upload a template file.
- Select 04_PKI_Automated-KMS_CMK-Creation.yaml as the CloudFormation stack file, and then choose Next.
- On the Specify stack details page, enter a stack name and the parameters.
- Choose Next, Next, and Create Stack.
To deploy the Windows EC2 instances provisioning template
This template provisions a purpose-built Windows EC2 instance within an existing VPC. It will provision an EC2 instance for the Windows CA, with KMS to encrypt the EBS volume, an IAM instance profile and automatically installs SSM agent on your instance.
It also has optional features and flexibilities. For example, the template can automatically create new target group, or add instance to existing target group. It can also configure listener rules, create Route 53 records and automatically join an Active Directory domain.
Note: The AWS KMS CMK and the IAM role are required to provision the EC2, while the target group, listener rules, and domain join features are optional.
- Navigate to the CloudFormation console.
- Choose Upload a template file.
- Select 07_PKI_Automated-EC2-Servers-Provisioning.yaml as the CloudFormation stack file, and then choose Next.
- On the Specify stack details page, enter the stack name and the parameters. Some parameters are filled in automatically or have a dropdown list that you can use to select existing values.
Note: The Optional properties section at the end of the parameters list isn’t required if you’re not joining the EC2 instance to an Active Directory domain.
- Choose Next, Next, and Create Stack.
Create and initialize a CloudHSM cluster
In this section, you create and configure CloudHSM within the VPC subnets provisioned in previous steps. After the CloudHSM cluster is completed and signed by the Windows root CA, it will be integrated with the EC2 Windows servers provisioned in previous sections.
To create a CloudHSM cluster
- Log in to the AWS account, open the console, and navigate to the CloudHSM.
- Choose Create cluster.
- In the Cluster configuration section:
- Select the VPC you created.
- Select the three private subnets you created across the Availability Zones in previous steps.
- Choose Next: Review.
- Review your cluster configuration, and then choose Create cluster.
To create an HSM
- Open the console and go to the CloudHSM cluster you created in the preceding step.
- Choose Initialize.
- Select an AZ for the HSM that you’re creating, and then choose Create.
To download and sign a CSR
Before you can initialize the cluster, you must download and sign a CSR generated by the first HSM of the cluster.
- Open the CloudHSM console.
- Choose Initialize next to the cluster that you created previously.
- When the CSR is ready, select Cluster CSR to download it.
To initialize the cluster
- Open the CloudHSM console.
- Choose Initialize next to the cluster that you created previously.
- On the Download certificate signing request page, choose Next. If Next is not available, choose one of the CSR or certificate links, and then choose Next.
- On the Sign certificate signing request (CSR) page, choose Next.
- Use your existing Windows root CA.
- Copy the CSR to the root CA and sign it.
- Export the signed CSR in base64 format.
- Also export the <RootCA>.crt certificate in base64 format.
- On the Upload the certificates page, upload the signed CSR and the root CA certificates.
- Choose Upload and initialize.
Integrate CloudHSM cluster to Windows Server AD CS
In this section you use a script that provides step-by-step instructions to help you successfully integrate your Windows Server CA with AWS CloudHSM.
To integrate CloudHSM cluster to Windows Server AD CS
Open the script 09_PKI_AWS_CloudHSM-Windows_CA-Integration-Playbook.txt and follow the instructions to complete the CloudHSM integration with the Windows servers.
Install and configure Windows CA with CloudHSM
When the CloudHSM integration is complete, install and configure your Windows Server CA with the CloudHSM key storage provider and select RSA#Cavium Key Storage Provider as your cryptographic provider.
Conclusion
By deploying the hybrid solution in this post, you’ve implemented a PKI to manage security across all workloads in your AWS accounts and in your on-premises network.
With this solution, you can use a private CA to issue Transport Layer Security (TLS) certificates to your Application Load Balancers, Network Load Balancers, CloudFront, and other AWS workloads across multiple accounts and VPCs. The Windows CA lets you enhance your internal security by binding your internal users, digital devices, and applications to appropriate private keys. You can use this solution with TLS, Internet Protocol Security (IPsec), digital signatures, VPNs, wireless network authentication, and more.
Additional resources
- Monitor CloudHSM Audit Logs
- Creating and Managing a Private CA
- Best Practices for AWS CloudHSM
- Windows Certification Authority Guidance
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the AWS Certificate Manager forum or CloudHSM forum or contact AWS Support.
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.