
Microsoft Public Key Infrastructure on AWS

Reduce insecure, unsigned network traffic

A public key infrastructure (PKI) creates, manages, distributes, stores, and revokes digital certificates. Windows environments use digital certificates to secure multiple types of connections. Connection types include lookups for Microsoft Active Directory LDAPS (Lightweight Directory Access Protocol over Secure Sockets Layer), Internet Information Services (IIS) HTTPS connections, Exchange Server communications, and Windows Server Update Services (WSUS).

With a Windows-hosted PKI in an Amazon Web Services (AWS) account, you can maintain your own certificates. This capability helps you reduce insecure, unsigned network traffic. To deploy a PKI environment on Windows, you install and configure certification authority (CA) roles on one or more Windows servers.

This Microsoft PKI solution deploys a two-tier hierarchy: a root CA and a subordinate CA. The root CA acts as the primary certification authority for an Active Directory forest. The root CA signs the subordinate CA's certificate, and the subordinate CA in turn issues the server and application certificates, so every issued certificate chains back to the root. The solution automatically generates an initial root certificate and then powers off the root CA's Amazon Elastic Compute Cloud (Amazon EC2) instance. This instance stays offline except when a new root certificate needs to be generated, which limits the root key's exposure and helps ensure the root certificate's integrity.

This solution was developed by AWS.

What you'll build

This solution sets up the following:

    • An architecture that spans two Availability Zones.*
    • A virtual private cloud (VPC) configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
    • In the public subnets:
      • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*
      • A Remote Desktop Gateway (RD Gateway) instance in an Auto Scaling group to allow inbound Remote Desktop Protocol (RDP) access to EC2 instances in public and private subnets.*
    • In the private subnets:
      • In Availability Zone 1, an EC2 instance running Windows to serve as an offline root CA.
      • In Availability Zone 2, an EC2 instance running Windows to serve as a subordinate CA.
    • AWS Directory Service, which helps deploy an Active Directory Certificate Services (AD CS) environment.*
    • AWS Secrets Manager to store credentials.
    • AWS Systems Manager to automate the CA deployment process and store the generated certificates.
    • AWS Identity and Access Management (IAM) to enable the EC2 instances and Systems Manager automation documents to perform their tasks.

    * The template that deploys the solution into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

How to deploy

To deploy Microsoft PKI, follow the instructions in the deployment guide. The deployment process takes about 30 minutes and includes these steps:

1. If you don't already have an AWS account, sign up at https://aws.amazon.com, and sign in to your account.
2. Launch the solution. You can choose from two options:
3. Test the deployment.
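The following PowerShell script is an added example for the "Test the deployment" step and for the two-tier hierarchy described above; it is not part of the AWS solution or its CloudFormation templates. It checks, from a domain-joined Windows host, that an LDAPS endpoint presents a certificate chaining through the subordinate CA to the offline root CA, and that the root CA's EC2 instance is powered off. The host name, root CA subject, and instance ID are placeholders you must replace with values from your own deployment; the last check assumes AWS Tools for PowerShell is installed with EC2 read permissions.

```powershell
# Added post-deployment check; not part of the AWS Microsoft PKI solution.
# All three parameter defaults are placeholders, not values from the deployment guide.
param(
    [string]$LdapsHost        = 'dc1.example.corp',          # placeholder: a domain controller FQDN
    [string]$RootCaSubject    = 'CN=Example-Root-CA',        # placeholder: subject of the offline root CA cert
    [string]$RootCaInstanceId = 'i-0123456789abcdef0'        # placeholder: EC2 instance ID of the root CA
)

# 1. The root CA certificate must already be in the machine's Trusted Root store
#    (the solution distributes it through Active Directory; a missing entry means
#    chain validation below cannot succeed).
$rootCert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $RootCaSubject }
if (-not $rootCert) { throw "Root CA '$RootCaSubject' is not in Cert:\LocalMachine\Root." }

# 2. Open a TLS session to LDAPS (TCP 636) and capture the certificate the server presents.
#    The callback accepts any certificate here only so the leaf can be inspected;
#    the real trust decision is made by the explicit chain build in step 3.
$tcp = New-Object System.Net.Sockets.TcpClient($LdapsHost, 636)
$acceptForInspection = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptForInspection)
$ssl.AuthenticateAsClient($LdapsHost)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# 3. Build the chain with online revocation checking and require it to end at the root CA.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if (-not $chain.Build($leaf)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Chain validation failed for ${LdapsHost}: $status"
}
$subjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
Write-Host "Chain: $($subjects -join ' -> ')"
if ($subjects[-1] -ne $RootCaSubject) {
    throw "LDAPS certificate for $LdapsHost does not chain to '$RootCaSubject'."
}
# A two-tier deployment yields exactly leaf -> subordinate CA -> root CA.
if ($subjects.Count -ne 3) {
    Write-Warning "Expected 3 chain elements (leaf, subordinate CA, root CA); got $($subjects.Count)."
}

# 4. The root CA instance should be stopped; anything else means the offline root is exposed.
$state = (Get-EC2Instance -InstanceId $RootCaInstanceId).Instances[0].State.Name
if ($state -ne 'stopped') {
    Write-Warning "Root CA instance $RootCaInstanceId is '$state'; expected 'stopped'."
} else {
    Write-Host "Root CA instance $RootCaInstanceId is stopped."
}
```

Run it from a domain-joined host that already trusts the root CA. A chain with only two elements usually means the domain controller is still presenting a certificate issued directly by a self-signed or legacy CA rather than by the new subordinate CA; a root instance in the `running` state outside a root-certificate renewal is worth investigating, since the design relies on the root CA staying offline.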

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

Costs and licenses

You are responsible for the cost of the AWS services and any third-party licenses used while running this solution reference deployment. There is no additional cost for using the solution itself.

The AWS CloudFormation templates for this solution include configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, refer to the pricing pages for each AWS service you use. Prices are subject to change.

This solution deploys EC2 instances running Microsoft Windows Server. The Windows Server licenses are provided by AWS.

Tip: After you deploy a solution, create AWS Cost and Usage Reports to track associated costs. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, refer to What are AWS Cost and Usage Reports?