Microsoft Workloads on AWS

How to simplify certificate provisioning in Active Directory with AWS Private Certificate Authority

In this blog post, we will explore a new feature for AWS Private Certificate Authority (AWS Private CA), Connector for Active Directory, that can help you more easily provision certificates for users and machines within your Microsoft Active Directory (AD) environment with just a few clicks. AWS Private CA can accelerate your provisioning and reduce the need for hardware security module (HSM) management and other time-consuming operational tasks.

Today, many AD administrators provision users and machines with certificate-based authentication with Active Directory Certificate Services. However, doing so requires admins to build their own certificate authority (CA) infrastructure with HSMs. They also manage key ceremonies, key generation, crypto users, FIPS requirements, and other elements of the process.

AWS Private CA aims to simplify that whole process for you. It’s a highly available, fully managed private CA service that you can use to create CA hierarchies and issue private X.509 certificates. AWS Private Certificate Authority issues more than 1.5 million private certificates per day on average, including internal AWS certificates.

With the highly available and fully managed service, you can use these private certificates to establish endpoints for TLS encryption, cryptographically sign code, authenticate users, and more. You can now use a Connector for AD to issue certificates to domain-joined devices in your AD environment.

Note that this newly launched feature is distinct from Active Directory Connector, which is a directory gateway you can use to redirect directory requests to your on-premises Microsoft AD without caching any information in the cloud.

You can create a Connector for AD with a few clicks in the AWS Management Console, allowing you to seamlessly integrate AWS Private CA in AD and issue certificates from AWS Private CA, using the same auto-enrollment and group policy-based methods you use today.

Background

Active Directory is widely used by customers to centralize authentication and management of network resources in a Windows-based environment, both on-premises and in AWS. AD uses certificates to enable security features such as authentication, securing communications channels, and allowing for Lightweight Directory Access Protocol (LDAP) over SSL (LDAPS).

In some cases, AD admins have had to build and maintain a self-managed public key infrastructure (PKI) to facilitate certificate requests from domain-joined devices. Doing so requires creating a Microsoft Windows Server CA, either on-premises or on Amazon Elastic Compute Cloud (Amazon EC2), and configuring Active Directory Certificate Services (AD CS). You may also need an HSM to securely store the CA private keys, which requires expensive hardware and significant expertise to manage appropriately.

Customers with self-managed PKI or external CA providers face several other challenges, including:

  • Operational overhead: Managing complex PKI infrastructure needs specialized expertise and continuous maintenance, such as server patch management, securing private keys and monitoring.
  • Hardware and software cost: Managing highly available and scalable HSM used to implement PKI adds additional costs and complexity.
  • Compliance overhead: Depending on the nature of the organization, you may need to meet regulatory standards, leading to additional cost to build controls to meet and prove compliance.
  • Revocation and renewal costs: Managing the certificate lifecycle requires resources to manage revocation and renewal of certificates.

Overview of AWS Private CA Connector for AD

You can use AWS Private CA to create a Connector for Active Directory, configure the certificate templates required for your specific use cases, and automatically issue certificates using the AD auto-enrollment mechanisms you already use with AD CS. You can use Connector for AD to integrate with your on-premises AD environment using the Active Directory Connector, or with AWS Managed AD.

You no longer need to configure and manage a Windows CA or HSMs to protect your CA private keys, as the CA private keys in AWS Private CA are stored in FIPS 140-2 Level 3 validated HSMs. This allows admins to focus on tasks other than management of CAs and HSMs. More importantly, your admins will not need to change the way they issue certificates to end user devices, which reduces the effort needed to migrate away from your existing on-premises PKI.

The Connector for AD exposes an endpoint to integrate with AWS Managed Microsoft AD or your self-managed AD. The Connector for AD acts as a broker for certificate requests between AD and AWS Private CA, enabling the auto-enrollment of certificates for users and systems managed by AD.

The Connector for AD can be used to issue certificates to domain-joined devices for both on-premises AD environments (using the Active Directory Connector provided by AWS Directory Services) and AD environments hosted in AWS Managed Microsoft AD.

AWS Private CA and the Connector for AD provide several benefits:

  • Reduce operational overhead: AWS Private CA provides scalable and highly available CAs to issue private certificates for any workload, without requiring you to manage any hardware, local agents, or proxy servers.
  • Offload compliance requirements: CA private keys in AWS Private CA are stored in FIPS 140-2 Level 3 validated HSMs. AWS manages the hardware for you, allowing you to focus on other tasks. Additional compliance details can be found in the AWS Private CA documentation.
  • Get started quickly, and automate more easily: You can use a simple wizard in the AWS Management Console to create CAs and configure a Connector to integrate with either on-premises AD or AWS Managed AD, all in a few clicks. You can also use the AWS Private CA APIs/CLI for automation.
  • Simplify certificate revocation and renewals: AWS Private CA provides managed revocation through Online Certificate Status Protocol (OCSP) and certificate revocation lists (CRL).

Using AWS Private CA and the Connector for AD can help you decrease PKI costs, offload hardware management and compliance requirements to AWS, and reduce the time your administrators spend on trivial management tasks that could be better used for delivering value to your business.

Figure 1 displays the difference between an on-premises AD CS implementation without AWS Private CA, and an implementation using AWS Private CA with the Connector for AD.

Figure 1: Connector for AD simplifies PKI management.

Table 1 contains an outline of the request flow for each architecture. You will notice the workflows are very similar, meaning you will not need to change your existing processes; but with AWS Private CA, all the heavy lifting of managing CAs and revocation infrastructure is offloaded to AWS.

On-premises AD certificate requests:

1. System joins Active Directory (AD) domain.
2. System sends certificate signing request (CSR) to PKI.
3. PKI validates the requesting system with AD and issues certificate.
4. PKI updates the self-managed revocation system with any revoked certificate.

Connector for AD certificate requests:

1. System joins Active Directory (AD) domain.
2. System sends certificate signing request (CSR) to Connector for AD.
3. Connector for AD validates the request and then issues the certificate.

Note: You can set up revocation as OCSP, CRL, or both in AWS Private CA during CA setup.

Table 1: Comparison of the request flow for the two implementations.

Certificate hierarchies in AWS Private CA

AWS Private CA enables you to create and manage CA hierarchies. You can read further on CA hierarchies and important design considerations here.

A well-designed CA hierarchy gives you more flexibility around the security controls, supported certificate templates, and revocation configurations for different branches in the hierarchy. It also helps provide better division of administrative tasks for different branches.

If you’re looking to extend your on-premises PKI into AWS using AWS Private CA, recall that you can sign CAs created in AWS Private CA with an external Root CA. This enables you to issue certificates from AWS Private CA that are already trusted by your organization, as they will be part of the same chain of trust as your on-prem PKI.

You can scale the utilization of CAs with Connector for AD by sharing them across multiple AWS accounts using AWS Resource Access Manager (RAM). RAM enables sharing of CAs with least privilege access.

Getting Started

To get started with the Connector for AD and issuing certificates with AWS Private CA:

Prerequisites:

  1. Identify the Active Directory environment for which you want to issue certificates using AWS Private CA.
  2. Create an AWS Directory Services AD Connector to integrate with your AD.
    1. Refer to these instructions that outline the prerequisites to configure the AD Connector. To use the Connector for AD, you will need to grant write permissions to the service account you use to enable the AD Connector, as well as the other permissions listed in the documentation.
  3. Identify or create an AWS Private CA certificate authority you will use to issue certificates to AD.
  4. Identify or create the security group for the Connector for AD VPC endpoint to communicate with your AD.

With these prerequisites in place, you can use the AWS Management Console to create a Connector for AD and issue certificates (Figure 2).

  1. Go to the AWS Private CA management console. On the right navigation, select Connector for Active Directory.
  2. In the Active Directory section:
    1. Select the Active Directory type as AWS Managed Microsoft AD or on-premises Active Directory with AWS AD Connector.
    2. Choose the right directory from the Select your directory drop-down.
    3. Select the security group for the VPC endpoint that will be used to interact with the AD.
  3. In the Private certificate authority section, choose the correct subordinate CA to issue certificates for AD.
  4. Add tags (optional) as necessary to meet your organization's needs.
  5. Choose Create Connector.

Figure 2: Connector for AD Management Console

Now that the Connector for AD is created, you can issue certificates for domain-joined devices from AWS Private CA. You will also need to configure the appropriate certificate templates for use in your organization, based on your specific use case(s). You can find step-by-step instructions to configure certificate templates for use with the Connector for AD in the Connector for AD documentation. To configure auto-enrollment and begin automatically issuing certificates, refer to the relevant Microsoft documentation.
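Once the connector, a certificate template, and the auto-enrollment group policy are in place, the check an administrator usually wants is whether a domain-joined machine actually received a certificate chaining to the AWS Private CA subordinate, and whether the OCSP/CRL revocation data published by AWS Private CA is reachable from that machine. The following PowerShell script is an added example, not code from the original post or from AWS; it uses only built-in Windows tooling (gpupdate, certutil, the Cert: drive, and the .NET X509Chain class). The CA common name in $CaCommonName is a hypothetical value and must be replaced with the subject CN of the subordinate CA you selected in the connector.

```powershell
# Added example (not from the original post): verify auto-enrollment results on a
# domain-joined Windows machine. Run in an elevated PowerShell session.
param(
    # Assumption: replace with the subject CN of your AWS Private CA subordinate CA.
    [string]$CaCommonName = 'Example Corp Issuing CA'
)

# 1. Refresh computer group policy and trigger auto-enrollment immediately
#    instead of waiting for the scheduled auto-enrollment task.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null

# 2. Look for machine certificates whose issuer is the expected CA.
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*CN=$CaCommonName*" }

if (-not $certs) {
    Write-Warning "No certificate issued by '$CaCommonName' found in LocalMachine\My."
    Write-Warning "Check the template's enrollment permissions, the auto-enrollment GPO, and the connector's VPC endpoint security group."
    exit 1
}

foreach ($cert in $certs) {
    Write-Host "Found $($cert.Subject) (thumbprint $($cert.Thumbprint)), valid until $($cert.NotAfter)"

    # 3. Build the chain with online revocation checking for every element.
    #    This forces the client to fetch the OCSP response or CRL that
    #    AWS Private CA publishes, so a failure here usually means the
    #    revocation endpoints are unreachable or the CA was configured without revocation.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $built = $chain.Build($cert)

    if ($built) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Host "  Chain and revocation check OK; trust anchor: $($root.Subject)"
    } else {
        # Each status entry names the problem, e.g. RevocationStatusUnknown or
        # OfflineRevocation when OCSP/CRL cannot be fetched, UntrustedRoot when the
        # root CA certificate has not been distributed to the machine.
        foreach ($status in $chain.ChainStatus) {
            Write-Warning "  $($status.Status): $($status.StatusInformation.Trim())"
        }
    }
}
```

If the chain builds but revocation status is reported as unknown, the same information can be obtained in more detail with certutil -urlfetch -verify against an exported copy of the certificate, which prints each OCSP and CRL URL it tried. An UntrustedRoot status on a machine that otherwise enrolled successfully typically means the root of the hierarchy (your external root, if you signed the AWS Private CA subordinate with it) has not yet been published to the domain's trusted root store.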

Conclusion

In this blog we introduced the new AWS Private CA feature, Connector for AD, and discussed how it can help you simplify PKI management, reducing both operational intricacies and costs. AWS Private CA and the Connector for AD can help you reduce operational overhead costs, offload compliance requirements, get started provisioning quickly, automate tasks, and simplify the process of revoking and renewing certificates. We also discussed the types of AD implementations supported by the Connector for AD, and provided some considerations around design patterns for the CA hierarchy you create in AWS Private CA when using this connector.

To learn more about the services mentioned in this blog, refer to the Connector for AD, AWS Private CA, CA best practices, and AWS Directory Services documentation. You can get started creating CAs in AWS Private CA using the AWS Management Console.


AWS has significantly more services, and more features within those services, than any other cloud provider, making it faster, easier, and more cost effective to move your existing applications to the cloud and build nearly anything you can imagine. Give your Microsoft applications the infrastructure they need to drive the business outcomes you want. Visit our .NET on AWS and AWS Database blogs for additional guidance and options for your Microsoft workloads.

Contact us to start your migration and modernization journey today.

Pravin Nair

Pravin is a Sr. Security Solution Architect in Data Protection and Privacy. He helps customers build secure, scalable solutions that support their business needs. He has a background in encryption at rest and in transit, infrastructure security, and privacy.

Zachary Miller

Zach Miller is a Senior Security Specialist Solutions Architect at AWS. His background is in data protection and security architecture, focused on a variety of security domains including cryptography, secrets management, and data classification. Today, he is focused on helping enterprise AWS customers adopt and operationalize AWS security services to increase security effectiveness and reduce risk.