Microsoft Public Key Infrastructure on AWS

Partner Solution Deployment Guide

August 2023
R. J. Davis, Jeremy Girven, and Dave May, AWS

Refer to the GitHub repository to view source files, report bugs, submit feature ideas, and post feedback about this Partner Solution. To comment on the documentation, refer to Feedback.

This Partner Solution was created by Amazon Web Services (AWS). Partner Solutions are automated reference deployments that help people deploy popular technologies on AWS according to AWS best practices. If you’re unfamiliar with AWS Partner Solutions, refer to the AWS Partner Solution General Information Guide.

Overview

This guide covers the information you need to deploy the Microsoft Public Key Infrastructure Partner Solution in the AWS Cloud.

A public key infrastructure (PKI) creates, manages, distributes, stores, and revokes digital certificates. Windows environments use digital certificates to secure multiple types of connections. Connection types include lookups for Microsoft Active Directory LDAPS (Lightweight Directory Access Protocol over Secure Sockets Layer), Internet Information Services (IIS) HTTPS connections, Exchange Server communications, and Windows Server Update Services (WSUS).

With a Windows-hosted PKI in an AWS account, you can maintain your own certificates. This capability helps you reduce insecure, unsigned network traffic. To deploy a PKI environment on Windows, you install and configure Certificate Authority (CA) roles on one or more Windows servers.

This Partner Solution deploys either a one-tier or a two-tier PKI infrastrucuture. With a one-tier infrastructure, a Windows EC2 instance is joined to your Active Directory domain and has the CA roles installed, becoming an Enterprise CA. With a two-tier infrastructure, a Windows EC2 instance is joined to your Active Directory domain, has the CA roles installed, and is promoted to the domain’s Root CA; a second Windows EC2 instance is then joined to the domain and becomes a Suborodinate CA, after which the Root CA is powered off. The two-tier PKI model is considered more secure than the one-tier model; since the Root CA remains offline, it can be powered on in the event of the Subordinate CA beconming compromised, and can then generate a new set of keys. The two-tier model also lends itself better to high availability since multiple Subordinate CAs can be added to the environment.

Costs and licenses

There is no cost to use this Partner Solution, but you will be billed for any AWS services or resources that this Partner Solution deploys. For more information, refer to the AWS Partner Solution General Information Guide.

Architecture

Deploying this Partner Solution for a new virtual private cloud (VPC) with default parameters builds the following Microsoft PKI environment in the AWS Cloud.

Figure 1. Partner Solution architecture for Microsoft PKI on AWS

As shown in Figure 1, the Partner Solution sets up the following:

An architecture that spans two Availability Zones.*
A VPC configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
In the public subnets:
- Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*
- A Remote Desktop Gateway (RD Gateway) instance in an Auto Scaling group to allow inbound Remote Desktop Protocol (RDP) access to EC2 instances in public and private subnets.*
In the private subnets:
- In Availability Zone 1, an EC2 instance running Windows to serve as an offline root CA.
- In Availability Zone 2, an EC2 instance running Windows to serve as a subordinate CA.
AWS Directory Service, which helps deploy an Active Directory Certificate Services (AD CS) environment.*
AWS Secrets Manager to store credentials.
AWS Systems Manager (formerly known as Amazon Simple Systems Manager, or SSM) to automate the CA deployment process and store the generated certificates.
AWS Identity and Access Management (IAM) to enable the EC2 instances and Systems Manager automation documents to perform their tasks.

* The template that deploys the Partner Solution into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

The AD CS deployment process

This Partner Solution deploys an AD CS environment, which includes an offline root CA and an online subordinate CA. The AWS Systems Manager automation document created by this Partner Solution automates the steps in the deployment. When the process is complete, the root CA has generated a domain root certificate and is powered off, and the subordinate CA is available to sign certificate requests for the domain.

Deployment options

This Partner Solution provides the following deployment options:

Deploy Microsoft PKI into a new VPC. This option builds a new AWS environment that consists of the VPC, subnets, NAT gateways, security groups, bastion hosts, and other infrastructure components. It then deploys Microsoft PKI into this new VPC.
Deploy Microsoft PKI into an existing VPC. This option provisions Microsoft PKI in your existing AWS infrastructure.

This Partner Solution provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and Microsoft PKI settings.

Deployment steps

Sign in to your AWS account, and launch this Partner Solution, as described under Deployment options. The AWS CloudFormation console opens with a prepopulated template.
Choose the correct AWS Region, and then choose Next.
On the Create stack page, keep the default setting for the template URL, and then choose Next.

On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

Unless you’re customizing the Partner Solution templates or are instructed otherwise in this guide’s Predeployment section, don’t change the default settings for the following parameters: QSS3BucketName, QSS3BucketRegion, and QSS3KeyPrefix. Changing the values of these parameters will modify code references that point to the Amazon Simple Storage Service (Amazon S3) bucket name and key prefix. For more information, refer to the AWS Partner Solutions Contributor’s Guide.

On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you finish, choose Next.
On the Review page, review and confirm the template settings. Under Capabilities, select all of the check boxes to acknowledge that the template creates AWS Identity and Access Management (IAM) resources that might require the ability to automatically expand macros.
Choose Create stack. The stack takes about 30 minutes to deploy.
Monitor the stack’s status, and when the status is CREATE_COMPLETE, the Microsoft Public Key Infrastructure deployment is ready.
To view the created resources, choose the Outputs tab.

Figure 2. CloudFormation outputs

Troubleshooting

For troubleshooting common Partner Solution issues, refer to the AWS Partner Solution General Information Guide and Troubleshooting CloudFormation.

The Systems Manager automation documents used in this deployment store the output of their PowerShell scripts in CloudWatch Logs. See Troubleshooting Systems Manager Run Command for details.

Customer responsibility

After you deploy a Partner Solution, confirm that your resources and services are updated and configured—including any required patches—to meet your security and other needs. For more information, refer to the Shared Responsibility Model.

Feedback

To submit feature ideas and report bugs, use the Issues section of the GitHub repository for this Partner Solution. To submit code, refer to the Partner Solution Contributor’s Guide. To submit feedback on this deployment guide, use the following GitHub links:

Notices

This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided "as is" without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at https://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "as is" basis, without warranties or conditions of any kind, either expressed or implied. Refer to the License for specific language governing permissions and limitations.