Microsoft Workloads on AWS
How to Use ACM PCA Connector for AD to enable LDAPS for Your Self-Managed AD
In this blog, we will explore how to use the ACM PCA Connector for AD as the PKI solution for your self-managed AD to enable server-side LDAPS, discuss the architecture, and provide a step-by-step guide to set it up.
Introduction
Managing a robust and secure Public Key Infrastructure (PKI) is crucial for enterprises running Microsoft Active Directory (AD). AWS offers AWS Certificate Manager Private Certificate Authority (ACM PCA) Connector for AD, which allows organizations to integrate ACM PCA into their AD environment. This provides a scalable, cost-effective, and managed solution for issuing certificates to Windows domain-joined devices and services.
By using the Lightweight Directory Access Protocol (LDAP) over SSL (LDAPS), you encrypt LDAP communications between applications and Microsoft Active Directory. Applications then use the Active Directory LDAPS protocol to read from and write to sensitive attributes of Active Directory objects, which might include personally identifiable information (PII). LDAPS helps protect PII and other sensitive information exchanged through the LDAP protocol with AWS Managed Microsoft AD over all networks. All LDAP writes must occur over LDAPS.
Benefits of Using ACM PCA Connector for AD
- Simplified PKI Management: Eliminates the need for complex CA setups.
- Scalability: ACM PCA scales to meet enterprise needs without additional infrastructure overhead.
- Cost Efficiency: Avoids the license and maintenance costs of on-premises Microsoft CAs.
- Improved Security: ACM PCA is a managed service with built-in security best practices.
Architecture Overview
The following architecture diagram illustrates how PCA Connector for AD integrates AWS managed PKI with your existing Active Directory. A domain-joined AD object initiates the process by requesting template information through the PCA Connector for AD. The PCA Connector authenticates the requestor using the AD Connector and forwards the Certificate Signing Request (CSR) to the AWS Private CA. Once validated, the CA issues the certificate and returns it using the PCA Connector. The domain-joined object then receives the certificate, and the updated Group Policy Object ensures its deployment. This architecture ensures secure, automated certificate management across domain-joined resources in a hybrid environment.

Figure 1: Architecture diagram of PCA integration with self-managed AD using the PCA connector for auto-enrollment of certificates for LDAPS.
Pre-requisites
- We will use ACM PCA as the Root CA in a single tier hierarchy.
- The private CA must be in the active state to create a connector. Also, its subject name must include a common name. Creating a connector using a private CA without a common name will not work.
- The PCA Connector for AD requires an Active Directory root domain.
- AWS AD connector is required for setting up the PCA connector with Self-managed AD.
- In our example, we will use the single AD service account to set up both the AWS AD connector and the PCA connector for AD.
NOTE: You can use different service accounts and delegate permissions using the steps outlined in this blog.
- When setting up the PCA Connector for AD, you need to delegate additional permissions to the service account. Our public documentation describes the process for delegating permissions to a service account.
- To create a connector for AD, you need an IAM policy with the following permissions:
- Create connector resources.
- Share your private CA with the Connector for AD service.
- Authorize the Connector for AD service with your directory.
There is an example of this policy on our public documentation.
- Creation of certificate templates for issuing certificates to the domain controllers and client machines for LDAPS.
Architecture Components
- AWS ACM Private CA: A highly available CA that acts as the root or subordinate CA.
- ACM PCA Connector for AD: Facilitates certificate issuance through AD Certificate Services.
- Microsoft Active Directory (Self-Managed): Provides authentication and policy enforcement for certificates.
- Domain-joined clients and servers: Devices that request and consume certificates and test LDAPS communication.
- AWS IAM Roles and Policies: Secure access control for the ACM PCA and Connector.
Step-by-step guide to set up ACM PCA Connector for AD and issue certificates to enable LDAPS
Step 1: Setup ACM Private Certificate Authority (PCA)
To set up AWS ACM Private Certificate Authority, use the steps outlined in our documentation.
While following the guide to set up PCA, select the CA type as Root and the mode as General Purpose. For this setup, CRL validation is important. Therefore, under Certificate revocation options, select Activate CRL distribution and configure it as per the instructions mentioned in the guide.
Step 2: Deploy and Configure ACM PCA Connector for AD and Enroll Certificates for LDAPS
In this step, you will deploy the AWS Private CA Connector for Active Directory. This lets Microsoft AD environments request and enroll SSL/TLS certificates from AWS Certificate Manager Private Certificate Authority (ACM PCA). It also enables secure communication over LDAPS by automating the issuance and binding of certificates for domain controllers, ensuring encrypted LDAP traffic within your AD environment.
- Configure the AD connector with your self-managed AD using our public documentation guide, Getting started with AD Connector.
- Delegate additional permissions to the same service account using the PowerShell script provided in the pre-requisites for the PCA connector setup.
- Once the AD connector is in the active state, navigate to the AWS Private CA Connector for Active Directory console page and choose Create connector as shown in Figure 2.

Figure 2: PCA connector home page with Create Connector button
- Select On-premises Active Directory with AWS AD connector and then select the AD connector, security group, and PCA created in previous steps. Then choose Create connector as shown in Figure 3.

Figure 3: Selecting on-premise directory and adding appropriate details while creating PCA connector.
- Once the connector status shows active, configure the Group Policy Objects (GPOs) to allow domain-joined devices to request certificates. This is in step 2 of our guide, Configure Microsoft Active Directory policies.
- Set up the certificate templates for domain controller and client machines and provide permissions to the appropriate AD groups to allow them to request certificates from PCA as shown next.
Configuring certificate templates for domain controllers
- Sign in to your AWS account and open the AWS Private CA Connector for Active Directory console.
- Choose a connector from the Connectors for Active Directory list and then choose View details.
- On the details page for the connector, find the Templates section and then choose Create template.
- On the Create template page, in the Template creation method section, choose Start from a predefined template and select Kerberos Authentication template from the list.
- In the Certificate settings section, make sure that the certificate type is machine and then set the desired validity and renewal period. Then select Common name under Subject name.
- Keep the rest of the fields at their defaults.
- In the Groups and permissions section, add the domain controllers group SID value in the Security identifier field. Use any name you like for the display value and set the Enroll and Auto-enroll permissions to ALLOW. The template will look like the one in Figure 4.

Figure 4: Certificate template details for Kerberos authentication certificate template.
Configuring certificate templates for client machines
- Follow the previous procedure for domain controllers, but this time select the Workstation Authentication certificate template. Add the group SID value under the Groups and permissions section, with Enroll and Auto-enroll set to ALLOW. The template will look like the one in Figure 5.

Figure 5: Certificate template details for Workstation authentication certificate template.
Verify certificate issuance on the domain controllers and domain-joined machine
- Log in to the domain controller and update the group policy for certificate auto-enrollment by executing the gpupdate /force command in a command window.
- Launch local machine certificates from the Microsoft Management Console (MMC) by choosing Start and entering msc.
- Expand the Personal store and select Certificates. You will see the certificates issued to your domain controller in the middle pane as shown in Figure 6.

Figure 6: Validation of Kerberos auth certificate enrollment on Domain controller via MMC.
NOTE: By default, AWS Private CA applies the template to your policy when the client refreshes the policy cache, which is every eight hours. If you don’t see the certificate enrollment after group policy update, then execute the following command in a command window as Administrator to flush the cache for immediate certificate enrollment.
For the machine enrollment policy cache:
certutil -f -policyserver * -policycache delete
For the user enrollment policy cache:
certutil -f -user -policyserver * -policycache delete
Step 3: Test LDAPS access by using the LDP tool
In this step, you will test the LDAPS connection to the self-managed Microsoft AD directory by using the LDP tool. The LDP tool is available on the EC2 instance where you installed the Active Directory Administration Tools. Before you test the LDAPS connection, you must verify the certificates issued to your domain controllers and client machine. To test LDAPS, you connect to one of the domain controllers using port 636.
To test the LDAPS connection use the following steps.
- Log in to the client machine as any domain user.
- Launch the LDP.exe tool by choosing Start and entering LDP.exe.
- In the LDP tool, open the Connection menu and choose Connect…

Figure 7: LDP tool, Connect
In the Connect window, enter the required information.
- For Server, enter the DNS name of your domain. In this example, the domain name is pcatest.local.
- For Port, enter 636.
- Select SSL.
- Choose OK to connect to the directory through LDAPS.

Figure 8: LDP Connect input
- The following message will show up confirming that your LDAPS connection is now open.

Figure 9: LDP successful LDAPS connection
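The following script is an added example, not part of the original post: it performs the same check as the LDP steps above from code, so it can run from a Linux client or a scheduled job. It connects to port 636, validates the chain against the exported Private CA root, optionally enforces the CRL that Step 1 asked you to enable, and then inspects the server certificate for the properties LDAPS needs. The root file name and the sample certificate dictionary are assumptions.

```python
import socket
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, not a real
# certificate. A Kerberos Authentication certificate carries both the DC FQDN and
# the domain DNS name in its SAN, so LDP can connect by domain name (pcatest.local).
SAMPLE_DC_CERT = {
    "subject": ((("commonName", "dc1.pcatest.local"),),),
    "issuer": ((("commonName", "pcatest Root CA"),),),   # placeholder issuer name
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "dc1.pcatest.local"), ("DNS", "pcatest.local")),
}

def check_dc_certificate(cert, expected_host, now=None):
    """Return the problems found (an empty list means the cert fits LDAPS)."""
    now = time.time() if now is None else now
    problems = []
    sans = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if expected_host.lower() not in sans:
        problems.append(f"subjectAltName {sans} does not cover {expected_host}")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("certificate is not yet valid")
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        problems.append("certificate has expired")
    if cert.get("issuer") == cert.get("subject"):
        problems.append("certificate is self-signed, not issued by the private CA")
    return problems

def probe_ldaps(host, port=636, ca_file=None, crl_file=None, timeout=5.0):
    """Open TLS to port 636 and validate the chain the way an LDAP client does.

    ca_file: PEM of the Private CA root (trust anchor, assumed to be exported).
    crl_file: optional PEM CRL fetched from the CA's CRL distribution point;
    loading it and setting VERIFY_CRL_CHECK_LEAF fails the handshake for revoked certs.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # getpeercert() returns a populated dict only after chain validation succeeded
            return tls.version(), check_dc_certificate(tls.getpeercert(), host)

if __name__ == "__main__":
    # "private-ca-root.pem" is an assumed file name for the exported root certificate
    print(probe_ldaps("pcatest.local", ca_file="private-ca-root.pem"))
```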
Step 4: Monitor and Manage ACM PCA
In this step, you will implement monitoring and management for ACM Private Certificate Authority (ACM PCA) using AWS tools such as AWS CloudTrail for auditing API activity. You’ll also manage CA lifecycle states, permissions, and revocation configurations to ensure secure and reliable certificate operations.
- Use the AWS CloudTrail console page to audit CA activities, such as the IssueCertificate API action, to help diagnose certificate enrollment issues.
- Additional troubleshooting steps for AWS PCA are in our documentation, Troubleshoot issues with AWS Private Certificate Authority.
- To diagnose and fix AWS Private Certificate Authority Connector for AD issues, follow the information in Troubleshoot issues with AWS Private CA Connector for Active Directory.
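The following is an added example, not part of the original post: a small parser for CloudTrail log files that pulls out the Private CA lifecycle calls (IssueCertificate, RevokeCertificate, DeleteCertificateAuthority) and separates the failed ones, which are the first thing to look at when auto-enrollment does not produce a certificate. The log records are constructed; the account id and CA ARN are placeholders.

```python
import json
from collections import Counter

PCA_SOURCE = "acm-pca.amazonaws.com"
WATCHED = {"IssueCertificate", "RevokeCertificate", "DeleteCertificateAuthority"}

# Constructed CloudTrail log-file excerpt, not real events. The top-level "Records"
# array and the eventSource/eventName/errorCode fields follow CloudTrail's record
# layout; the account id, CA ARN and error text are placeholders.
CA_ARN = "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE-CA-ID"
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2025-06-01T10:00:00Z", "eventSource": PCA_SOURCE,
     "eventName": "IssueCertificate",
     "requestParameters": {"certificateAuthorityArn": CA_ARN}},
    {"eventTime": "2025-06-01T10:00:05Z", "eventSource": PCA_SOURCE,
     "eventName": "IssueCertificate",
     "requestParameters": {"certificateAuthorityArn": CA_ARN},
     "errorCode": "AccessDeniedException",
     "errorMessage": "not authorized to perform acm-pca:IssueCertificate"},
    {"eventTime": "2025-06-01T11:00:00Z", "eventSource": PCA_SOURCE,
     "eventName": "GetCertificate",            # not a lifecycle call, ignored
     "requestParameters": {"certificateAuthorityArn": CA_ARN}},
    {"eventTime": "2025-06-01T12:00:00Z", "eventSource": "ds.amazonaws.com",
     "eventName": "DescribeDirectories"},      # different service, ignored
    {"eventTime": "2025-06-02T09:00:00Z", "eventSource": PCA_SOURCE,
     "eventName": "RevokeCertificate",
     "requestParameters": {"certificateAuthorityArn": CA_ARN}},
]})

def summarize_pca_activity(log_text):
    """Count successful Private CA lifecycle calls per CA and list the failed ones."""
    summary = {"counts": Counter(), "failures": []}
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != PCA_SOURCE or rec.get("eventName") not in WATCHED:
            continue
        name = rec["eventName"]
        ca = rec.get("requestParameters", {}).get("certificateAuthorityArn", "?")
        if "errorCode" in rec:
            # A failed IssueCertificate here usually means the CA is not shared with,
            # or the role is not authorized for, the connector: check Step 2 permissions.
            summary["failures"].append(
                (rec.get("eventTime"), name, ca, rec["errorCode"], rec.get("errorMessage", "")))
        else:
            summary["counts"][(name, ca)] += 1
    return summary

if __name__ == "__main__":
    print(summarize_pca_activity(SAMPLE_TRAIL))
```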
Cleanup
Configuring AWS services from this post will create resources which incur cost. It is a best practice to delete configurations and resources that you are no longer using so that you do not incur unintended charges.
To avoid ongoing charges and maintenance for the resources that you created in AWS, follow these steps:
- Delete the PCA connector.
- Delete the PCA.
- Delete the AWS AD Connector.
- Remove the GPO created for the certificate auto-enrollment.
Conclusion
In this post, you learned how to enable LDAPS for your Microsoft AD directory. Enabling LDAPS helps you protect PII and other sensitive information exchanged over untrusted networks between your Windows and Linux applications and your Microsoft AD.
By integrating ACM PCA Connector for AD into your Active Directory environment, you achieve a scalable, cost-effective, and managed PKI solution. This approach simplifies certificate management while improving security and reliability compared to traditional, fully self-managed AD CS deployments.
If you’re looking to modernize your Active Directory PKI, ACM PCA Connector for AD is a powerful and secure alternative.
Start by setting up ACM PCA today and integrate it with your Active Directory for a seamless PKI experience!
Additional Resources
- AWS Certificate Manager Private CA Documentation
- AWS ACM PCA Connector for AD Setup Guide
- https://cloudwatch-portal.com/blogs/security/