Microsoft Active Directory Certificate Services (AD CS) with CDP/AIA on Amazon Web Services

Deploying an Active Directory Certificate Services is a straightforward way for enterprises to build their PKI infrastructure. But it does have its shortcomings, such as

• Lack of deployment in multiple regions
• High latency on CDP and AIA points

In this article, we will be showing you how your own PKI architecture while you host your CDP/AIA points on AWS.

Note: If this is your first time deploying a PKI, I recommend following ADCS Two Tier PKI Hierarchy Deployment as it is a more straightforward approach and also touches the basics.

Prerequisites

• An AWS account where we will create S3 bucket.
• A custom domain name
• An offline Windows Server VM, which will be our Root CA

[NOTE: This is a test scenario. As such, CDP and AIA points may not match your requirements. Do use values that are appropriate as per your requirements.]

Preparing CDP & AIA Points

We will create S3 Bucket that will act as our CDP/AIA points for our PKI infrastructure. We will also associate it with our custom domain to redirect it to our AWS.

Creating Amazon S3 Bucket

1. First, we need to log in to Amazon Web Services and navigate to Amazon S3.
2. Then on the right side of the pane, click on Create Bucket.
   1. In bucket name include your custom domain name (eg:bucketname.encryptionconsulting.com)
3. Click on ACLs enabled.
4. Uncheck the public access block and click on the acknowledge box.
5. Make sure all remaining settings must be a default.
6. Open the bucket > Under Permissions-> under bucket policy, click on Edit button -> click on Policy Generator
7. Under select policy type, select S3 Bucket Policy. Under Add Statement -> under principal use * -> Under Actions select Get Object -> Under Amazon Resource Name (ARN) copy Bucket ARN URL from the bucket policy & add /*at the end of ARN URL in Amazon Resource Name (ARN). Click on Add Statement.
8. Click on generate Policy.
9. Copy the text under the policy. Click on Save Changes.
10. Under Bucket -> right side of the pane, click on Upload. It might be a png/pdf/word doc for the testing.
11. Open the testing file. Copy the object URL and paste it into chrome. Then you can see your file

Binding AWS with a custom domain

1. Using one.com or a similar hosting service, In DNS settings, navigate to DNS records. Now, we need to retrieve the hostname for our AWS account. Select Web alias -> Ensure that hostname must be our bucket name -> Under will redirect to paste the URL from the testing file & remove the file name from the URL. Click on Create Record.
2. Now, we can fetch our file from our custom domain. Type http://<hostname>/<file name > in chrome.
   1. Be sure to remove s from https: to prevent issues.

Configuration of CDP & AIA Points on Root CA

Run the following commands on the command prompt of Root CA

Run the following commands to restart Active Directory Certificate Services and publish the CRL.

• net stop certsvc && net start certsvc
• certutil -crl

Publish the Root CA Certificate and CRL

1. Ensure you are logged on to our Issuing CA as Enterprise Admin. Copy Root CA Certificate and Root CA CRL files from the C:\Windows\System32\CertSrv\CertEnroll directory to Issuing CA.
2. On our Issuing CA, run the following commands at an administrative command prompt to publish Root CA Certificate and CRL in Active Directory.
   • certutil -f -dspublish <Root CA Certificate Path> RootCA
   • certutil -f -dspublish <Root CA CRL Path > <Root CA Name>
3. To add Root CA Certificate and CRL in the Certificate store in our Issuing CA, run the following command from an administrative command prompt.
   • certutil -addstore -f root <Root CA Certificate Path>
   • certutil -addstore -f root <Root CA CRL Path>
4. Ensure you are logged on to Issuing CA as Enterprise Admin. Right-click on Issuing CA, then click on Renew Certificate.
5. Copy the REQ file from Issuing CA to Root CA.

Submit the Request and Issue Encon Issuing CA Certificate

1. Ensure that you are logged on to Root CA as Admin. On Root CA, open an administrative command prompt. Then, submit the request using the following command. In the Certification Authority List dialog box, ensure that Root CA is selected and then click OK.
2. Open the Certification Authority console. In the certsrv [Certification Authority (Local)], in the console tree, expand Root CA. Click Pending Requests. In the details pane, right-click the request you just submitted, click All Tasks, and click Issue.
3. Return to the administrative command prompt to retrieve the issued certificate by running the following command   certreq -retrieve 5 <Issuing CA Certificate Path>.crt.”

Install the Encon Issuing CA Certificate on Issuing CA

1. Ensure you have logged into Issuing CA as Enterprise Admin. Open the Certification Authority console. In the Certification Authority console tree, right-click Encon Issuing CA, and then click Install CA Certificate. Display All Files (*.*) and click the Issuing CA Certificate. Click Open. In the console tree, right-click Encon Issuing CA, click All Tasks, and then click Start Service.

Configuration of CDP & AIA Points on Issuing CA

Run the following commands on the command prompt of Root CA

disable delta crls using this command.

Run the following commands to restart Active Directory Certificate Services and publish the CRL.

Upload Certificates and CRLs

1. First, we need to log in to Amazon Web Services and navigate to EC2.
2. On the pane’s right side, click Launch Instances. Ensure that name must be globally unique and must not contain spaces.
3. Operating system should be Amazon Linux 2 AMI (HVM)-Kernal 5.10, and SSD Volume Type & Architecture must be 64-bit (x86).
4. Instance type remains the same.
5. Click on Create new key pair. Click on create key pair. Ensure that name must be globally unique and must not contain spaces.
6. Make sure all remaining settings must default. On the right side of the pane, click on Launch Instances.
7. Scroll down a bit, then click on view all instances.
8. Now, navigate to IAM. On the right side of the pane, click on IAM.
9. Under dashboard -> Users-> Add Users. The maximum length of a username will be up to 64 characters. Click on Next.
10. Check the AWS management console box. Click on create an IAM user. Click on Next
11. Click on Attach policies directly. Under Permission policies, in the search bar, type s3 and check the AmazonS3FullAccess box. Click on Next.
12. Under Review & create, click on create the user.
13. Under Retrieve password -> click on return to users list
14. Select the user we have configured -> Under the user, select Security Credentials.
15. Under Security credentials -> select Access keys -> click create an access key.
16. Select Command Line Interface (CLI). Make sure to click on the acknowledge box. Click on Next.
17. Maximum length of a set description tag will be up to 256 characters. Click on Create access key.
18. Under Retrieve access keys -> click on the download .csv file.
19. Install AWS Command Line Interface. Double click on AWS CLI set up. It will open the new wizard. In the initial screen, click Next to continue.
20. Then, in the next window, accept the license agreement and click Next to proceed.
21. Click on Next.
22. On the next page, click on Install to begin the installation process.
23. Once installation is completed, click on Finish.
24. Open Command Prompt and run the following command to upload the CRLs & CRT :
    • aws –version
    • aws configure.

    Note: Write down the AWS Access Key, AWS Secret Access key & default region name from the downloaded .csv file. In Default output format, leave it none & press enter it.

25. Run the following command to upload the CRLs & CRT:

    • aws s3 ls
    • aws s3 ls s3://eroot.encryptionconsulting.com
    Note: eroot.encryptionconsulting.com is our bucket name
26. Now, it’s time to upload the certificate & CRLs from our system to AWS by running the following command:
    • aws s3 sync C:\aws-s3<Folder name > s3: \\eroot.encryptionconsuting.com <bucket name >
27.  Now check successfully if we have uploaded the certificate & CRLs.
    • aws s3 ls s3://eroot.encryptionconsulting.com
    Note: aws-s3 is our folder name & eroot.encryptionconsulting.com is our bucket name.
28. Now run the pkiview. msc command on Cmd, and we successfully deployed our CDP/AIA points on AWS. Note: Files may need to be renamed for cdp and aia urls to work

Conclusion

This concludes our AD CS installation with AWS Services. It is easier to manage, but we also achieve high availability using AWS. This will help organizations create PKI that can be operational worldwide with minimal latency and high performance no matter where you are.