AWS CloudHSM
User Guide

Windows Server CA Step 1: Set Up the Prerequisites

To set up Windows Server as a certificate authority (CA) with AWS CloudHSM, you need the following:

  • An active AWS CloudHSM cluster with at least one HSM.

  • An Amazon EC2 instance running a Windows Server operating system with the AWS CloudHSM client software for Windows installed. This tutorial uses Microsoft Windows Server 2016.

  • A cryptographic user (CU) to own and manage the CA's private key on the HSM.

To set up the prerequisites for a Windows Server CA with AWS CloudHSM

  1. Complete the steps in Getting Started. When you launch the Amazon EC2 client, choose a Windows Server AMI. This tutorial uses Microsoft Windows Server 2016. When you complete these steps, you have an active cluster with at least one HSM. You also have an Amazon EC2 client instance running Windows Server with the AWS CloudHSM client software for Windows installed.

  2. (Optional) Add more HSMs to your cluster. For more information, see Adding an HSM.

  3. Connect to your client instance. For more information, see Connect to Your Instance in the Amazon EC2 User Guide for Windows Instances.

  4. To create a cryptographic user (CU) on your HSM, do the following:

    1. Start the AWS CloudHSM client.

    2. Update the cloudhsm_mgmt_util configuration file.

    3. Start cloudhsm_mgmt_util.

    4. Enable end-to-end encryption.

    5. Log in to the HSMs with the user name and password of a crypto officer (CO).

    6. Create a crypto user (CU). Keep track of the CU user name and password. You will need them to complete the next step.

  5. Set the Windows system environment variables, using the CU user name and password that you created in the previous step.
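One way to carry out step 5 from an elevated PowerShell session, as an added example rather than code from the AWS guide: it assumes the Client SDK 3 variable name n3fips_password with the value format "CU user name:password" (the name is not given on this page) and sets it at Machine scope, where a service such as the CA can read it.

```powershell
# Added example (not from the AWS guide): set the machine-scope variable the
# CloudHSM Client SDK 3 KSP reads, then verify it, without echoing the secret.
# Assumption: variable name n3fips_password, value "<CU user>:<password>".
# Run in an elevated PowerShell session on the Windows Server client instance.

$cuUser = Read-Host 'CloudHSM crypto user (CU) name'
$cuSecret = Read-Host 'CU password' -AsSecureString

# The stored value is "user:password", so a colon in the user name is ambiguous.
if ($cuUser -match ':') { throw 'CU user name must not contain ":".' }

# The KSP needs the plaintext value; convert only at the point of use.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($cuSecret)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# Machine scope: the CA service runs as SYSTEM, not as the logged-in admin,
# so a User-scope variable would not be visible to it.
[Environment]::SetEnvironmentVariable('n3fips_password', "${cuUser}:${plain}", 'Machine')

# Verify against the registry key that new processes read at start-up.
$envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$stored = (Get-ItemProperty -Path $envKey).n3fips_password
if ($stored -ne "${cuUser}:${plain}") {
    throw 'n3fips_password was not stored at Machine scope as expected.'
}

Write-Host "n3fips_password set at Machine scope for CU '$cuUser' (value not shown)."
Remove-Variable plain, stored
```

Processes that were already running when the variable was set do not see it, so restart the AWS CloudHSM client (or reboot) before installing the CA role. Any local process can read a Machine-scope variable, so limit who can log on to the CA host.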

To create a Windows Server CA with AWS CloudHSM, go to Create Windows Server CA.