AWS CloudHSM
User Guide

Windows Server CA Step 1: Set Up the Prerequisites

To set up Windows Server as a certificate authority (CA) with AWS CloudHSM, you need the following:

  • An active AWS CloudHSM cluster with at least one HSM.

  • An Amazon EC2 instance running a Windows Server operating system with the AWS CloudHSM client software for Windows installed. This tutorial uses Microsoft Windows Server 2016.

  • A cryptographic user (CU) to own and manage the CA's private key on the HSM.

To set up the prerequisites for a Windows Server CA with AWS CloudHSM

  1. Complete the steps in Getting Started. When you launch the Amazon EC2 client, choose a Windows Server AMI. This tutorial uses Microsoft Windows Server 2016. When you complete these steps, you have an active cluster with at least one HSM. You also have an Amazon EC2 client instance running Windows Server with the AWS CloudHSM client software for Windows installed.

  2. (Optional) Add more HSMs to your cluster. For more information, see Adding an HSM.

  3. Connect to your client instance. For more information, see Connect to Your Instance in the Amazon EC2 User Guide for Windows Instances.

  4. To create a cryptographic user (CU) on your HSM, do the following:

    1. Start the AWS CloudHSM client.

    2. Update the cloudhsm_mgmt_util configuration file.

    3. Start cloudhsm_mgmt_util.

    4. Enable end-to-end encryption.

    5. Log in to the HSMs with the user name and password of a crypto officer (CO).

    6. Create a crypto user (CU). Keep track of the CU user name and password. You will need them to complete the next step.

  5. Set the login credentials for the HSM, using the CU user name and password that you created in the previous step.

  6. If you used Windows Credentials Manager to set the HSM credentials in step 5, those credentials are stored only for your own Windows account. The CA service runs as NT Authority\SYSTEM, so download psexec.exe from Sysinternals and run the following command as NT Authority\SYSTEM to store the credentials for that account as well:

    psexec.exe -s "C:\Program Files\Amazon\CloudHsm\tools\set_cloudhsm_credentials.exe" --username <username> --password <password>

    Replace <username> and <password> with the HSM credentials.
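    A PowerShell wrapper for the psexec step, added here as an example and not part of the AWS guide: it checks that both executables are present, prompts for the CU credentials instead of leaving them in the shell history, and verifies the exit code. It assumes psexec.exe is on the PATH and the client tools are at the default path quoted above.

```powershell
# Added example (not from the AWS documentation). Assumptions: psexec.exe is on
# PATH or in the current directory, and the CloudHSM client tools are installed
# at the default location quoted in the guide.

$SetCreds = 'C:\Program Files\Amazon\CloudHsm\tools\set_cloudhsm_credentials.exe'
$PsExec   = 'psexec.exe'

if (-not (Test-Path -LiteralPath $SetCreds)) {
    throw "set_cloudhsm_credentials.exe not found at $SetCreds; check the CloudHSM client install."
}
if (-not (Get-Command $PsExec -ErrorAction SilentlyContinue)) {
    throw "psexec.exe not found; download PsExec from Sysinternals and place it on PATH."
}

# Prompt for the CU credentials created in step 4. The password stays a
# SecureString until it has to be handed to the command line.
$cred = Get-Credential -Message 'CloudHSM crypto user (CU) credentials'
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($cred.Password)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# -s runs the tool as NT AUTHORITY\SYSTEM, the account the CA service uses;
# -accepteula suppresses the interactive Sysinternals licence prompt.
# The tool path is quoted because it contains spaces.
$argLine = "-accepteula -s `"$SetCreds`" --username $($cred.UserName) --password $plain"
$proc = Start-Process -FilePath $PsExec -ArgumentList $argLine -Wait -PassThru -NoNewWindow
$plain = $null   # drop the plaintext copy as soon as the child has started

# psexec returns the exit code of the launched program.
if ($proc.ExitCode -ne 0) {
    throw "set_cloudhsm_credentials.exe exited with code $($proc.ExitCode)"
}
Write-Host 'HSM credentials stored for the SYSTEM account.'
```

    As with the manual command, the password is visible on the psexec process's command line while it runs; the script only keeps it out of your shell history and checks the result.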

To create a Windows Server CA with AWS CloudHSM, go to Create Windows Server CA.