Menu
AWS CloudHSM
User Guide

Windows Server CA Step 2: Create a Windows Server CA with AWS CloudHSM

To create a Windows Server CA, you add the Active Directory Certificate Services (AD CS) role to your Windows Server. When you add this role, you use an AWS CloudHSM key storage provider (KSP) to create and store the CA's private key on your AWS CloudHSM cluster.

Note

When you create your Windows Server CA, you can choose to create a root CA or a subordinate CA. You typically make this decision based on the design of your public key infrastructure and the security policies of your organization. This tutorial explains how to create a root CA for simplicity.

To add the AD CS role to your Windows Server and create the CA's private key

  1. If you haven't already done so, connect to your Windows server. For more information, see Connect to Your Instance in the Amazon EC2 User Guide for Windows Instances.

  2. On your Windows server, start Server Manager.

  3. In the Server Manager dashboard, choose Add roles and features.

  4. Read the Before you begin information, and then choose Next.

  5. For Installation Type, choose Role-based or feature-based installation. Then choose Next.

  6. For Server Selection, choose Select a server from the server pool. Then choose Next.

  7. For Server Roles, do the following:

    1. Select Active Directory Certificate Services.

    2. For Add features that are required for Active Directory Certificate Services, choose Add Features.

    3. Choose Next to finish selecting server roles.

  8. For Features, accept the defaults, and then choose Next.

  9. For AD CS, do the following:

    1. Choose Next.

    2. Select Certification Authority, and then choose Next.

  10. For Confirmation, read the confirmation information, and then choose Install. Do not close the window.

  11. Choose the highlighted Configure Active Directory Certificate Services on the destination server link.

  12. For Credentials, verify or change the credentials displayed. Then choose Next.

  13. For Role Services, select Certification Authority. Then choose Next.

  14. For Setup Type, select Standalone CA. Then choose Next.

  15. For CA Type, select Root CA. Then choose Next.

    Note

    You can choose to create a root CA or a subordinate CA based on the design of your public key infrastructure and the security policies of your organization. This tutorial explains how to create a root CA for simplicity.

  16. For Private Key, select Create a new private key. Then choose Next.

  17. For Cryptography, do the following:

    1. For Select a cryptographic provider, choose one of the Cavium Key Storage Provider options from the menu. These are the AWS CloudHSM key storage providers. For example, you can choose RSA#Cavium Key Storage Provider.

    2. For Key length, choose one of the key length options.

    3. For Select the hash algorithm for signing certificates issued by this CA, choose one of the hash algorithm options.

    Choose Next.

  18. For CA Name, do the following:

    1. (Optional) Edit the common name.

    2. (Optional) Type a distinguished name suffix.

    Choose Next.

  19. For Validity Period, specify a time period in years, months, weeks, or days. Then choose Next.

  20. For Certificate Database, you can accept the default values, or optionally change the location for the database and the database log. Then choose Next.

  21. For Confirmation, review the information about your CA; Then choose Configure.

  22. Choose Close, and then choose Close again.

You now have a Windows Server CA with AWS CloudHSM. To learn how to sign a certificate signing request (CSR) with your CA, go to Sign a CSR.