Creating a connector template - AWS Private Certificate Authority

Creating a connector template (console)

Complete the following procedures to create and configure a connector template using the AWS console.

Open console

Sign in to your AWS account and open the AWS Private CA Connector for Active Directory console at https://console.aws.amazon.com/pca-connector-ad/home.

Choose connector

Choose a connector from the Connectors for Active Directory list and then choose View details.

Find template section

On the details page for the connector, find the Templates section and then choose Create template.

Template creation method

On the Create template page, in the Template creation method section, choose one of the method options.

  • Start from a predefined template (default) – Choose from a list of predefined templates for AD applications:

    • Code Signing

    • Computer

    • Domain Controller Authentication

    • EFS Recovery Agent

    • Enrollment Agent

    • Enrollment Agent (Computer)

    • IPSec

    • Kerberos Authentication

    • RAS and IAS Server

    • Smartcard Logon

    • Trust List Signing

    • User Signature

    • Workstation Authentication

  • Start from an existing template that you created – Choose from a list of custom templates that you previously created.

  • Start from a blank template – Choose this option to begin creating a completely new template.

Template settings

In the Template settings section, provide the following information:

  • Template name – The name of the template

  • Template schema version – The schema version of the template. The schema version affects the availability of template options as follows:

    Schema version 2

    • Supports client compatibility of Windows XP / Windows Server 2003 and higher.

    • Supports Legacy Cryptographic Service Providers only.

    Schema version 3

    • Supports client compatibility of Windows Vista / Windows Server 2008 and higher.

    • Supports allowing requester to renew with existing key.

    • Supports Key Storage Providers only.

    Schema version 4

    • Supports client compatibility of Windows 8 / Windows Server 2012 and higher.

    • Supports allowing requester to renew with existing key.

    • Supports Legacy Cryptographic Service Providers and Key Storage Providers.

  • Client compatibility – The minimum operating system level compatible with the template. Choose one of the listed options:

    • Windows XP / Windows Server 2003

    • Windows Vista / Windows Server 2008

    • Windows 7 / Windows Server 2008 R2

    • Windows 8 and up / Windows Server 2012

    • Windows 8 and up / Windows Server 2012 R2

    • Windows 8 and up / Windows Server 2016 and up

Configure certificate settings

In the Certificate settings section, define the following settings for certificates based on this template.

  • Certificate type – Specify whether to create User or Computer certificates.

  • Auto-enrollment – Choose whether to activate auto-enrollment for certificates based on this template.

  • Validity period – Specify a certificate validity period as an integer value of hours, days, weeks, months, or years. The minimum value is 2 hours.

  • Renewal period – Specify a certificate renewal period as an integer value of hours, days, weeks, months, or years. The renewal period must be no more than 75% of the validity period.

  • Subject name – Choose one or more options to be included in the subject name based on information contained in Active Directory.

    Note

    At least one subject name or subject alternative name option must be specified.

    • Common name

    • DNS as common name

    • Directory path

    • Email

  • Subject alternative name – Choose one or more options to be included in the subject alternative name based on information contained in Active Directory.

    Note

    At least one subject name or subject alternative name option must be specified.

    • Directory GUID

    • DNS name

    • Domain DNS

    • Email

    • Service principal name (SPN)

    • User principal name (UPN)

Configure request handling and enrollment settings

In the Certificate request handling and enrollment options section, specify the purpose of certificates based on the template, choosing one of the following options.

  • Signature

  • Encryption

  • Signature and encryption

  • Signature and smartcard logon

Next, choose which of the following features to activate. Options vary depending on the certificate purpose.

  • Delete invalid certificates (do not archive)

  • Include symmetric algorithms

  • Exportable private key

Finally, choose a certificate enrollment option. Options vary depending on the certificate purpose.

  • No user input required

  • Prompt user during enrollment

  • Prompt user during enrollment and require user input

Configure key usage extensions

In the Key usage extension settings section, choose the signature and encryption key usages that certificates based on this template may carry.

Signature key usage

  • Digital signature

  • Signature is proof of origin (nonrepudiation)

Encryption key usage

  • Allow key exchange without key encryption (key agreement)

  • Allow key exchange only with key encryption (key encipherment)

  • Allow encryption of user data (data encipherment)

You can also choose to Make key usage extensions critical for both types of key.

Assign application policies

In the Application policies section, choose all of the application policies that apply. The available policies are listed across several pages. Some policies may be preselected because of previous settings.

Configure custom application policies

In the Custom application policies section, you can add custom OIDs to the template, and specify whether application policy extensions are critical.

Configure cryptography settings

In the Cryptography settings section, choose the following categories of cryptography settings for certificates based on this template.

  1. The content at the top of the section is determined by the Template creation method and the Template schema version that you chose previously.

    • If you accepted the default schema version 2 in Template settings, the following status messages are displayed here:

      • Cryptography provider category

      • Legacy cryptographic service provider

      In this case there are no settings to configure and you can move on to the next step.

    • If you specified schema version 3 in Template settings, the following status messages are displayed here:

      • Cryptography provider category

      • Key storage provider

      You must also choose a Key algorithm from the listed options: ECDH_P256, ECDH_P384, ECDH_P521, and RSA.

    • If you specified schema version 4 in Template settings, you must choose between a Key storage provider and a Legacy cryptographic service provider. If you choose Key storage provider, you must also choose a Key algorithm from the listed options: ECDH_P256, ECDH_P384, ECDH_P521, and RSA.

  2. Minimum key size (bits) – Specify the minimum key size. This setting will affect which cryptography providers are available.

  3. Choose which cryptographic providers can be used for requests – Choose one of the two options available:

    • Requests can use any provider available on the subject's computer

    • Requests must use one of the following selected providers

      Choosing this option opens a Cryptography provider list. You can select and prioritize providers using the buttons in the Order column. The following providers are supported:

      • Microsoft Base Cryptographic Provider v1.0

      • Microsoft Base DSS and Diffie-Hellman Cryptographic Provider

      • Microsoft Base Smart Card Crypto Provider

      • Microsoft DH SChannel Cryptographic Provider

      • Microsoft Enhanced Cryptographic Provider v1.0

      • Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider

      • Microsoft Enhanced RSA and AES Cryptographic Provider

      • Microsoft RSA SChannel Cryptographic Provider

Configure groups and permissions

In the Groups and permissions section, you can view the template's existing groups and their enrollment permissions, or choose Add new groups and permissions to add new ones. The button opens a form that requires the following information:

  • Display name

  • Security identifier (SID)

  • Enroll, with options ALLOW | DENY | NOT SET

  • Auto-enroll, with options ALLOW | DENY | NOT SET

Configure superseding templates

In the Supersede templates section, you can notify Active Directory that the current template supersedes one or more templates created in AD. Choose Add template from Active Directory to supersede and specify the common name of the AD template that this template replaces; clients that would have enrolled for that AD template then enroll for this one instead.

Configure tagging

In the Tags – optional pane, you can apply and remove metadata on the template. Tags are key-value string pairs where the key must be unique to the resource and the value is optional. The pane displays any existing tags for the resource in a table. The following actions are supported.

  • Choose Manage tags to open the Manage tags page.

  • Choose Add new tag to create a tag. Fill in the Key field and, optionally, the Value field. Choose Save changes to apply the tag.

  • Choose the Remove button next to a tag to mark it for deletion, and choose Save changes to confirm.

Review and create

After providing the required information and reviewing your choices, choose Create template. This opens Template details, where you can review the new template's settings, edit or delete the template, manage groups and permissions, manage superseded templates, manage tags, and set automatic re-enrollment for certificate holders.

Creating a connector template (CLI)

Use the create-template command in the pca-connector-ad section of the AWS CLI (aws pca-connector-ad create-template). The command takes the same choices as the console procedure above as a single JSON definition passed with --definition, wrapped in a TemplateV2, TemplateV3, or TemplateV4 key that corresponds to the schema version.
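The console procedure above and the CLI command take the same settings; the following Python script is an added example (not AWS documentation or sample code) showing how the console choices map onto the create-template definition. It builds a schema version 3 definition equivalent to a Workstation Authentication style template, checks the three limits this page states (a 2 hour minimum validity, a renewal period of at most 75% of the validity period, and at least one subject name or subject alternative name option) before the API is called, flags an exportable private key as a hardening warning, and writes the JSON for --definition. The field and enum names are as recalled from the CreateTemplate API reference, and treating a month as 30 days and a year as 365 days is this example's own assumption; confirm the field names with aws pca-connector-ad create-template --generate-cli-skeleton before relying on the output.

```python
"""Assemble and sanity-check a Connector for AD template definition.

Added example, not AWS's own code: it builds the JSON that
`aws pca-connector-ad create-template --definition file://template.json`
consumes and enforces the limits stated on this page before the call is made.
Field names are as recalled from the CreateTemplate API reference; confirm
them with `aws pca-connector-ad create-template --generate-cli-skeleton`.
"""
import json

# Hours per PeriodType. Treating a month as 30 days and a year as 365 days is
# an assumption of this example, not a documented rule.
HOURS_PER = {"HOURS": 1, "DAYS": 24, "WEEKS": 168, "MONTHS": 720, "YEARS": 8760}
KEY_ALGORITHMS = ("RSA", "ECDH_P256", "ECDH_P384", "ECDH_P521")
SUBJECT_FLAGS = ("RequireCommonName", "RequireDirectoryPath",
                 "RequireDnsAsCn", "RequireEmail")
SAN_FLAGS = ("SanRequireDirectoryGuid", "SanRequireDns", "SanRequireDomainDns",
             "SanRequireEmail", "SanRequireSpn", "SanRequireUpn")


def period_hours(period):
    """Convert {"PeriodType": ..., "Period": n} to whole hours."""
    return period["Period"] * HOURS_PER[period["PeriodType"]]


def workstation_template():
    """Schema version 3 (Key Storage Provider) definition in the spirit of the
    predefined Workstation Authentication template: a computer certificate,
    auto-enrolled, SAN taken from the machine's DNS name in AD, client-auth EKU."""
    return {
        "CertificateValidity": {
            "ValidityPeriod": {"PeriodType": "YEARS", "Period": 1},
            "RenewalPeriod": {"PeriodType": "WEEKS", "Period": 6},
        },
        "EnrollmentFlags": {
            "EnableKeyReuseOnNtTokenKeysetStorageFull": False,
            "IncludeSymmetricAlgorithms": False,
            "NoSecurityExtension": False,
            "RemoveInvalidCertificateFromPersonalStore": True,  # "Delete invalid certificates"
            "UserInteractionRequired": False,                   # "No user input required"
        },
        "Extensions": {
            "ApplicationPolicies": {
                "Critical": False,
                "Policies": [{"PolicyType": "CLIENT_AUTHENTICATION"}],
            },
            "KeyUsage": {
                "Critical": True,
                "UsageFlags": {"DigitalSignature": True, "KeyEncipherment": True},
            },
        },
        "GeneralFlags": {"AutoEnrollment": True, "MachineType": True},
        "HashAlgorithm": "SHA256",
        # No CryptoProviders list: any provider on the subject's computer may be used.
        "PrivateKeyAttributes": {"Algorithm": "RSA", "KeySpec": "KEY_EXCHANGE",
                                 "MinimalKeyLength": 2048},
        "PrivateKeyFlags": {
            "ClientVersion": "WINDOWS_SERVER_2012",
            "ExportableKey": False,  # keep the key inside the host's key storage provider
            "RequireSameKeyRenewal": False,
            "StrongKeyProtectionRequired": False,
        },
        "SubjectNameFlags": {"SanRequireDns": True},
        # "Machine" is the AD common name of the built-in Computer template.
        "SupersededTemplates": ["Machine"],
    }


def check_template(defn):
    """Return (errors, warnings). Errors are rules this page states; the warning
    is the hardening point a reviewer raises before enabling auto-enrollment."""
    errors, warnings = [], []
    validity = period_hours(defn["CertificateValidity"]["ValidityPeriod"])
    renewal = period_hours(defn["CertificateValidity"]["RenewalPeriod"])
    if validity < 2:
        errors.append(f"validity of {validity}h is below the 2 hour minimum")
    if renewal > 0.75 * validity:
        errors.append(f"renewal of {renewal}h exceeds 75% of the {validity}h validity")
    if not any(defn.get("SubjectNameFlags", {}).get(f) for f in SUBJECT_FLAGS + SAN_FLAGS):
        errors.append("at least one subject name or subject alternative name option is required")
    if defn.get("PrivateKeyAttributes", {}).get("Algorithm") not in KEY_ALGORITHMS:
        errors.append(f"key algorithm must be one of {KEY_ALGORITHMS}")
    if defn.get("PrivateKeyFlags", {}).get("ExportableKey"):
        warnings.append("ExportableKey is set: the private key can be copied off the enrolling host")
    return errors, warnings


def to_cli_json(defn, schema_version=3):
    """Wrap the definition under the TemplateV2/V3/V4 key that --definition expects."""
    return json.dumps({f"TemplateV{schema_version}": defn}, indent=2)


if __name__ == "__main__":
    template = workstation_template()
    errors, warnings = check_template(template)
    for warning in warnings:
        print("warning:", warning)
    if errors:
        raise SystemExit("\n".join(errors))
    with open("template.json", "w") as fh:
        fh.write(to_cli_json(template))
    print("wrote template.json; pass it as --definition file://template.json")
```

Run the script, act on any warning, then create the template with aws pca-connector-ad create-template --connector-arn <connector ARN> --name <template name> --definition file://template.json, where the connector ARN is the one shown in the Connectors for Active Directory list. Keeping the validation in front of the API call matters because a rejected definition is cheap to fix, whereas a template that is created with an exportable key or an overly long validity is already enrollable by every group granted Enroll or Auto-enroll on it.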

Creating a connector template (API)

Use the CreateTemplate action in the AWS Private CA Connector for Active Directory API.