

# Configure Windows Server as a certificate authority (CA) with Client SDK 3
<a name="win-ca-overview-sdk3"></a>

In a public key infrastructure (PKI), a certificate authority (CA) is a trusted entity that issues digital certificates. These digital certificates bind a public key to an identity (a person or organization) by means of public key cryptography and digital signatures. To operate a CA, you must maintain trust by protecting the private key that signs the certificates issued by your CA. You can store the private key in the HSM in your AWS CloudHSM cluster, and use the HSM to perform the cryptographic signing operations.

In this tutorial, you use Windows Server and AWS CloudHSM to configure a CA. You install the AWS CloudHSM client software for Windows on your Windows server, then add the Active Directory Certificate Services (AD CS) role to your Windows Server. When you configure this role, you use an AWS CloudHSM key storage provider (KSP) to create and store the CA's private key on your AWS CloudHSM cluster. The KSP is the bridge that connects your Windows server to your AWS CloudHSM cluster. In the last step, you sign a certificate signing request (CSR) with your Windows Server CA.

For more information, see the following topics:

**Topics**
+ [Step 1: Set up the prerequisites](#win-ca-prerequisites-sdk3)
+ [Step 2: Create a Windows Server CA with AWS CloudHSM](#win-ca-setup-sdk3)
+ [Step 3: Sign a certificate signing request (CSR) with your Windows Server CA with AWS CloudHSM](#win-ca-sign-csr-sdk3)

## Step 1: Set up the prerequisites
<a name="win-ca-prerequisites-sdk3"></a>

To set up Windows Server as a certificate authority (CA) with AWS CloudHSM, you need the following:
+ An active AWS CloudHSM cluster with at least one HSM.
+ An Amazon EC2 instance running a Windows Server operating system with the AWS CloudHSM client software for Windows installed. This tutorial uses Microsoft Windows Server 2016.
+ A cryptographic user (CU) to own and manage the CA's private key on the HSM.

**To set up the prerequisites for a Windows Server CA with AWS CloudHSM**

1. Complete the steps in [Getting started](getting-started.md). When you launch the Amazon EC2 client, choose a Windows Server AMI. This tutorial uses Microsoft Windows Server 2016. When you complete these steps, you have an active cluster with at least one HSM. You also have an Amazon EC2 client instance running Windows Server with the AWS CloudHSM client software for Windows installed.

1. (Optional) Add more HSMs to your cluster. For more information, see [Adding an HSM to an AWS CloudHSM cluster](add-hsm.md).

1. Connect to your client instance. For more information, see [Connect to Your Instance](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/EC2_GetStarted.html#ec2-connect-to-instance-windows) in the *Amazon EC2 User Guide*.

1. Create a crypto user (CU) using [Managing HSM users with CloudHSM CLI](manage-hsm-users-chsm-cli.md) or [Managing HSM users with CloudHSM Management Utility (CMU)](manage-hsm-users-cmu.md). Keep track of the CU user name and password. You will need them to complete the next step.

1. [Set the login credentials for the HSM](ksp-library-prereq.md), using the CU user name and password that you created in the previous step.

1. In step 5, if you used Windows Credentials Manager to set HSM credentials, download [https://live.sysinternals.com/psexec.exe](https://live.sysinternals.com/psexec.exe) from SysInternals to run the following command as *NT Authority\SYSTEM*:

   ```
   psexec.exe -s "C:\Program Files\Amazon\CloudHsm\tools\set_cloudhsm_credentials.exe" --username <USERNAME> --password <PASSWORD>
   ```

   Replace *<USERNAME>* and *<PASSWORD>* with the HSM credentials.

To create a Windows Server CA with AWS CloudHSM, go to [Create Windows Server CA](#win-ca-setup-sdk3).

## Step 2: Create a Windows Server CA with AWS CloudHSM
<a name="win-ca-setup-sdk3"></a>

To create a Windows Server CA, you add the Active Directory Certificate Services (AD CS) role to your Windows Server. When you add this role, you use an AWS CloudHSM key storage provider (KSP) to create and store the CA's private key on your AWS CloudHSM cluster.

**Note**  
When you create your Windows Server CA, you can choose to create a root CA or a subordinate CA. You typically make this decision based on the design of your public key infrastructure and the security policies of your organization. This tutorial explains how to create a root CA for simplicity.

**To add the AD CS role to your Windows Server and create the CA's private key**

1. If you haven't already done so, connect to your Windows server. For more information, see [Connect to Your Instance](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/EC2_GetStarted.html#ec2-connect-to-instance-windows) in the *Amazon EC2 User Guide*.

1. On your Windows server, start **Server Manager**.

1. In the **Server Manager** dashboard, choose **Add roles and features**.

1. Read the **Before you begin** information, and then choose **Next**.

1. For **Installation Type**, choose **Role-based or feature-based installation**. Then choose **Next**.

1. For **Server Selection**, choose **Select a server from the server pool**. Then choose **Next**.

1. For **Server Roles**, do the following:

   1. Select **Active Directory Certificate Services**.

   1. For **Add features that are required for Active Directory Certificate Services**, choose **Add Features**.

   1. Choose **Next** to finish selecting server roles.

1. For **Features**, accept the defaults, and then choose **Next**.

1. For **AD CS**, do the following:

   1. Choose **Next**.

   1. Select **Certification Authority**, and then choose **Next**.

1. For **Confirmation**, read the confirmation information, and then choose **Install**. Do not close the window.

1. Choose the highlighted **Configure Active Directory Certificate Services on the destination server** link.

1. For **Credentials**, verify or change the credentials displayed. Then choose **Next**.

1. For **Role Services**, select **Certification Authority**. Then choose **Next**.

1. For **Setup Type**, select **Standalone CA**. Then choose **Next**.

1. For **CA Type**, select **Root CA**. Then choose **Next**.

   **Note**  
   You can choose to create a root CA or a subordinate CA based on the design of your public key infrastructure and the security policies of your organization. This tutorial explains how to create a root CA for simplicity.

1. For **Private Key**, select **Create a new private key**. Then choose **Next**.

1. For **Cryptography**, do the following:

   1. For **Select a cryptographic provider**, choose one of the **Cavium Key Storage Provider** options from the menu. These are the AWS CloudHSM key storage providers. For example, you can choose **RSA#Cavium Key Storage Provider**.

   1. For **Key length**, choose one of the key length options.

   1. For **Select the hash algorithm for signing certificates issued by this CA**, choose one of the hash algorithm options.

   Choose **Next**.

1. For **CA Name**, do the following:

   1. (Optional) Edit the common name.

   1. (Optional) Type a distinguished name suffix.

   Choose **Next**.

1. For **Validity Period**, specify a time period in years, months, weeks, or days. Then choose **Next**.

1. For **Certificate Database**, you can accept the default values, or optionally change the location for the database and the database log. Then choose **Next**.

1. For **Confirmation**, review the information about your CA. Then choose **Configure**.

1. Choose **Close**, and then choose **Close** again.

You now have a Windows Server CA with AWS CloudHSM. To learn how to sign a certificate signing request (CSR) with your CA, go to [Sign a CSR](#win-ca-sign-csr-sdk3).
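The wizard gives no direct confirmation that the CA key actually landed on the HSM. The following PowerShell check is an added example, not part of the AWS documentation; it assumes the CloudHSM KSP reports itself as `Cavium Key Storage Provider` (the name shown in the wizard's provider menu) and that the CA is an RSA root CA as created above.

```powershell
# Added example, not part of the AWS documentation. Run from an elevated
# PowerShell prompt on the CA server after Step 2 to confirm that the CA's
# private key is held by the AWS CloudHSM KSP, not by a software provider
# (a software-held CA key can be exported and copied; an HSM-held key cannot).
# Assumption: the CloudHSM KSP reports itself as 'Cavium Key Storage Provider'.
$expectedProvider = 'Cavium Key Storage Provider'

# 1. The CA service records its provider choice under the CA\CSP registry subkey.
$cspDump = (certutil -getreg CA\CSP | Out-String)
if ($cspDump -match [regex]::Escape($expectedProvider)) {
    Write-Host "OK: CA configuration references '$expectedProvider'"
} else {
    Write-Warning "CA configuration does not reference '$expectedProvider':`n$cspDump"
}

# 2. Cross-check the CA certificate itself. A root CA certificate is
#    self-signed, and for CNG keys GetRSAPrivateKey() returns an RSACng whose
#    CngKey names the provider that actually holds the key.
$ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
$caCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -eq $_.Issuer }

foreach ($cert in $caCerts) {
    $rsa = $ext::GetRSAPrivateKey($cert)
    $provider = if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $rsa.Key.Provider.Provider
    } else {
        'legacy CryptoAPI CSP (not a KSP)'
    }
    $status = if ($provider -eq $expectedProvider) { 'OK   ' } else { 'CHECK' }
    "{0} {1}  thumbprint={2}  provider='{3}'" -f $status, $cert.Subject, $cert.Thumbprint, $provider
}
```

Any line flagged `CHECK` means a self-signed certificate with a private key on this server is not backed by the CloudHSM KSP; for the CA certificate that is a misconfiguration worth fixing before issuing anything.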

## Step 3: Sign a certificate signing request (CSR) with your Windows Server CA with AWS CloudHSM
<a name="win-ca-sign-csr-sdk3"></a>

You can use your Windows Server CA with AWS CloudHSM to sign a certificate signing request (CSR). To complete these steps, you need a valid CSR. You can create a CSR in several ways, including the following:
+ Using OpenSSL
+ Using the Windows Server Internet Information Services (IIS) Manager
+ Using the certificates snap-in in the Microsoft Management Console
+ Using the **certreq** command line utility on Windows

The steps for creating a CSR are outside the scope of this tutorial. When you have a CSR, you can sign it with your Windows Server CA.

**To sign a CSR with your Windows Server CA**

1. If you haven't already done so, connect to your Windows server. For more information, see [Connect to Your Instance](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/EC2_GetStarted.html#ec2-connect-to-instance-windows) in the *Amazon EC2 User Guide*.

1. On your Windows server, start **Server Manager**.

1. In the **Server Manager** dashboard, in the top right corner, choose **Tools**, **Certification Authority**.

1. In the **Certification Authority** window, choose your computer name.

1. From the **Action** menu, choose **All Tasks**, **Submit new request**.

1. Select your CSR file, and then choose **Open**.

1. In the **Certification Authority** window, double-click **Pending Requests**.

1. Select the pending request. Then, from the **Action** menu, choose **All Tasks**, **Issue**.

1. In the **Certification Authority** window, double-click **Issued Requests** to view the signed certificate.

1. (Optional) To export the signed certificate to a file, complete the following steps:

   1. In the **Certification Authority** window, double-click the certificate.

   1. Choose the **Details** tab, and then choose **Copy to File**.

   1. Follow the instructions in the **Certificate Export Wizard**.

You now have a Windows Server CA with AWS CloudHSM, and a valid certificate signed by the Windows Server CA.
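The same submit, issue and retrieve sequence can be scripted with `certreq` and `certutil`, which is useful when you want the approval step logged and repeatable rather than clicked through in the MMC. This is an added example, not part of the AWS documentation; it assumes a CSR already exists at the path in `$csr` and uses a placeholder CA name in the `<hostname>\<CA common name>` config string.

```powershell
# Added example, not part of the AWS documentation. Command-line equivalent of
# Step 3 (submit, issue, retrieve) for use from an elevated PowerShell prompt
# on the CA server. Assumptions: the CSR already exists at $csr, and the CA
# config string is "<hostname>\<CA common name>" (replace the placeholder name).
$caConfig = "$env:COMPUTERNAME\Example-Root-CA"   # placeholder: your CA's common name
$csr      = 'C:\certs\request.csr'
$certOut  = 'C:\certs\request.cer'

# 1. Inspect the CSR first. A standalone CA issues whatever subject and key
#    usage the requester asked for, so the review happens here, not in the CA.
certutil -dump $csr

# 2. Submit. On a standalone CA the request lands in Pending Requests and
#    certreq reports the RequestId needed for the next two steps.
$submit = (certreq -submit -config $caConfig $csr $certOut 2>&1 | Out-String)
if ($submit -notmatch 'RequestId:\s*(\d+)') { throw "Submit failed:`n$submit" }
$requestId = [int]$Matches[1]
Write-Host "Request $requestId is pending on $caConfig"

# 3. Issue. This is the step that performs the signature on the HSM through
#    the KSP; it is the equivalent of All Tasks > Issue in the MMC.
certutil -config $caConfig -resubmit $requestId
if ($LASTEXITCODE -ne 0) { throw "Issue failed for request $requestId" }

# 4. Retrieve the signed certificate to a file, then confirm it chains to the CA.
certreq -retrieve -config $caConfig $requestId $certOut
if ($LASTEXITCODE -ne 0) { throw "Retrieve failed for request $requestId" }

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certOut)
"Issued to {0} by {1}, valid until {2:u}" -f $cert.Subject, $cert.Issuer, $cert.NotAfter
certutil -verify $certOut   # non-zero exit here means the chain or revocation check failed
```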