

# Secure your AD Connector directory
<a name="ad_connector_security"></a>

You can use features like multi-factor authentication (MFA), client-side Lightweight Directory Access Protocol over Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (LDAPS), and AWS Private Certificate Authority to secure your AD Connector. Ways you can secure your AD Connector include:
+ Enable MFA, which adds a RADIUS-backed second factor to sign-in through AD Connector.
+ Enable client-side Lightweight Directory Access Protocol over Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (LDAPS) so that LDAP traffic between AWS applications and your domain controllers is encrypted.
+ Enable certificate-based mutual Transport Layer Security (mTLS) authentication with smart cards, which lets users authenticate into AWS applications through your Active Directory and AD Connector.
+ Update your AD Connector service account credentials.
+ Set up AWS Private CA Connector for AD so you can issue and manage certificates for your AD Connector.

**Topics**
+ [Enabling multi-factor authentication for AD Connector](ad_connector_mfa.md)
+ [Enabling client-side LDAPS using AD Connector](ad_connector_ldap_client_side.md)
+ [Enabling mTLS authentication in AD Connector for use with smart cards](ad_connector_clientauth.md)
+ [Updating your AD Connector service account credentials in AWS Management Console](ad_connector_update_creds.md)
+ [Set up AWS Private CA Connector for AD](ad_connector_pca_connector.md)

# Enabling multi-factor authentication for AD Connector
<a name="ad_connector_mfa"></a>

You can enable multi-factor authentication for AD Connector when you have Active Directory running on-premises or in Amazon EC2 instances. For more information about using multi-factor authentication with Directory Service, see [AD Connector prerequisites](ad_connector_getting_started.md#prereq_connector).

**Note**  
Multi-factor authentication is not available for Simple AD. However, MFA can be enabled for your AWS Managed Microsoft AD directory. For more information, see [Enabling multi-factor authentication for AWS Managed Microsoft AD](ms_ad_mfa.md).

**To enable multi-factor authentication for AD Connector**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, select **Directories**.

1. Choose the directory ID link for your AD Connector directory.

1. On the **Directory details** page, select the **Networking & security** tab.

1. In the **Multi-factor authentication** section, choose **Actions**, and then choose **Enable**.

1. On the **Enable multi-factor authentication (MFA)** page, provide the following values:   
**Display label**  
Provide a label name.  
**RADIUS server DNS name or IP addresses**  
The IP addresses of your RADIUS server endpoints, or the IP address of your RADIUS server load balancer. You can enter multiple IP addresses by separating them with a comma (e.g., `192.0.0.0,192.0.0.12`).  
RADIUS MFA is applicable only to authenticate access to the AWS Management Console, or to Amazon Enterprise applications and services such as WorkSpaces, Amazon Quick, or Amazon Chime. It does not provide MFA to Windows workloads running on EC2 instances, or for signing into an EC2 instance. Directory Service does not support RADIUS Challenge/Response authentication.  
Users must have their MFA code at the time they enter their username and password. Alternatively, you must use a solution that performs MFA out-of-band such as SMS text verification for the user. In out-of-band MFA solutions, you must make sure you set the RADIUS time-out value appropriately for your solution. When using an out-of-band MFA solution, the sign-in page will prompt the user for an MFA code. In this case, the best practice is for users to enter their password in both the password field and the MFA field.  
**Port**  
The port that your RADIUS server is using for communications. Your on-premises network must allow inbound traffic on that port (UDP 1812 by default) from the Directory Service servers.  
**Shared secret code**  
The shared secret code that was specified when your RADIUS endpoints were created.  
**Confirm shared secret code**  
Confirm the shared secret code for your RADIUS endpoints.  
**Protocol**  
Select the protocol that was specified when your RADIUS endpoints were created.  
**Server timeout (in seconds)**  
The amount of time, in seconds, to wait for the RADIUS server to respond. This must be a value between 1 and 50.  
**Max RADIUS request retries**  
The number of times that communication with the RADIUS server is attempted. This must be a value between 0 and 10.

1. Choose **Enable**.

   Multi-factor authentication is available when the **RADIUS Status** changes to **Enabled**.

# Enabling client-side LDAPS using AD Connector
<a name="ad_connector_ldap_client_side"></a>

Client-side LDAPS support in AD Connector encrypts communications between Microsoft Active Directory (AD) and AWS applications. Examples of such applications include WorkSpaces, AWS IAM Identity Center, Quick, and Amazon Chime. This encryption helps you to better protect your organization's identity data and meet your security requirements.

You can also deregister and disable client-side LDAPS.

**Topics**
+ [Prerequisites](#prereqs-ldap-client-side)
+ [Enabling client-side LDAPS](#enable-ldap-client-side)
+ [Managing client-side LDAPS](manage-ldap-client-side.md)

## Prerequisites
<a name="prereqs-ldap-client-side"></a>

Before you enable client-side LDAPS, you need to meet the following requirements.

**Topics**
+ [Deploy server certificates in Active Directory](#deploy_server_certs_ldap_client_side)
+ [CA certificate requirements](#cert_requirements_ldap_client_side)
+ [Networking requirements](#networking_requirements_ldap_client_side)

### Deploy server certificates in Active Directory
<a name="deploy_server_certs_ldap_client_side"></a>

In order to enable client-side LDAPS, you need to obtain and install server certificates for each domain controller in Active Directory. These certificates will be used by the LDAP service to listen for and automatically accept SSL connections from LDAP clients. You can use SSL certificates that are either issued by an in-house Active Directory Certificate Services (ADCS) deployment or purchased from a commercial issuer. For more information on Active Directory server certificate requirements, see [LDAP over SSL (LDAPS) Certificate](https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx) on the Microsoft website.

### CA certificate requirements
<a name="cert_requirements_ldap_client_side"></a>

A certificate authority (CA) certificate, which represents the issuer of your server certificates, is required for client-side LDAPS operation. AD Connector validates the server certificate presented by each Active Directory domain controller against the registered CA certificates before it encrypts LDAP communications with that domain controller, so every domain controller's certificate must chain to a registered CA. Note the following CA certificate requirements:
+ To register a certificate, it must be more than 90 days away from expiration.
+ Certificates must be in Privacy-Enhanced Mail (PEM) format. If exporting CA certificates from inside Active Directory, choose Base64-encoded X.509 (.CER) as the export file format.
+ A maximum of five (5) CA certificates can be stored per AD Connector directory.
+ Certificates using the RSASSA-PSS signature algorithm are not supported.

### Networking requirements
<a name="networking_requirements_ldap_client_side"></a>

AWS application LDAP traffic runs exclusively on TCP port 636, with no fallback to LDAP port 389, so a domain controller that is unreachable on port 636 or that presents a certificate AD Connector cannot validate will not be usable by AWS applications. Windows LDAP communications supporting replication, trusts, and so on continue to use LDAP port 389 with Windows-native security. Configure AWS security groups and network firewalls to allow TCP port 636 outbound from AD Connector and inbound to your self-managed Active Directory domain controllers.

## Enabling client-side LDAPS
<a name="enable-ldap-client-side"></a>

To enable client-side LDAPS, you import your certificate authority (CA) certificate into AD Connector, and then enable LDAPS on your directory. Once enabled, all LDAP traffic between AWS applications and your self-managed Active Directory is protected with SSL/TLS channel encryption.

You can use two different methods to enable client-side LDAPS for your directory. You can use either the AWS Management Console method or the AWS CLI method.

### Registering certificate in Directory Service
<a name="step1-register-cert-ldap-client-side"></a>

Use either of the following methods to register a certificate in Directory Service.

**Method 1: To register your certificate in Directory Service (AWS Management Console)**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, select **Directories**.

1. Choose the directory ID link for your directory.

1. On the **Directory details** page, choose the **Networking & security** tab.

1. In the **Client-side LDAPS** section, select the **Actions** menu, and then select **Register certificate**.

1. In the **Register a CA certificate** dialog box, select **Browse**, and then select the certificate and choose **Open**.

1. Choose **Register certificate**.

**Method 2: To register your certificate in Directory Service (AWS CLI)**
+ Run the following command. For the certificate data, point to the location of your CA certificate file. A certificate ID will be provided in the response.

  ```
  aws ds register-certificate --directory-id your_directory_id --certificate-data file://your_file_path
  ```

### Checking registration status
<a name="step2-check-registration-status-ldap-client-side"></a>

To see the status of a certificate registration or a list of registered certificates, use either of the following methods.

**Method 1: To check certificate registration status in Directory Service (AWS Management Console)**

1. Go to the **Client-side LDAPS** section on the **Directory details** page.

1. Review the current certificate registration state that is displayed under the **Registration status** column. When the registration status value changes to **Registered**, your certificate has been successfully registered.

**Method 2: To check certificate registration status in Directory Service (AWS CLI)**
+ Run the following command. If the status value returns `Registered`, your certificate has been successfully registered.

  ```
  aws ds list-certificates --directory-id your_directory_id
  ```

### Enabling client-side LDAPS
<a name="step3-enable-ldap-client-side"></a>

Use either of the following methods to enable client-side LDAPS in Directory Service.

**Note**  
You must have successfully registered at least one certificate before you can enable client-side LDAPS.

**Method 1: To enable client-side LDAPS in Directory Service (AWS Management Console)**

1. Go to the **Client-side LDAPS** section on the **Directory details** page.

1. Choose **Enable**. If this option is not available, verify that a valid certificate has been successfully registered, and then try again.

1. In the **Enable client-side LDAPS** dialog box, choose **Enable**.

**Method 2: To enable client-side LDAPS in Directory Service (AWS CLI)**
+ Run the following command.

  ```
  aws ds enable-ldaps --directory-id your_directory_id --type Client
  ```

### Checking LDAPS status
<a name="step4-check-status-ldap-client-side"></a>

Use either of the following methods to check the LDAPS status in Directory Service.

**Method 1: To check LDAPS status in Directory Service (AWS Management Console)**

1. Go to the **Client-side LDAPS** section on the **Directory details** page.

1. If the status value is displayed as **Enabled**, LDAPS has been successfully configured.

**Method 2: To check LDAPS status in Directory Service (AWS CLI)**
+ Run the following command. If the status value returns `Enabled`, LDAPS has been successfully configured.

  ```
  aws ds describe-ldaps-settings --directory-id your_directory_id
  ```

For more information on viewing your client-side LDAPS certificate, deregistering or disabling your LDAPS certificate, see [Managing client-side LDAPS](manage-ldap-client-side.md).

# Managing client-side LDAPS
<a name="manage-ldap-client-side"></a>

Use these commands to manage your LDAPS configuration.

You can use two different methods to manage client-side LDAPS settings. You can use either the AWS Management Console method or the AWS CLI method.

## View certificate details
<a name="describe-a-certificate-ldap-client-side"></a>

Use either of the following methods to see when a certificate is set to expire.

**Method 1: To view certificate details in Directory Service (AWS Management Console)**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, select **Directories**.

1. Choose the directory ID link for your directory.

1. On the **Directory details** page, choose the **Networking & security** tab.

1. In the **Client-side LDAPS** section, under **CA certificates**, information about the certificate will be displayed.

**Method 2: To view certificate details in Directory Service (AWS CLI)**
+ Run the following command. For the certificate ID, use the identifier returned by `register-certificate` or `list-certificates`. 

  ```
  aws ds describe-certificate --directory-id your_directory_id --certificate-id your_cert_id
  ```

## Deregister a certificate
<a name="dergister-a-certificate-ldap-client-side"></a>

Use either of the following methods to deregister a certificate.

**Note**  
If only one certificate is registered, you must first disable LDAPS before you can deregister the certificate.

**Method 1: To deregister a certificate in Directory Service (AWS Management Console)**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, select **Directories**.

1. Choose the directory ID link for your directory.

1. On the **Directory details** page, choose the **Networking & security** tab.

1. In the **Client-side LDAPS** section, choose **Actions**, and then choose **Deregister certificate**.

1. In the **Deregister a CA certificate** dialog box, choose **Deregister**.

**Method 2: To deregister a certificate in Directory Service (AWS CLI)**
+ Run the following command. For the certificate ID, use the identifier returned by `register-certificate` or `list-certificates`. 

  ```
  aws ds deregister-certificate --directory-id your_directory_id --certificate-id your_cert_id
  ```

## Disable client-side LDAPS
<a name="disable-client-side-ldaps"></a>

Use either of the following methods to disable client-side LDAPS.

**Method 1: To disable client-side LDAPS in Directory Service (AWS Management Console)**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, select **Directories**.

1. Choose the directory ID link for your directory.

1. On the **Directory details** page, choose the **Networking & security** tab.

1. In the **Client-side LDAPS** section, choose **Disable**.

1. In the **Disable client-side LDAPS** dialog box, choose **Disable**.

**Method 2: To disable client-side LDAPS in Directory Service (AWS CLI)**
+ Run the following command.

  ```
  aws ds disable-ldaps --directory-id your_directory_id --type Client
  ```

# Enabling mTLS authentication in AD Connector for use with smart cards
<a name="ad_connector_clientauth"></a>

You can use certificate-based mutual Transport Layer Security (mTLS) authentication with smart cards to authenticate users into Amazon WorkSpaces through your self-managed Active Directory (AD) and AD Connector. When enabled, users select their smart card at the WorkSpaces login screen and enter a PIN to authenticate, instead of using a username and password. From there, the Windows or Linux virtual desktop uses the smart card to authenticate into AD from the native desktop OS. 

**Note**  
Smart card authentication in AD Connector is only available in the following AWS Regions, and only with WorkSpaces. Other AWS applications are not supported at this time.  
US East (N. Virginia)  
US West (Oregon)  
Asia Pacific (Sydney)  
Asia Pacific (Tokyo)  
Europe (Ireland)  
AWS GovCloud (US-West)  
AWS GovCloud (US-East)

You can also deregister and disable the certificates.

**Topics**
+ [Prerequisites](#prereqs-clientauth)
+ [Enabling smart card authentication](#enable-clientauth)
+ [Managing smart card authentication settings](manage-clientauth.md)

## Prerequisites
<a name="prereqs-clientauth"></a>

To enable certificate-based mutual Transport Layer Security (mTLS) authentication using smart cards for the Amazon WorkSpaces client, you need an operational smart card infrastructure integrated with your self-managed Active Directory. For more information on how to set up smart card authentication with Amazon WorkSpaces and Active Directory, see the [Amazon WorkSpaces Administration Guide](https://docs.aws.amazon.com/workspaces/latest/adminguide/smart-cards.html).

Before you enable smart card authentication for WorkSpaces, please review the following prerequisites:
+ [CA certificate requirements](#ca-cert)
+ [User certificate requirements](#user-cert)
+ [Certificate revocation checking process](#ocsp)
+ [Considerations](#other)

### CA certificate requirements
<a name="ca-cert"></a>

AD Connector requires a certificate authority (CA) certificate, which represents the issuer of your user certificates, for smart card authentication. AD Connector validates the certificate presented from a user's smart card against the registered CA certificates. Note the following CA certificate requirements:
+ Before you can register a CA certificate, it must be more than 90 days away from expiration.
+ CA certificates must be in Privacy-Enhanced Mail (PEM) format. If you export CA certificates from inside Active Directory, choose Base64-encoded X.509 (.CER) as the export file format.
+ All root and intermediate CA certificates that chain from an issuing CA to user certificates must be uploaded for smart card authentication to succeed.
+ A maximum of 100 CA certificates can be stored per AD Connector directory.
+ AD Connector does not support the RSASSA-PSS signature algorithm for CA certificates.
+ Verify that the Certificate Propagation Service (the Windows service that makes a smart card's certificates available to the logged-on user) is set to Automatic and running.
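
The following shell script is an added example, not AWS code. It runs the requirements above, and the otherwise identical list for client-side LDAPS CA certificates (which differs only in its limit of five certificates per directory), against CA certificate files using nothing but openssl(1), so a certificate that would be refused at registration is caught before `aws ds register-certificate` is run. The file names in the usage comment are placeholders.

```sh
#!/bin/sh
# Pre-flight checks for CA certificates before "aws ds register-certificate".
# Added example, not AWS code; needs only openssl(1). It checks the
# requirements stated on this page: PEM encoding, more than 90 days to expiry,
# a signature algorithm other than RSASSA-PSS, and the per-directory limit
# (5 certificates for client-side LDAPS, 100 for smart card authentication).

MIN_DAYS=90

# check_ca_cert FILE -> exit 0 when FILE meets every requirement; otherwise
# prints each problem found and exits 1.
check_ca_cert() {
    f=$1
    rc=0
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        echo "$f: not PEM (export as Base64-encoded X.509 .CER, not binary DER)"
        return 1
    fi
    if ! openssl x509 -in "$f" -noout 2>/dev/null; then
        echo "$f: PEM header present but the certificate does not parse"
        return 1
    fi
    subject=$(openssl x509 -in "$f" -noout -subject)
    # -checkend exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$f" -noout -checkend $((MIN_DAYS * 86400)) >/dev/null; then
        echo "$f: expires within $MIN_DAYS days; registration will be refused"
        rc=1
    fi
    sigalg=$(openssl x509 -in "$f" -noout -text | awk '/Signature Algorithm/ {print $3; exit}')
    case "$sigalg" in
        rsassaPss|RSASSA-PSS)
            echo "$f: signed with RSASSA-PSS, which AD Connector does not support"
            rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "$f: OK ($subject, $sigalg)"
    fi
    return $rc
}

# check_ca_bundle LIMIT FILE... -> checks every file and the count against
# LIMIT. For smart card authentication pass the root and every intermediate
# CA, since the whole chain must be registered for authentication to succeed.
check_ca_bundle() {
    limit=$1; shift
    if [ "$#" -gt "$limit" ]; then
        echo "$# certificates given, but only $limit can be registered per directory"
        return 1
    fi
    rc=0
    for f in "$@"; do
        check_ca_cert "$f" || rc=1
    done
    return $rc
}

# Usage (placeholder file names):
#   check_ca_bundle 5 ca-root.pem                     # client-side LDAPS
#   check_ca_bundle 100 ca-root.pem ca-issuing.pem    # smart card CA chain
```

A non-zero exit from `check_ca_bundle` means at least one file would be rejected or the limit would be exceeded; fix the export or renew the CA certificate before registering.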

### User certificate requirements
<a name="user-cert"></a>

The following are some of the requirements for the user certificate:
+ The user's smart card certificate has a Subject Alternative Name (SAN) containing the user's userPrincipalName (UPN).
+ The user's smart card certificate has an Enhanced Key Usage that includes both Smart Card Logon (1.3.6.1.4.1.311.20.2.2) and Client Authentication (1.3.6.1.5.5.7.3.2).
+ The user's smart card certificate has an Online Certificate Status Protocol (OCSP) entry in its Authority Information Access extension, with Access Method = On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1).

For more information on AD Connector and smart card authentication requirements, see [Requirements](https://docs.aws.amazon.com//workspaces/latest/adminguide/smart-cards.html#smart-cards-requirements) in *Amazon WorkSpaces Administration Guide*. For help troubleshooting Amazon WorkSpaces issues, like logging into WorkSpaces, resetting password, or connecting to WorkSpaces, see [Troubleshoot WorkSpaces client issues](https://docs.aws.amazon.com//workspaces/latest/userguide/client_troubleshooting.html) in *Amazon WorkSpaces User Guide*.

### Certificate revocation checking process
<a name="ocsp"></a>

In order to perform smart card authentication, AD Connector must check the revocation status of user certificates using Online Certificate Status Protocol (OCSP). To perform certificate revocation checking, an OCSP responder URL must be internet-accessible. If using a DNS name, an OCSP responder URL must use a top-level domain found in the [Internet Assigned Numbers Authority (IANA) Root Zone Database](https://www.iana.org/domains/root/db). 

**Note**  
Directories created after October 7, 2025, require that OCSP servers used for SmartCard certificate validation be routable through your VPC's network configuration. If your OCSP server is not accessible via your VPC's routing tables, security groups, and network ACLs, SmartCard authentication will fail during certificate revocation checks. To resolve this issue, ensure that:  
Network Routing: Your VPC route tables allow traffic to reach your OCSP server from the subnets where your AD Connector directory instances are deployed.  
Security Groups: The security groups associated with your directory's network interfaces permit outbound traffic to your OCSP server on port 80 (HTTP).  
Network ACLs: Your subnet network ACLs allow bidirectional traffic to/from your OCSP server.  
Internet Gateway/NAT: If your OCSP server is internet-facing, ensure your VPC has appropriate internet gateway or NAT gateway configuration for the directory subnets. If your network type is IPv4, you will need to have NAT and internet gateway configured with your VPC.

AD Connector certificate revocation checking uses the following process:
+ AD Connector first checks the Authority Information Access (AIA) extension in the user certificate for an OCSP responder URL; if one is present, AD Connector uses that URL to check for revocation.
+ If AD Connector cannot resolve the URL found in the user certificate AIA extension, or find an OCSP responder URL in the user certificate, then AD Connector uses the optional OCSP URL provided during root CA certificate registration.

  If the URL in the user certificate AIA extension resolves but is unresponsive, then user authentication fails.
+ If the OCSP responder URL provided during root CA certificate registration cannot resolve, is unresponsive, or no OCSP responder URL was provided, user authentication fails.
+ The OCSP server must be compliant with [RFC 6960](https://datatracker.ietf.org/doc/html/rfc6960). Additionally, the OCSP server must support requests using the GET method for requests that are less than or equal to 255 bytes in total.

**Note**  
AD Connector requires an **HTTP** URL for the OCSP responder URL.

### Considerations
<a name="other"></a>

Before enabling smart card authentication in AD Connector, consider the following items:
+ AD Connector uses certificate-based mutual Transport Layer Security authentication (mutual TLS) to authenticate users to Active Directory using hardware or software-based smart card certificates. Only common access cards (CAC) and personal identity verification (PIV) cards are supported at this time. Other types of hardware or software-based smart cards might work but have not been tested for use with the WorkSpaces Streaming Protocol.
+ Smart card authentication replaces username and password authentication to WorkSpaces.

  If you have other AWS applications configured on your AD Connector directory with smart card authentication enabled, those applications still present the username and password input screen. 
+ Enabling smart card authentication limits the user session length to the maximum lifetime for Kerberos service tickets. This setting is configured through Group Policy and defaults to 10 hours. For more information on this setting, see [Microsoft documentation](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket).
+ The Kerberos encryption types supported by the AD Connector service account must match those supported by each domain controller.

## Enabling smart card authentication
<a name="enable-clientauth"></a>

To enable smart card authentication for WorkSpaces on your AD Connector, first you need to import your certificate authority (CA) certificates into AD Connector. You can import your CA certificates into AD Connector using AWS Directory Service console, [API](https://docs.aws.amazon.com/directoryservice/latest/devguide/welcome.html) or [CLI](https://docs.aws.amazon.com/cli/latest/reference/ds/index.html). Use the following steps to import your CA certificates and subsequently enable smart card authentication.

**Topics**
+ [Enabling Kerberos constrained delegation for the AD Connector service account](#step1)
+ [Registering the CA certificate in AD Connector](#step2)
+ [Enabling smart card authentication for supported AWS applications and services](#step3)

### Enabling Kerberos constrained delegation for the AD Connector service account
<a name="step1"></a>

To use smart card authentication with AD Connector, you must enable **Kerberos Constrained Delegation (KCD)** for the AD Connector Service account to the LDAP service in the self-managed AD directory.

Kerberos Constrained Delegation is a feature in Windows Server. This feature enables administrators to specify and enforce application trust boundaries by limiting the scope where application services can act on a user's behalf. For more information, see [Kerberos constrained delegation](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_key_concepts_kerberos.html). 

**Note**  
**Kerberos Constrained Delegation (KCD)** requires the username portion of the AD Connector service account to match the sAMAccountName of the same user. The sAMAccountName is restricted to 20 characters. sAMAccountName is a Microsoft Active Directory attribute used as a sign in name for prior versions of Windows clients and servers.

1. Use the `SetSpn` command to set a Service Principal Name (SPN) for the AD Connector service account in the self-managed AD. This enables the service account for delegation configuration.

   The SPN can be any service/name combination, but it must not duplicate an existing SPN. The `-s` option checks for duplicates before adding.

   ```
   setspn -s my/spn service_account
   ```

1. In **AD Users and Computers**, right-click the AD Connector service account and choose **Properties**.

1. Choose the **Delegation** tab.

1. Choose the **Trust this user for delegation to specified service only** and **Use any authentication protocol** options. **Use any authentication protocol** turns on Kerberos protocol transition, which lets the service account obtain service tickets for any user without that user's credentials, so keep the list of allowed services limited to the `ldap` service on your domain controllers.

1. Choose **Add** and then **Users or Computers** to locate the domain controller. 

1. Choose **OK** to display a list of available services used for delegation.

1. Choose the **ldap** service type and choose **OK**. 

1. Choose **OK** again to save the configuration.

1. Repeat this process for other domain controllers in the Active Directory. Alternatively you can automate the process using PowerShell.

### Registering the CA certificate in AD Connector
<a name="step2"></a>

Use either of the following methods to register a CA certificate for your AD Connector directory.

**Method 1: To register your CA certificate in AD Connector (AWS Management Console)**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, select **Directories**.

1. Choose the directory ID link for your directory.

1. On the **Directory details** page, choose the **Networking & security** tab.

1. In the **Smart card authentication** section, choose **Actions**, and then choose **Register certificate**.

1. In the **Register a certificate** dialog box, select **Choose file**, and then choose a certificate and choose **Open**. You can optionally choose to perform revocation checking for this certificate by providing an Online Certificate Status Protocol (OCSP) responder URL. For more information about OCSP, see [Certificate revocation checking process](#ocsp).

1. Choose **Register certificate**. When you see the certificate status change to **Registered**, the registration process has completed successfully. 

**Method 2: To register your CA certificate in AD Connector (AWS CLI)**
+ Run the following command. For the certificate data, point to the location of your CA certificate file. To provide a secondary OCSP responder address, use the optional `ClientCertAuthSettings` object. 

  ```
  aws ds register-certificate --directory-id your_directory_id --certificate-data file://your_file_path --type ClientCertAuth --client-cert-auth-settings OCSPUrl=http://your_OCSP_address
  ```

  If successful, the response provides a certificate ID. You can also verify your CA certificate registered successfully by running the following CLI command:

  ```
  aws ds list-certificates --directory-id your_directory_id
  ```

  If the status value returns `Registered`, you have successfully registered your certificate.

### Enabling smart card authentication for supported AWS applications and services
<a name="step3"></a>

Use either of the following methods to enable smart card authentication for your AD Connector directory.

**Method 1: To enable smart card authentication in AD Connector (AWS Management Console)**

1. Navigate to the **Smart card authentication** section on the **Directory details** page, and choose **Enable**. If this option is not available, verify that a valid certificate has been successfully registered, and then try again.

1. In the **Enable smart card authentication** dialog box, select **Enable**.

**Method 2: To enable smart card authentication in AD Connector (AWS CLI)**
+ Run the following command.

  ```
  aws ds enable-client-authentication --directory-id your_directory_id --type SmartCard
  ```

  If successful, AD Connector returns an `HTTP 200` response with an empty HTTP body.

For more information on viewing your certificate, deregistering or disabling your certificate, see [Managing smart card authentication settings](manage-clientauth.md).
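
As an added example, not AWS code, the following shell script drives both enabling procedures on this page: client-side LDAPS (register the CA, wait for **Registered**, enable, wait for **Enabled**) and smart card authentication (register every CA in the chain with the optional OCSP URL, then enable). It runs the CLI commands shown above and polls the states the API reports instead of assuming each step completed. It assumes AWS CLI v2 with the `ds:` permissions named in the comments; directory IDs, hostnames and file names in the usage note are placeholders. `preflight_dc` is the check to run against every domain controller before enabling LDAPS, because there is no fallback to port 389 once it is on.

```sh
#!/bin/sh
# Drive register -> wait -> enable -> wait for client-side LDAPS and for
# smart card authentication on an AD Connector, checking each state instead
# of assuming the next command will succeed. Added example, not AWS code.
# Assumes AWS CLI v2 with ds:RegisterCertificate, ds:DescribeCertificate,
# ds:EnableLDAPS, ds:DescribeLDAPSSettings and ds:EnableClientAuthentication.
# Field names (Certificate.State, LDAPSSettingsInfo[].LDAPSStatus) are those
# of the DescribeCertificate and DescribeLDAPSSettings responses.

POLL_SECONDS=${POLL_SECONDS:-15}
POLL_LIMIT=${POLL_LIMIT:-40}

# cert_state DIR_ID CERT_ID -> Registering | Registered | RegisterFailed | ...
cert_state() {
    aws ds describe-certificate --directory-id "$1" --certificate-id "$2" \
        --query 'Certificate.State' --output text
}

# ldaps_status DIR_ID -> Enabling | Enabled | EnableFailed | Disabled | ...
ldaps_status() {
    aws ds describe-ldaps-settings --directory-id "$1" --type Client \
        --query 'LDAPSSettingsInfo[0].LDAPSStatus' --output text
}

# wait_until WANT CMD ARGS... -> polls CMD until it prints WANT (exit 0);
# exits 1 on any state ending in "Failed" or when POLL_LIMIT is reached.
wait_until() {
    want=$1; shift
    n=0
    while [ "$n" -lt "$POLL_LIMIT" ]; do
        state=$("$@") || return 1
        if [ "$state" = "$want" ]; then return 0; fi
        case "$state" in *Failed) echo "state is $state" >&2; return 1 ;; esac
        n=$((n + 1)); sleep "$POLL_SECONDS"
    done
    echo "gave up waiting for $want" >&2
    return 1
}

# register_ca DIR_ID CA_PEM [TYPE] [OCSP_URL] -> registers CA_PEM, waits for
# Registered and prints the certificate ID. TYPE is ClientLDAPS (default) or
# ClientCertAuth; OCSP_URL is the fallback responder AD Connector uses only
# when the user certificate's AIA extension yields no usable URL.
register_ca() {
    dir=$1; ca=$2; type=${3:-ClientLDAPS}; ocsp=$4
    set -- --directory-id "$dir" --certificate-data "file://$ca" --type "$type"
    if [ -n "$ocsp" ]; then
        set -- "$@" --client-cert-auth-settings "OCSPUrl=$ocsp"
    fi
    id=$(aws ds register-certificate "$@" --query CertificateId --output text) || return 1
    wait_until Registered cert_state "$dir" "$id" || return 1
    echo "$id"
}

# enable_client_ldaps DIR_ID CA_PEM -> register, enable, wait for Enabled.
enable_client_ldaps() {
    register_ca "$1" "$2" ClientLDAPS >/dev/null || return 1
    aws ds enable-ldaps --directory-id "$1" --type Client || return 1
    wait_until Enabled ldaps_status "$1"
}

# enable_smart_card DIR_ID OCSP_URL CA_PEM... -> registers every root and
# intermediate CA (the whole chain is required), then enables smart card
# authentication. EnableClientAuthentication has no status to poll; an
# HTTP 200 with an empty body is success.
enable_smart_card() {
    dir=$1; ocsp=$2; shift 2
    for ca in "$@"; do
        register_ca "$dir" "$ca" ClientCertAuth "$ocsp" >/dev/null || return 1
    done
    aws ds enable-client-authentication --directory-id "$dir" --type SmartCard
}

# preflight_dc DC_FQDN CA_PEM -> exit 0 if the domain controller answers on
# TCP 636 with a certificate that chains to CA_PEM and names DC_FQDN. Run it
# for every domain controller before enable_client_ldaps: once enabled, AWS
# application traffic uses port 636 only, with no fallback to 389.
preflight_dc() {
    openssl s_client -connect "$1:636" -CAfile "$2" -verify_hostname "$1" \
        -verify_return_error </dev/null >/dev/null 2>&1
}
```

Typical use, with placeholder names: `preflight_dc dc1.corp.example.com ca-root.pem` for each domain controller, then `enable_client_ldaps d-1234567890 ca-root.pem`; for smart cards, `enable_smart_card d-1234567890 http://ocsp.corp.example.com/ ca-root.pem ca-issuing.pem`. Because `wait_until` stops on any `*Failed` state, a bad certificate never gets as far as the enable call.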

# Managing smart card authentication settings
<a name="manage-clientauth"></a>

You can use two different methods to manage smart card settings. You can use either the AWS Management Console method or the AWS CLI method.

**Topics**
+ [View certificate details](#describe-a-certificate-clientauth)
+ [Deregister a certificate](#dergister-a-certificate-clientauth)
+ [Disable smart card authentication](#disable-smart-card-clientauth)

## View certificate details
<a name="describe-a-certificate-clientauth"></a>

Use either of the following methods to see when a certificate is set to expire.

**Method 1: To view certificate details in Directory Service (AWS Management Console)**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, select **Directories**.

1. Choose the directory ID link for your AD Connector directory.

1. On the **Directory details** page, choose the **Networking & security** tab.

1. In the **Smart card authentication** section, under **CA certificates**, choose the certificate ID to display details about that certificate.

**Method 2: To view certificate details in Directory Service (AWS CLI)**
+ Run the following command. For the certificate ID, use the identifier returned by `register-certificate` or `list-certificates`. 

  ```
  aws ds describe-certificate --directory-id your_directory_id --certificate-id your_cert_id
  ```

## Deregister a certificate
<a name="dergister-a-certificate-clientauth"></a>

Use either of the following methods to deregister a certificate.

**Note**  
If only one certificate is registered, you must first disable smart card authentication before you can deregister the certificate.

**Method 1: To deregister a certificate in Directory Service (AWS Management Console)**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, select **Directories**.

1. Choose the directory ID link for your AD Connector directory.

1. On the **Directory details** page, choose the **Networking & security** tab.

1. In the **Smart card authentication** section, under **CA certificates**, select the certificate you want to deregister, choose **Actions**, and then choose **Deregister certificate**. 
**Important**  
Ensure that the certificate you are about to deregister is not currently in use as part of a CA certificate chain for smart card authentication.

1. In the **Deregister a CA certificate** dialog box, choose **Deregister**.

**Method 2: To deregister a certificate in Directory Service (AWS CLI)**
+ Run the following command. For the certificate ID, use the identifier returned by `register-certificate` or `list-certificates`. 

  ```
  aws ds deregister-certificate --directory-id your_directory_id --certificate-id your_cert_id
  ```
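
A check that ties the `list-certificates` and `describe-certificate` steps above to the deregistration note, added here as an example rather than code from the AWS documentation: it reads the JSON that `aws ds list-certificates` prints, reports registered CA certificates that are close to expiry, and flags when only one certificate is registered (so smart card authentication must be disabled before deregistering it). The sample JSON, its timestamps and the `fetch_certificates` wrapper are assumptions; the field names follow the ListCertificates API output.

```python
"""Added example (not from the AWS documentation): flag AD Connector smart card CA
certificates nearing expiry and apply the note that a sole registered certificate
cannot be deregistered until smart card authentication is disabled. Field names
follow the ListCertificates API output; the sample JSON below is constructed."""
import json
import subprocess
from datetime import datetime, timezone

# Constructed stand-in for `aws ds list-certificates --directory-id <id>` output.
SAMPLE_LIST_OUTPUT = """{"CertificatesInfo": [
  {"CertificateId": "c-1111111111111111111", "CommonName": "Corp Issuing CA 1",
   "State": "Registered", "ExpiryDateTime": "2025-02-10T00:00:00+00:00"},
  {"CertificateId": "c-2222222222222222222", "CommonName": "Corp Issuing CA 2",
   "State": "Registered", "ExpiryDateTime": "2027-09-01T00:00:00+00:00"},
  {"CertificateId": "c-3333333333333333333", "CommonName": "Retired CA",
   "State": "Deregistered", "ExpiryDateTime": "2024-01-01T00:00:00+00:00"}]}"""
SAMPLE_NOW = datetime(2025, 1, 20, tzinfo=timezone.utc)  # fixed clock for the sample

def fetch_certificates(directory_id: str) -> list:
    """Run the AWS CLI command from the documentation (needs AWS credentials)."""
    cmd = ["aws", "ds", "list-certificates", "--directory-id", directory_id, "--output", "json"]
    return load_certificates(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)

def load_certificates(json_text: str) -> list:
    """Parse list-certificates JSON into the list of certificate records."""
    return json.loads(json_text)["CertificatesInfo"]

def expiring_certificates(certs: list, now: datetime, warn_days: int = 30) -> list:
    """(CertificateId, CommonName, days_left) for registered certificates expiring within
    warn_days, soonest first; a negative days_left means the certificate already expired."""
    hits = []
    for cert in certs:
        if cert.get("State") != "Registered":
            continue  # deregistered or failed registrations cannot authenticate users
        days_left = (datetime.fromisoformat(cert["ExpiryDateTime"]) - now).days
        if days_left <= warn_days:
            hits.append((cert["CertificateId"], cert["CommonName"], days_left))
    return sorted(hits, key=lambda hit: hit[2])

def requires_disable_first(certs: list) -> bool:
    """True when exactly one certificate is registered: smart card authentication must be
    disabled before that last certificate can be deregistered."""
    return sum(1 for cert in certs if cert.get("State") == "Registered") == 1

if __name__ == "__main__":
    sample = load_certificates(SAMPLE_LIST_OUTPUT)  # or fetch_certificates("d-...")
    for cert_id, name, days in expiring_certificates(sample, SAMPLE_NOW):
        print(f"{cert_id} ({name}): {days} days until expiry")
    print("disable smart card auth before deregistering:", requires_disable_first(sample))
```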

## Disable smart card authentication
<a name="disable-smart-card-clientauth"></a>

Use either of the following methods to disable smart card authentication.

**Method 1: To disable smart card authentication in Directory Service (AWS Management Console)**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, select **Directories**.

1. Choose the directory ID link for your AD Connector directory.

1. On the **Directory details** page, choose the **Networking & security** tab.

1. In the **Smart card authentication** section, choose **Disable**.

1. In the **Disable smart card authentication** dialog box, choose **Disable**.

**Method 2: To disable smart card authentication in Directory Service (AWS CLI)**
+ Run the following command.

  ```
  aws ds disable-client-authentication --directory-id your_directory_id --type SmartCard
  ```

# Updating your AD Connector service account credentials in AWS Management Console
<a name="ad_connector_update_creds"></a>

The AD Connector credentials you provide in Directory Service represent the service account that is used to access your existing on-premises directory. You can modify the service account credentials in Directory Service by performing the following steps.

**Note**  
If AWS IAM Identity Center is enabled for the directory, Directory Service must transfer the service principal name (SPN) from the current service account to the new service account. If the current service account does not have permission to delete the SPN or the new service account does not have permission to add the SPN, you are prompted for the credentials of a directory account that does have permission to perform both actions. These credentials are only used to transfer the SPN and are not stored by the service.

**To update your AD Connector service account credentials in Directory Service**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, under **Active Directory**, choose **Directories**.

1. Choose the directory ID link for your directory.

1. On the **Directory details** page, scroll down to the **Service account credentials** section.

1. In the **Service account credentials** section, choose **Update**. 

1. In the **Update service account credentials** dialog box, type the service account username and password. Reenter the password to confirm it and then choose **Update**.

# Set up AWS Private CA Connector for AD
<a name="ad_connector_pca_connector"></a>

You can integrate your self-managed Active Directory with AWS Private Certificate Authority using AD Connector to issue and manage certificates for your AD domain-joined users, groups, and machines. AWS Private CA Connector for AD provides a fully managed AWS Private CA as a drop-in replacement for your self-managed enterprise CAs without requiring you to deploy, patch, or update local agents or proxy servers.

You can set up this integration through the Directory Service console, the AWS Private CA Connector for AD console, or by calling the [CreateTemplate](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API-CreateTemplate.html) API. To use the AWS Private CA Connector for Active Directory console, see [AWS Private CA Connector for Active Directory](https://docs.aws.amazon.com/privateca/latest/userguide/connector-for-ad.html). The following sections describe how to set up this integration from the Directory Service console.

## Prerequisites
<a name="ad_connector_pca_connector_pre-reqs"></a>

For setup instructions, see [Set up Connector for AD](https://docs.aws.amazon.com/privateca/latest/userguide/connector-for-ad-getting-started-prerequisites.html) in the AWS Private CA Connector for AD User Guide.

## Setting up AWS Private CA Connector for AD
<a name="ad_connector_pca_connector_set_up"></a>

**To create a Private CA connector for Active Directory**

1. Sign in to the AWS Management Console and open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1. On the **Directories** page, choose your directory ID.

1. Under the **Application Management** tab and **AWS apps & services** section, choose **AWS Private CA Connector for AD**.

1. On the **Create Private CA certificate for Active Directory** page, complete the steps to create your Private CA for Active Directory connector.

For more information, see [Creating a connector](https://docs.aws.amazon.com/privateca/latest/userguide/create-connector-for-ad.html).

## View your AWS Private CA Connector for AD
<a name="ad_connector_pca_connector_view"></a>

**To view Private CA connector details**

1. Sign in to the AWS Management Console and open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1. On the **Directories** page, choose your directory ID.

1. Under the **Application Management** tab and **AWS apps & services** section, view your Private CA connectors and associated Private CA. The following fields display:

   1. **AWS Private CA Connector ID** – The unique identifier for an AWS Private CA connector. Choose it to view the details page.

   1. **AWS Private CA subject** – Information regarding the distinguished name for the CA. Choose it to view the details page.

   1. **Status** – Status check results for the AWS Private CA Connector and AWS Private CA:
      + **Active** – Both checks pass
      + **1/2 checks failed** – One check fails
      + **Failed** – Both checks fail

      For failed status details, hover over the hyperlink to see which check failed.

   1. **DC Certificates Enrollment status** – Whether certificate enrollment for domain controllers is enabled:
      + **Enabled** – Certificate enrollment is enabled
      + **Disabled** – Certificate enrollment is disabled

   1. **Date created** – When the AWS Private CA Connector was created.

For more information, see [View connector details](https://docs.aws.amazon.com/privateca/latest/userguide/view-connector-for-ad.html).

## Verify certificate issuance to AD users
<a name="ms_ad_pca_connector_confirm"></a>

Complete the following steps to confirm that AWS Private CA is issuing certificates to your self-managed Active Directory:
+ Restart your on-premises domain controllers.
+ View your certificates with Microsoft Management Console. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in).