A public key infrastructure (PKI) creates, manages, distributes, stores, and revokes digital certificates. Windows environments use digital certificates to secure several kinds of connections, including Microsoft Active Directory lookups over LDAPS (Lightweight Directory Access Protocol over Secure Sockets Layer), Internet Information Services (IIS) HTTPS connections, Exchange Server communications, and Windows Server Update Services (WSUS).
With a Windows-hosted PKI in an Amazon Web Services (AWS) account, you can maintain your own certificates. This capability helps you reduce insecure, unsigned network traffic. To deploy a PKI environment on Windows, you install and configure certification authority (CA) roles on one or more Windows servers.
This Microsoft PKI solution deploys both a root CA and a subordinate CA. The root CA is the trust anchor for an Active Directory forest: its certificate signs the subordinate CA's certificate, and the subordinate CA in turn issues the server and application certificates. The solution automatically generates an initial root certificate and then powers off the root CA's Amazon Elastic Compute Cloud (Amazon EC2) instance. This instance stays offline except when a new root certificate needs to be generated, which helps protect the root key and the integrity of the root certificate.
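The following PowerShell sequence is an added example of the two-tier layout described above (an offline standalone root signing an enterprise subordinate); it is not the AWS solution's own automation. The CA names, the `pki.example.com` CDP/AIA host, the file paths and the instance ID are assumed placeholders. The commands are the standard AD CS cmdlets and `certutil`/`certreq` calls; the parts that matter for an offline root are the long CRL period and the HTTP publication URLs, because once the root instance is stopped nothing can reach it to fetch its CRL or certificate.

```powershell
# Added example (not the AWS solution's code): two-tier AD CS with an offline root.
# Names, hostnames, paths and the instance ID below are assumed placeholders.

# ---------- 1. ROOT CA (standalone, workgroup member, run as local Administrator) ----------
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName 'Example-Root-CA' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# The root will be powered off, so its CRL must stay valid for a long time and
# must be fetchable from a host that stays online (assumed: pki.example.com).
# Flags: 1 = publish to this location, 2 = put this URL in issued certs' CDP/AIA.
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLPublicationURLs '1:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.example.com/CertEnroll/%3%8%9.crl'
certutil -setreg CA\CACertPublicationURLs '1:C:\Windows\System32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.example.com/CertEnroll/%1_%3%4.crt'
Restart-Service certsvc
certutil -crl                                   # publish a CRL with the new settings

# Export the root certificate so the subordinate and the forest can trust it.
certutil -ca.cert 'C:\Transfer\Example-Root-CA.cer'

# ---------- 2. SUBORDINATE CA (domain-joined, run as Enterprise Admin) ----------
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# This only generates the key pair and a request file; the CA is not usable yet.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCA `
    -CACommonName 'Example-Issuing-CA' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -OutputCertRequestFile 'C:\Transfer\Example-Issuing-CA.req' `
    -Force

# ---------- 3. Back on the ROOT CA: sign the subordinate's request ----------
# A standalone CA leaves requests pending by default; issue it explicitly.
# (Replace the request ID with the one certreq prints.)
certreq -submit -config 'ROOTHOST\Example-Root-CA' 'C:\Transfer\Example-Issuing-CA.req'
certutil -resubmit 2
certreq -retrieve -config 'ROOTHOST\Example-Root-CA' 2 'C:\Transfer\Example-Issuing-CA.cer'
# Copy Example-Root-CA.cer, the root CRL and Example-Issuing-CA.cer off the root,
# then stop the instance so the root key is offline again (AWS Tools for PowerShell).
Stop-EC2Instance -InstanceId 'i-0123456789abcdef0'   # assumed instance ID

# ---------- 4. SUBORDINATE CA: publish trust, install its certificate, start ----------
certutil -dspublish -f 'C:\Transfer\Example-Root-CA.cer' RootCA   # root into AD trust store
certutil -dspublish -f 'C:\Transfer\Example-Root-CA.crl'          # root CRL into AD
certutil -installcert 'C:\Transfer\Example-Issuing-CA.cer'
Start-Service certsvc

# ---------- 5. Check: the chain must validate with the root powered off ----------
# -urlfetch follows the AIA/CDP URLs embedded in the certificate; a failure here
# means clients will also fail revocation checking once the root is gone.
certutil -verify -urlfetch 'C:\Transfer\Example-Issuing-CA.cer'
```

Run steps 1 and 3 on the root host and steps 2, 4 and 5 on the subordinate; the only thing that travels between them is the request file, the issued certificate, and the root's certificate and CRL. Before each scheduled root CRL expiry the root has to be powered on once to run `certutil -crl` and the new CRL copied to the HTTP location, which is the one recurring operational task an offline root imposes.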
https://aws.amazon.com/solutions/implementations/microsoft-pki/