---
title: Creating an issuance certificate in PingOne
description: The PingID Windows Login - Passwordless solution uses certificate-based authentication (CBA), so a certificate is required for each user that will sign on. This requires that you create an issuance certificate in PingOne, and then publish the certificate.
component: pingid
page_id: pingid:pingid_integrations:pid_creating_issuance_certificate_in_p1
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_creating_issuance_certificate_in_p1.html
revdate: May 24, 2026
section_ids:
  steps: Steps
---

# Creating an issuance certificate in PingOne

The PingID Windows Login - Passwordless solution uses certificate-based authentication (CBA), so a certificate is required for each user that will sign on. This requires that you create an *issuance* certificate in PingOne, and then publish the certificate.

## Steps

1. Create an issuance certificate in PingOne, following the instructions in [Adding a certificate and key pair](http://docs.pingidentity.com/pingone/settings/p1_addcertificate.html) in the PingOne documentation. When creating the certificate, set the **Usage Type** to **Issuance**, and for the **Signature Algorithm**, select **SHA256withRSA**.

2. Publish the issuance (CA) certificate.

   * **To publish to Active Directory**: `certutil -dspublish -f <CA certificate filename> NTAuthCA`

   * **To publish to the Microsoft Entra admin center**:

     * Select **Entra ID > Certificate authorities**.

     * Upload the root CA certificate you created in the previous step.

3. To verify that the certificate was published:

   * **Active Directory**: Run the following command and make sure that you see the CA certificate in the list: `certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain name>"`

   * **Microsoft Entra admin center**: Go to **Entra ID > Certificate authorities** and verify that the CA certificate is listed.

4. **Active Directory**: Import the CA certificate in the Group Policy Management Console (GPMC) in order to publish the CA certificate to end users' computers:

   1. Open the Group Policy Management Console (GPMC).

   2. Locate the relevant domain.

   3. Locate the group policy you will be using.

   4. Under **Computer Configuration\Windows Settings\Security Settings\Public Key Policies**, select **Trusted Root Certification Authorities** and import the CA certificate.
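
Because a CA published to NTAuth is trusted by Active Directory for certificate-based logon, it is worth checking the exported file before running steps 2 and 3. The script below is an added example, not part of the PingOne documentation: it confirms the SHA256withRSA setting from step 1, prints the thumbprint, and then runs the two `certutil` commands shown above. The script name, its parameters, and the Basic Constraints check are assumptions of this example.

```powershell
# Publish-IssuanceCert.ps1 (hypothetical name; added example, not Ping Identity code).
# Run elevated on a domain-joined machine with rights to publish to AD.
param(
    [Parameter(Mandatory)] [string] $CertPath,  # exported issuance (CA) certificate file
    [switch] $Publish                           # without this switch only the checks run
)

$file = (Resolve-Path $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)
$problems = @()

# Step 1 selects SHA256withRSA; its OID is 1.2.840.113549.1.1.11 (sha256RSA).
if ($cert.SignatureAlgorithm.Value -ne '1.2.840.113549.1.1.11') {
    $problems += "Signature algorithm is $($cert.SignatureAlgorithm.FriendlyName), expected sha256RSA"
}

# Do not publish a certificate that is expired or not yet valid.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

# Assumption of this example: an issuance certificate carries Basic Constraints CA=true.
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    Write-Warning 'Basic Constraints does not mark this certificate as a CA; confirm it is the issuance certificate.'
}

# Record these values; the thumbprint is what you match in the verification step.
"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Certificate failed the pre-publication checks; nothing was published.'
}
if (-not $Publish) { 'Checks passed. Re-run with -Publish to publish to NTAuth.'; return }

# Step 2: publish to the NTAuth store in Active Directory.
certutil -dspublish -f $file NTAuthCA
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }

# Step 3: open the NTAuth store and look for the thumbprint printed above.
$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
```

Running it without `-Publish` performs only the checks, so the thumbprint can be compared with the certificate shown in PingOne before anything is written to the directory.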
