PingID Administration Guide

Creating an issuance certificate in PingOne

The PingID Windows Login - Passwordless solution uses Certificate-Based Authentication (CBA), so a certificate is required for each user who will be logging in. This requires that you create an "issuance" certificate in PingOne and then publish that certificate to Active Directory and to end users' computers.

Steps

  1. Create an issuance certificate in PingOne, following the instructions in Adding a certificate and key pair in the PingOne documentation. When creating the certificate, set the Usage Type to Issuance and for the Signature Algorithm select SHA256withRSA.

  2. Publish the issuance (CA) certificate to Active Directory: certutil -dspublish -f <CA certificate filename> NTAuthCA

  3. To verify that the certificate was published, run the following command and make sure that you see the CA certificate in the list: certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain name>"

  4. Import the CA certificate in the Group Policy Management Console (GPMC) so that it is distributed to end users' computers:

    1. Open the Group Policy Management Console (GPMC).

    2. Locate the relevant domain.

    3. Locate the group policy you will be using.

    4. Under Computer Configuration\Windows Settings\Security Settings\Public Key Policies, select Trusted Root Certification Authorities and import the CA certificate.
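As an added example that is not part of the PingID guide, the following PowerShell script checks the results of steps 3 and 4 from a domain-joined computer: it reads the NTAuthCertificates object through ADSI, compares its entries with the exported issuance certificate by thumbprint, lists any other CAs present in that store (each of them is trusted for certificate logon, so unexpected entries deserve a look), and then confirms the certificate reached the local Trusted Root store after Group Policy applied. The certificate file path is a parameter you supply; the ADSI lookup is this example's approach, whereas the guide itself uses certutil.

```powershell
# Verify-PingIdIssuanceCa.ps1 (added example, not from the PingID guide)
# Run on a domain-joined computer with read access to the Configuration
# naming context. Exits non-zero if the issuance CA is missing anywhere.
param(
    # Path to the exported PingOne issuance (CA) certificate (.cer/.crt).
    [Parameter(Mandatory = $true)]
    [string]$CaCertPath
)

$x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$expected = New-Object $x509 -ArgumentList $CaCertPath
Write-Output "Expected issuance CA: $($expected.Subject) [$($expected.Thumbprint)]"
if ($expected.NotAfter -lt (Get-Date)) {
    Write-Warning "Issuance CA certificate expired on $($expected.NotAfter)"
}

# Step 3 check: locate NTAuthCertificates in the Configuration partition.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.Properties['configurationNamingContext'].Value
$ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"

# cACertificate is multi-valued; every value is one DER-encoded certificate.
$published = @()
foreach ($der in $ntAuth.Properties['cACertificate']) {
    $published += New-Object $x509 -ArgumentList (,[byte[]]$der)
}

$failed = $false
if ($published.Thumbprint -contains $expected.Thumbprint) {
    Write-Output 'OK: issuance CA is present in NTAuthCertificates'
} else {
    Write-Output 'MISSING: issuance CA not found in NTAuthCertificates (re-run certutil -dspublish)'
    $failed = $true
}
# Every other certificate here is also trusted for domain certificate logon;
# review the list so that only intended CAs remain.
$published | Where-Object { $_.Thumbprint -ne $expected.Thumbprint } | ForEach-Object {
    Write-Output "Also in NTAuth: $($_.Subject) [$($_.Thumbprint)] expires $($_.NotAfter)"
}

# Step 4 check: after Group Policy applies, the CA must be in LocalMachine\Root.
$inRoot = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $expected.Thumbprint }
if ($inRoot) {
    Write-Output 'OK: issuance CA is in the local Trusted Root Certification Authorities store'
} else {
    Write-Output 'MISSING: issuance CA not in LocalMachine\Root (check GPO scope, then run gpupdate /force)'
    $failed = $true
}
if ($failed) { exit 1 }
```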