PingID Administration Guide

Creating an issuance certificate in PingOne

The PingID Windows Login - Passwordless solution uses certificate-based authentication (CBA), so a certificate is required for each user who will sign on. This requires that you create an issuance certificate in PingOne and then publish the certificate.

Steps

  1. Create an issuance certificate in PingOne, following the instructions in Adding a certificate and key pair in the PingOne documentation. When creating the certificate, set the Usage Type to Issuance, and for the Signature Algorithm, select SHA256withRSA.

  2. Publish the issuance (CA) certificate.

    • To publish to Active Directory: certutil -dspublish -f <CA certificate filename> NTAuthCA

    • To publish to the Microsoft Entra admin center:

      • Select Entra ID > Certificate authorities.

      • Upload the root CA certificate you created in the previous step.

  3. To verify that the certificate was published:

    • Active Directory: Run the following command and make sure that you see the CA certificate in the list: certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain name>"

    • Microsoft Entra Admin Center: Go to Entra ID > Certificate authorities and verify that the CA certificate is listed.

  4. Active Directory: Import the CA certificate in the Group Policy Management Console (GPMC) to publish the CA certificate to end users' computers:

    1. Open the Group Policy Management Console (GPMC).

    2. Locate the relevant domain.

    3. Locate the group policy you will be using.

    4. Under Computer Configuration\Windows Settings\Security Settings\Public Key Policies, select Trusted Root Certification Authorities and import the CA certificate.
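The following PowerShell script is an added example, not part of the PingID guide, that checks the issuance certificate against the requirements above (SHA256withRSA), publishes it to the NTAuth store with the certutil command from step 2, and then verifies the publication non-interactively instead of through the certutil -viewstore GUI. It assumes the RSAT ActiveDirectory module is installed, the caller is a domain member with read access to the Configuration partition, and the certificate path is a placeholder to replace.

```powershell
# Added example: validate, publish and verify a PingOne issuance (CA) certificate.
# Assumptions: RSAT ActiveDirectory module present; the path below is a placeholder.
param(
    [string]$CaCertPath = 'C:\pingid\pingone-issuance-ca.cer'   # placeholder path
)

Import-Module ActiveDirectory

$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaCertPath)

# 1. The guide requires SHA256withRSA; Windows reports that algorithm as "sha256RSA".
if ($ca.SignatureAlgorithm.FriendlyName -ne 'sha256RSA') {
    throw "Issuance certificate must use SHA256withRSA, found $($ca.SignatureAlgorithm.FriendlyName)"
}

# 2. Publish to NTAuth (step 2 of the guide). certutil is an external exe, so check its exit code.
certutil -dspublish -f $CaCertPath NTAuthCA | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "certutil -dspublish failed with exit code $LASTEXITCODE"
}

# 3. Verify publication (step 3) by reading the cACertificate attribute of the
#    NTAuthCertificates object in the Configuration partition and comparing thumbprints.
$configNC = (Get-ADRootDSE).configurationNamingContext
$ntAuthDn = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
$ntAuth   = Get-ADObject -Identity $ntAuthDn -Properties cACertificate

$publishedThumbprints = foreach ($raw in $ntAuth.cACertificate) {
    ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)).Thumbprint
}
if ($publishedThumbprints -notcontains $ca.Thumbprint) {
    throw "CA $($ca.Thumbprint) is not present in NTAuthCertificates"
}
Write-Host "NTAuth contains $($ca.Subject) ($($ca.Thumbprint))"

# 4. Once the GPO from step 4 has applied, the CA must also appear in the local
#    machine's Trusted Root store on each workstation that will use CBA sign-on.
$inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if (-not $inRoot) {
    Write-Warning "CA not yet in Trusted Root on this machine; run 'gpupdate /force' and re-check"
}
```

Run it on a domain-joined workstation after the GPO has had time to apply; a missing Trusted Root entry with a successful NTAuth check points at group policy scope or replication rather than at the PingOne certificate itself.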