Creating an issuance certificate in PingOne
The PingID Windows Login - Passwordless solution uses Certificate-Based Authentication (CBA), and therefore a certificate is required for each user that will be logging in. This requires that you create an "issuance" certificate in PingOne and then publish that certificate to Active Directory.
Steps
- Create an issuance certificate in PingOne, following the instructions in Adding a certificate and key pair in the PingOne documentation. When creating the certificate, set the Usage Type to Issuance and for the Signature Algorithm select SHA256withRSA.
- Publish the issuance (CA) certificate to Active Directory:
  certutil -dspublish -f <CA certificate filename> NTAuthCA
- To verify that the certificate was published, run the following command and make sure that you see the CA certificate in the list:
  certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain name>"
- Import the CA certificate in the Group Policy Management Console (GPMC) in order to publish the CA certificate to end users' computers:
  - Open the Group Policy Management Console (GPMC).
  - Locate the relevant domain.
  - Locate the group policy you will be using.
  - Under Computer Configuration\Windows Settings\Security Settings\Public Key Policies, select Trusted Root Certification Authorities and import the CA certificate.
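As an added check (example script, not part of the PingOne documentation), the following PowerShell verifies that the exported issuance certificate uses SHA256withRSA and is marked as a CA before it touches the directory, publishes it with the same certutil command as the procedure if it is not already in the NTAuthCertificates object, and then confirms by thumbprint that it landed. The certificate path is a placeholder; it assumes a domain account that can read the forest Configuration partition and publish to NTAuth.

```powershell
# Added example, not from the PingOne documentation. $CertPath is a placeholder
# for the issuance certificate exported from PingOne (DER or Base64 .cer).
param(
    [string]$CertPath = '.\pingone-issuance.cer'
)

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $CertPath).Path)

# 1. The procedure requires SHA256withRSA; certutil publishes whatever it is given,
#    so check the signature algorithm before touching the directory.
if ($cert.SignatureAlgorithm.FriendlyName -ne 'sha256RSA') {
    throw "Unexpected signature algorithm: $($cert.SignatureAlgorithm.FriendlyName)"
}

# 2. Only a CA certificate belongs in NTAuth: Basic Constraints must say cA=TRUE.
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Certificate '$($cert.Subject)' is not a CA certificate"
}

# 3. Bind to the NTAuthCertificates object in the forest Configuration partition
#    (the same object the certutil -viewstore command in the procedure opens).
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
$ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"

function Get-NtAuthThumbprints {
    # cACertificate is multi-valued; each value is one DER-encoded certificate.
    $ntAuth.psbase.RefreshCache()
    foreach ($der in $ntAuth.psbase.Properties['cACertificate']) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der).Thumbprint
    }
}

if ((Get-NtAuthThumbprints) -contains $cert.Thumbprint) {
    Write-Output "Already in NTAuth: $($cert.Subject) [$($cert.Thumbprint)]"
    return
}

# 4. Same command as the procedure; -f is certutil's force-overwrite flag.
certutil -dspublish -f $CertPath NTAuthCA
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }

# 5. Confirm by thumbprint rather than trusting certutil's success message.
if ((Get-NtAuthThumbprints) -contains $cert.Thumbprint) {
    Write-Output "Published to NTAuth: $($cert.Subject) [$($cert.Thumbprint)]"
} else {
    throw "Certificate not found in NTAuthCertificates after publishing"
}
```

Domain-joined machines pick up the new NTAuth entry through Group Policy refresh, so a client checked immediately after publishing may still lag the directory.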