Generating a KDC certificate
If there is not yet a certificate for the KDC server that you will be using, you will need to generate such a certificate.
About this task
The KDC certificate is used as part of the Kerberos PKINIT mutual authentication mechanism. If you already have a KDC certificate installed on your Active Directory Domain Controllers, there is no need to carry out the steps listed here.
Steps
- Create an .inf file containing the following information:

    [newrequest]
    subject = "CN=<hostname>"
    KeyLength = 2048
    MachineKeySet = TRUE
    Exportable = FALSE
    RequestType = PKCS10
    SuppressDefaults = TRUE

    [Extensions]
    ; Note: 2.5.29.17 is the OID for a SAN extension.
    2.5.29.17 = "{text}"
    _continue_ = "dns=<DNS hostname>"

  In the example above, <hostname> and <DNS hostname> should be replaced with the FQDN of the domain controller server, for example, servername.example.com. For more information on the contents of .inf files for the certreq command, see the certreq documentation.
- Generate a certificate signing request from your KDC server by running the command:

    certreq -new <path to the .inf file> kdc.req
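The two steps above can be scripted so that the FQDN is taken from the domain controller itself rather than typed by hand. The following PowerShell is an added example, not part of the original page or of PingOne's own tooling; it assumes an elevated session on the domain controller (MachineKeySet = TRUE requires it) and uses the temporary paths kdc.inf and kdc.req under $env:TEMP, which are assumptions. It also dumps the generated request with certreq -dump to confirm the SAN actually made it in before the request is uploaded.

```powershell
# Added example (not from the original page): build the certreq .inf for this
# domain controller from its own FQDN, generate the PKCS#10 request, and check
# that the SAN extension is present in the request before uploading it.
# Run in an elevated PowerShell session on the domain controller.

$fqdn    = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
$infPath = Join-Path $env:TEMP 'kdc.inf'   # assumed working paths
$reqPath = Join-Path $env:TEMP 'kdc.req'

# Same content as the .inf in the procedure, with the placeholders filled in.
$inf = @"
[newrequest]
subject = "CN=$fqdn"
KeyLength = 2048
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
SuppressDefaults = TRUE

[Extensions]
; 2.5.29.17 is the OID of the Subject Alternative Name extension
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn"
"@

Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the request; the private key is created in the machine key store
# and never leaves the host (Exportable = FALSE).
& certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) {
    throw "certreq -new failed with exit code $LASTEXITCODE"
}

# Sanity check: decode the request and make sure the SAN names this DC.
$dump = (& certreq.exe -dump $reqPath) -join "`n"
if ($dump -notmatch [regex]::Escape("DNS Name=$fqdn")) {
    Write-Warning "SAN 'dns=$fqdn' not found in $reqPath; check the [Extensions] section"
} else {
    Write-Host "Request written to $reqPath with SAN dns=$fqdn; upload it in the PingOne console."
}
```

The SAN check matters because PKINIT clients match the KDC certificate against the DC's DNS name; a request without the extension will still be signed, but the resulting certificate will be rejected at logon time.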
- Go to the PingOne console, and open the application that you created for passwordless Windows login.
- Click the Configuration tab of the application.
- Scroll down to the Certificate-based authentication section.
- For the KDC certificate signing request that you created earlier with the certreq command:
    - Set the number of days until the certificate should expire.
    - Click the Upload request and Issue Certificate button to have the certificate issued.

  The KDC certificate does not necessarily have to be signed by the issuance certificate that you created with PingOne. Any valid certification path will work.
- Install the KDC certificate on your server:

    certreq -accept -machine -f <KDC certificate filename>

  You must install the KDC certificate on each Active Directory Domain Controller that will be used to authenticate users with Windows Login - Passwordless.
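Because the certificate has to be present on every domain controller, it is worth verifying each one after certreq -accept rather than waiting for a failed logon. The following PowerShell is an added example, not part of the original page or of PingOne's tooling; it assumes it is run in an elevated session on the domain controller being checked and that the certificate subject is CN=<FQDN> as produced by the .inf above. The EKU OID 1.3.6.1.5.2.3.5 is the KDC Authentication purpose defined for PKINIT (RFC 4556); whether your issuing CA adds it depends on the CA, so the script reports it rather than assuming it.

```powershell
# Added example (not from the original page): confirm the KDC certificate is
# installed in the machine store with its private key, names this DC in the
# SAN, chains to a trusted root, and report whether it carries the PKINIT
# KDC Authentication EKU. Run elevated on each domain controller.

$fqdn       = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
$kdcAuthEku = '1.3.6.1.5.2.3.5'   # id-pkinit-KPKdc, KDC Authentication (RFC 4556)

# Pick the newest certificate for this DC that has a private key in LocalMachine\My.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -eq "CN=$fqdn" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with a private key and subject CN=$fqdn in LocalMachine\My; run certreq -accept first"
}

# Decode the SAN (2.5.29.17) and EKU (2.5.29.37) extensions.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

$ekus = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value }

$report = [pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    NotAfter      = $cert.NotAfter
    DaysRemaining = [int]($cert.NotAfter - (Get-Date)).TotalDays
    SanMatchesDc  = $sanText -match [regex]::Escape("DNS Name=$fqdn")
    HasKdcAuthEku = @($ekus) -contains $kdcAuthEku
    ChainValid    = $cert.Verify()   # builds the chain with the machine's trust store
}

$report | Format-List

# Surface the conditions that will make PKINIT logons fail on this DC.
if (-not $report.SanMatchesDc) { Write-Warning "SAN does not contain DNS Name=$fqdn" }
if (-not $report.ChainValid)   { Write-Warning "Certificate does not chain to a trusted root on this DC" }
if (-not $report.HasKdcAuthEku) { Write-Warning "KDC Authentication EKU ($kdcAuthEku) is absent; PKINIT clients may reject this certificate" }
if ($report.DaysRemaining -lt 30) { Write-Warning "Certificate expires in $($report.DaysRemaining) days; reissue it in PingOne" }
```

Run it on every domain controller that will serve passwordless logons; the ChainValid result is the practical check for the note above that any valid certification path is acceptable, since it is evaluated against that DC's own trust store.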