The KDC certificate is used as part of the Kerberos PKINIT mutual authentication mechanism. If you already have a KDC certificate installed on your Active Directory Domain Controllers, there is no need to carry out the steps listed here.
  1. Create an .inf file containing the following information:
            subject = "CN=<hostname>"
            KeyLength = 2048
            MachineKeySet = TRUE
            Exportable = FALSE
            RequestType = PKCS10
            SuppressDefaults = TRUE
            ;Note is the OID for a SAN extension.
   = "{text}"
            _continue_ = "dns=<DNS hostname>"
    Note: In the example above, <hostname> and <DNS hostname> should be replaced with the FQDN of the domain controller server, for example, For more information on the contents of .inf files for the certreq command, see the certreq documentation.
  2. Generate a certificate signing request from your KDC server by running the command: certreq -new '<path to the .inf file>' 'kdc.req'
  3. Go to the PingOne console, and open the application that you created for passwordless Windows login.
  4. Click the Configuration tab of the application.
  5. Scroll down to the Certificate-based authentication section.
    Win Login Passwordless - application configuration - certificate-based authentication section
  6. For the KDC certificate signing request that you created earlier with the certreq command:
    1. Set the number of days until the certificate should expire.
    2. Click the Upload request and Issue Certificate button to have the certificate issued.
    Note: The KDC certificate does not necessarily have to be signed by the issuance certificate that you created with PingOne. Any valid certification path will work.
  7. Install the KDC certificate on your server: certreq -accept -machine -f <KDC certificate filename>
    Note: You must install the KDC certificate on each Active Directory Domain Controller that will be used to authenticate users with Windows Login - Passwordless.