Generating a KDC certificate

Generating a KDC certificate - PingID

PingID Administration Guide

bundle

pingid

ft:publication_title

PingID Administration Guide

Product_Version_ce

PingID

category

Product

pingid

ContentType_ce

Page created: 5 Sep 2021 |

Page updated: 28 Jun 2022

| 2 min read

PingId Product

If there is not yet a certificate for the KDC server that you will be using, you will need to generate such a certificate.

The KDC certificate is used as part of the Kerberos PKINIT mutual authentication mechanism. If you already have a KDC certificate installed on your Active Directory Domain Controllers, there is no need to carry out the steps listed here.

Create an .inf file containing the following information:

[newrequest]
        subject = "CN=<hostname>"
        KeyLength = 2048
        MachineKeySet = TRUE
        Exportable = FALSE
        RequestType = PKCS10
        SuppressDefaults = TRUE
        [Extensions]
        ;Note 2.5.29.17 is the OID for a SAN extension.
        2.5.29.17 = "{text}"
        _continue_ = "dns=<DNS hostname>"

Note: In the example above, <hostname> and <DNS hostname> should be replaced with the FQDN of the domain controller server, for example, servername.example.com. For more information on the contents of .inf files for the certreq command, see the certreq documentation.

Generate a certificate signing request from your KDC server by running the command: certreq -new '<path to the .inf file>' 'kdc.req'
Go to the PingOne console, and open the application that you created for passwordless Windows login.
Click the Configuration tab of the application.
Scroll down to the Certificate-based authentication section.
For the KDC certificate signing request that you created earlier with the certreq command:
1. Set the number of days until the certificate should expire.
2. Click the Upload request and Issue Certificate button to have the certificate issued.
Note: The KDC certificate does not necessarily have to be signed by the issuance certificate that you created with PingOne. Any valid certification path will work.
Install the KDC certificate on your server: certreq -accept -machine -f <KDC certificate filename>

Note: You must install the KDC certificate on each Active Directory Domain Controller that will be used to authenticate users with Windows Login - Passwordless.