Creating an issuance certificate in PingOne - PingID

PingID Administration Guide

The PingID Windows Login - Passwordless solution uses Certificate-Based Authentication (CBA), so each user who will be logging in needs a certificate. This requires that you create an "issuance" certificate in PingOne and then publish that certificate to Active Directory and to the end users' computers.

  1. Create an issuance certificate in PingOne, following the instructions in Adding a certificate and key pair in the PingOne documentation. When creating the certificate, set the Usage Type to Issuance and for the Signature Algorithm select SHA256withRSA.
  2. Publish the issuance (CA) certificate to Active Directory: certutil -dspublish -f <CA certificate filename> NTAuthCA
  3. To verify that the certificate was published, run the following command and make sure that you see the CA certificate in the list: certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain name>"
  4. Import the CA certificate in the Group Policy Management Console (GPMC) in order to publish the CA certificate to end users' computers:
    1. Open the Group Policy Management Console (GPMC).
    2. Locate the relevant domain.
    3. Locate the group policy you will be using.
    4. Under Computer Configuration\Windows Settings\Security Settings\Public Key Policies, select Trusted Root Certification Authorities and import the CA certificate.
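The following PowerShell script is an added verification example, not part of the PingID documentation or the product itself. Run it on a domain-joined Windows computer after completing the steps above: it checks that the exported CA certificate has the properties required in step 1 (CA certificate, SHA256withRSA), that it is cached in the enterprise NTAuth store (steps 2 and 3), and that it has reached this computer's Trusted Root store through Group Policy (step 4). The file path is a placeholder assumption; replace it with the path of your exported issuance certificate.

```powershell
# Added example (not Ping Identity code): verify a PingOne issuance (CA) certificate
# was published correctly. Assumes the exported .cer file is at the placeholder
# path below and that the script runs on a domain-joined machine with PowerShell 5.1+.
param(
    [string]$CaCertPath = 'C:\temp\pingone-issuance.cer'   # placeholder path
)

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath

# Step 1 checks: must be a CA certificate (Basic Constraints, OID 2.5.29.19)
# and must be signed with SHA-256/RSA ("SHA256withRSA" in PingOne = sha256RSA here).
$bc = $ca.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
$isCa = ($null -ne $bc) -and $bc.CertificateAuthority
$isSha256Rsa = ($ca.SignatureAlgorithm.FriendlyName -eq 'sha256RSA')

# Steps 2-3 check: certutil dumps the locally cached enterprise NTAuth store and prints
# each certificate's SHA-1 thumbprint ("Cert Hash(sha1): ..."). Older builds insert
# spaces between hex pairs, so spaces are stripped before matching the thumbprint.
$ntAuthDump = (certutil -enterprise -store NTAuth 2>&1 | Out-String) -replace ' ', ''
$inNtAuth = $ntAuthDump -match $ca.Thumbprint

# Step 4 check: after the GPO applies (gpupdate /force), the CA certificate should be
# present in this computer's Trusted Root Certification Authorities store.
$inTrustedRoot = Test-Path "Cert:\LocalMachine\Root\$($ca.Thumbprint)"

$result = [pscustomobject]@{
    Subject        = $ca.Subject
    Thumbprint     = $ca.Thumbprint
    NotAfter       = $ca.NotAfter
    IsCaCert       = $isCa
    IsSha256Rsa    = $isSha256Rsa
    InNTAuthStore  = $inNtAuth
    InTrustedRoot  = $inTrustedRoot
}
$result | Format-List

# Any $false value above points at the step that still needs attention: re-run
# step 1 for the algorithm/usage type, step 2 for NTAuth, or step 4 (then gpupdate) for Root.
if (-not ($isCa -and $isSha256Rsa -and $inNtAuth -and $inTrustedRoot)) {
    Write-Warning 'One or more publication checks failed; see the values above.'
    exit 1
}
```

Run it in an elevated PowerShell session; a workstation that has not yet refreshed Group Policy will report InTrustedRoot as False until gpupdate /force has run.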