If there is not yet a certificate for the KDC server that you will be using, you will need to generate one.


The KDC certificate is used as part of the Kerberos PKINIT mutual authentication mechanism. If you already have a KDC certificate installed on your Active Directory Domain Controllers, you don't need to perform this task

  1. Create an .inf file containing the following information:
          subject = "CN=<hostname>"
          KeyLength = 2048
          MachineKeySet = TRUE
          Exportable = FALSE
          RequestType = PKCS10
          SuppressDefaults = TRUE
          ;Note is the OID for a SAN extension.
 = "{text}"
          continue = "dns=<DNS hostname>"

    For more information on the contents of .inf files for the certreq command, see Certreq in the Microsoft documentation.

  2. Generate a certificate signing request from your KDC server by running certreq -new '<path to the .inf file>' 'kdc.req'.
  3. In the PingOne admin console, open the application that you created for passwordless Windows login.
  4. Click the Configuration tab of the application.
  5. Scroll down to the Certificate Based Authentication section.
    Screen capture of the Certificate Based Authentication section
  6. For the KDC certificate signing request that you created previously with the certreq command:
    1. Set the number of days until the certificate should expire.
    2. Click Upload request and Issue Certificate to have the certificate issued.

      The KDC certificate does not have to be signed by the issuance certificate that you created with PingOne. Any valid certification path will work.

  7. Install the KDC certificate on your server:
    certreq -accept -machine -f <KDC certificate filename>