Creating an issuance certificate in PingOne

The PingID Windows login - passwordless solution uses certificate-based authentication (CBA), so a certificate is required for each user who will sign on. To support this, create an issuance certificate in PingOne and then publish the certificate.

  1. Create an issuance certificate in PingOne.

    See Adding a certificate and key pair in the PingOne documentation.

  2. Publish the issuance (CA) certificate to Active Directory (AD):
    certutil -dspublish -f <CA certificate filename> NTAuthCA
  3. To verify that the certificate was published, run the following command and make sure that you see the CA certificate in the list:
    certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain name>"
  4. Import the CA certificate in the Group Policy Management Console (GPMC) to publish the CA certificate to end users' computers:
    1. Open the Group Policy Management Console (GPMC).
    2. Locate the relevant domain.
    3. Locate the group policy that you'll be using.
    4. In the Public Key Policies section, select Trusted Root Certification Authorities and import the CA certificate.
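
The check below is an added example, not part of the original PingOne guide: it confirms by thumbprint that the CA certificate from steps 2-4 is in the AD NTAuth store and in the local computer's Trusted Root store. It assumes a domain-joined computer where the group policy has already applied; the CaCertPath parameter and the output property names are hypothetical.

```powershell
using namespace System.Security.Cryptography.X509Certificates

param(
    [Parameter(Mandatory)]
    [string]$CaCertPath    # assumed: path to the exported PingOne CA certificate (.cer)
)

# Load the certificate file that was passed to certutil -dspublish.
$ca = [X509Certificate2]::new((Resolve-Path $CaCertPath).Path)

# 1. NTAuth store in AD: read the cACertificate values from the
#    NTAuthCertificates object in the forest's configuration partition
#    (the same object the certutil -viewstore command displays).
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext
$ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"

$published = @(foreach ($raw in $ntAuth.Properties['cACertificate']) {
    [X509Certificate2]::new([byte[]]$raw)
})
$inNtAuth = $published.Thumbprint -contains $ca.Thumbprint

# Every CA in NTAuth is trusted to issue logon certificates for the forest,
# so list all entries and review anything unexpected or expired.
$published |
    Select-Object Subject, Thumbprint, NotAfter |
    Format-Table -AutoSize |
    Out-Host

# 2. Local computer: the GPO import should have placed the CA certificate
#    in Trusted Root Certification Authorities.
$inRoot = Test-Path "Cert:\LocalMachine\Root\$($ca.Thumbprint)"

# Summary object; all property names here are this example's own.
[pscustomobject]@{
    Subject       = $ca.Subject
    Thumbprint    = $ca.Thumbprint
    NotAfter      = $ca.NotAfter
    Expired       = $ca.NotAfter -lt (Get-Date)
    InNTAuthStore = $inNtAuth
    InTrustedRoot = $inRoot
}
```

If InTrustedRoot is false on a client, run gpupdate /force and check again before troubleshooting the policy itself.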