Hello Duy,
right, Kerberos uses your Windows Domain Controller as trusted instance, and SSL/TLS requires a PKI to establish trust.
Secure Login Server can act as your SSO landscape PKI trust center. In SLS Admin Console, you can either issue PKCS#12 files or, and this is recommended, sign your ABAP server´s certification request which you got from STRUST.
-- Stephan