Certificate Authority Validation Period for Templates
I've got a root CA installed using Windows Server 2008 R2 along with an intermediate CA. I've extended the validation period on each server to 10 years, and have verified this. I've set up a new certificate template, and verified that its validation period is set to 10 years. However, when I do request a certificate, it only assigns it for 3 years (actually, it's like 2 years and 10 months). I can't seem to find the problem. Has anyone run into this before?
January 31st, 2011 6:30pm

Hello, please post in the Security forum. http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads Thanks
January 31st, 2011 7:51pm

Hi, please note that a CA cannot issue a certificate with a longer validity period than its own CA certificate. The following article could be helpful for your work: How to change the expiration date of certificates that are issued by a Windows Server 2003 or a Windows 2000 Server Certificate Authority http://support.microsoft.com/kb/254632
This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
February 3rd, 2011 1:47am

Thanks, so my root CA definitely seems to be the issue. When I renew that certificate though, it won't renew for more than 5 years. I've already extended the validation period via command line and verified registry settings. Is there some other setting that needs to change? It looks like the root certificate authority is generating a cert from the Cross Certification Authority template. I also tried modifying that to a longer period, but no change.
February 4th, 2011 5:49pm

I think you need to verify *all* settings that affect the validity period of the issued certificates:
1) The remaining validity period of the root CA certificate. As Joson stated, you cannot issue a certificate beyond the remaining lifetime of the issuing CA.
2) Are you sure you have checked the settings? Can you please post what the values are for:
certutil -getreg ca\ValidityPeriod
certutil -getreg ca\ValidityPeriodUnits
3) What is the validity period for the Subordinate CA and the Cross Certification Authority templates? If this is an enterprise CA, a normally submitted request would use SubCA, not Cross CA.
Somewhere in these settings is your issue.
Brian
February 4th, 2011 8:16pm

The SubCA template is using 5 years, and cannot be changed. If I duplicate the template, and enable it, the root Enterprise CA still renews with a 5 year certificate. It doesn't ask me which template I'd like to use. Is there another process that I should be using for the Root CA when trying to renew/extend the root certificate lifetime?
February 9th, 2011 7:39pm

Have you made the correct settings in the capolicy.inf? It must define the renewal validity period. The pertinent lines are (for example, renewing at 20 years; the unit word goes in RenewalValidityPeriod and the count in RenewalValidityPeriodUnits):
[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
Brian
February 9th, 2011 8:27pm

No, I did not realize that was a requirement. I will make the change and test again later this evening. I'll report back then.
February 10th, 2011 11:43am

Ok, progress! The above worked for my root CA, but it doesn't work for my intermediate CAs. I've made sure that the new root CA has propagated to the intermediate authorities. Here is the capolicy file on the intermediate CAs. Is there something I need to change here?
[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=AllIssuancePolicy
Critical=FALSE
[AllIssuancePolicy]
OID=2.5.29.32.0
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=15
February 10th, 2011 9:40pm

The renewal period on a subordinate CA is the lesser of:
1) The requested renewal period in the subordinate CA's capolicy.inf file
2) The combination of ValidityPeriod and ValidityPeriodUnits at the parent CA
3) The remaining lifetime of the certificate at the parent CA
4) The validity period of the Subordinate CA certificate template (if you are using an enterprise root CA)
My guess is that either item 2 or item 4 is the cause of your problem.
Brian
February 10th, 2011 10:37pm
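The two posts above from Brian (the certutil -getreg checklist and the "lesser of four" rule) lend themselves to a script that collects all four values and reports which one is actually binding. The PowerShell below is an added example and not code from the thread or from Microsoft: it is meant to run on the parent CA as an administrator, reading the parent's ValidityPeriod/ValidityPeriodUnits from the CertSvc registry key, the parent CA certificate's remaining lifetime via certutil -ca.cert, the child's RenewalValidityPeriod settings from a copy of its capolicy.inf, and (for an enterprise parent) the template validity from the pKIExpirationPeriod attribute in the Configuration partition. The file path C:\PKI\SubCA01-capolicy.inf and the template name SubCA in the usage line are assumed; year and month lengths are approximated in days so the four figures can be compared.

```powershell
# Added example, not from the original thread. Collects the four values that
# bound a subordinate CA's renewal period and reports which one is the limit.
# Run on the PARENT CA as an administrator; the CHILD CA's capolicy.inf is
# read from a copied file. Paths and template name in the usage line are assumed.

function Convert-PeriodToDays {
    # certutil -getreg and capolicy.inf express a period as a unit word plus a count.
    param([string]$Unit, [int]$Count)
    switch -Regex ($Unit) {
        '^Hours?$'  { return $Count / 24 }
        '^Days?$'   { return $Count }
        '^Weeks?$'  { return $Count * 7 }
        '^Months?$' { return $Count * 30 }   # approximation; AD CS uses calendar months
        '^Years?$'  { return $Count * 365 }  # approximation; AD CS uses calendar years
        default     { throw "Unknown period unit '$Unit'" }
    }
}

function Get-ParentRegistryPeriodDays {
    # Item 2: ValidityPeriod / ValidityPeriodUnits of the parent CA, the same values
    # that 'certutil -getreg ca\ValidityPeriod' and 'ca\ValidityPeriodUnits' print.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $active = (Get-ItemProperty -Path $cfg).Active          # name of the running CA
    $ca     = Get-ItemProperty -Path (Join-Path -Path $cfg -ChildPath $active)
    Convert-PeriodToDays -Unit $ca.ValidityPeriod -Count $ca.ValidityPeriodUnits
}

function Get-ParentCertRemainingDays {
    # Item 3: remaining lifetime of the parent CA's own certificate.
    $tmp = Join-Path -Path $env:TEMP -ChildPath 'parent-ca.cer'
    certutil -ca.cert $tmp | Out-Null                        # exports the current CA certificate
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $tmp
    Remove-Item -Path $tmp
    ($cert.NotAfter - (Get-Date)).TotalDays
}

function Get-CapolicyRenewalDays {
    # Item 1: RenewalValidityPeriod / RenewalValidityPeriodUnits in the child's capolicy.inf.
    param([string]$Path)
    $ini   = Get-Content -Path $Path
    $unit  = ($ini | Select-String -Pattern '^\s*RenewalValidityPeriod\s*=\s*(\w+)').Matches[0].Groups[1].Value
    $count = ($ini | Select-String -Pattern '^\s*RenewalValidityPeriodUnits\s*=\s*(\d+)').Matches[0].Groups[1].Value
    Convert-PeriodToDays -Unit $unit -Count ([int]$count)
}

function Get-TemplateValidityDays {
    # Item 4 (enterprise parent only): validity of the template the request is
    # submitted against, read from pKIExpirationPeriod in the Configuration partition.
    param([string]$TemplateName)
    $rootDse = [ADSI]'LDAP://RootDSE'
    $cfgNc   = $rootDse.Properties['configurationNamingContext'].Value
    $tmpl    = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
    # Stored as the negation of a little-endian 64-bit count of 100 ns intervals.
    $bytes   = [byte[]]$tmpl.Properties['pKIExpirationPeriod'].Value
    $ticks   = [BitConverter]::ToInt64($bytes, 0)
    [TimeSpan]::FromTicks(-$ticks).TotalDays
}

function Get-EffectiveRenewalPeriod {
    param([string]$ChildCapolicyPath, [string]$TemplateName)
    $limits = [ordered]@{
        'child capolicy.inf'          = Get-CapolicyRenewalDays -Path $ChildCapolicyPath
        'parent ValidityPeriod (reg)' = Get-ParentRegistryPeriodDays
        'parent CA cert remaining'    = Get-ParentCertRemainingDays
    }
    if ($TemplateName) {
        $limits['template validity'] = Get-TemplateValidityDays -TemplateName $TemplateName
    }
    foreach ($entry in $limits.GetEnumerator()) {
        '{0,-30} {1,8:N0} days' -f $entry.Key, $entry.Value
    }
    $binding = $limits.GetEnumerator() | Sort-Object -Property Value | Select-Object -First 1
    'Effective renewal period: {0:N0} days, bounded by {1}' -f $binding.Value, $binding.Key
}

# Usage (assumed path and name): enterprise parent, request submitted against the SubCA template.
Get-EffectiveRenewalPeriod -ChildCapolicyPath 'C:\PKI\SubCA01-capolicy.inf' -TemplateName 'SubCA'
```

The smallest row in the output is the one that explains a short renewal. In the situation described in this thread, where capolicy.inf and the registry were already raised and the root had been renewed, the script would point at the template row, matching Brian's diagnosis.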

It sounds like my issue is number 4. I cannot change the length of the Subordinate CA template. It's greyed out, and if I create a new template that duplicates that one, I'm never prompted to use it. 1-3 are definitely not the issue. How can I resolve number 4?
February 10th, 2011 11:03pm

You will need to create a V2 certificate template (based on the Subordinate CA V1 certificate template) and extend its validity period. I usually do not recommend using an enterprise CA as the root CA. Best practice prescribes using a standalone CA. Brian
February 11th, 2011 7:23am

I've already done that. I've got a second template, but when I renew the certificate from the sub CA, it doesn't prompt me to use that template, it just uses the other. And why would you use a standalone instead of an Ent CA?
February 11th, 2011 11:36am

Please google for PKI best practices or read my book. Too long of an answer for this forum. Brian
February 11th, 2011 11:39am

I will do that today. But what about the Sub CA issue? How does it know to pick up on the new template I created? It doesn't seem to recognize it.
February 11th, 2011 12:03pm

You need to submit the request and designate the certificate template. You can use certreq -submit and designate the certificate template name along with the request file. Brian
February 11th, 2011 12:35pm
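The certreq -submit approach Brian describes, written out as an added PowerShell example (not code from the thread or from Microsoft). It assumes the renewal request has already been saved to a .req file on the subordinate CA, that the parent is an enterprise CA, and that the V2 duplicate of the Subordinate Certification Authority template is named SubCA10Year with a 10-year validity; the parent config string ROOTCA01.contoso.com\Contoso Root CA and the C:\PKI paths are assumed as well. The request attribute CertificateTemplate:<name> is what makes the parent use the duplicate instead of the built-in SubCA template, and the template must be in the parent's issue list before that attribute is honoured.

```powershell
# Added example, not from the original thread. Renews a subordinate CA's
# certificate against a NAMED template on an enterprise parent CA instead of
# letting the console wizard pick the template. Machine, CA, template and
# file names are assumed. Step 1 runs on the parent, step 2 on any machine
# that can reach it, step 3 on the subordinate CA; all need admin rights.

$ParentConfig = 'ROOTCA01.contoso.com\Contoso Root CA'   # "Machine\CA common name" of the parent
$Template     = 'SubCA10Year'          # template *name* (not display name) of the V2 duplicate
$Request      = 'C:\PKI\SubCA01.req'   # renewal request saved from the subordinate CA
$Issued       = 'C:\PKI\SubCA01.cer'

# Step 1 (parent CA): an enterprise CA issues only templates in its issue list,
# so the duplicated template has to be added there before it can be requested.
function Publish-TemplateOnParent {
    certutil -config $ParentConfig -SetCATemplates "+$Template"
    if ($LASTEXITCODE -ne 0) { throw "Could not publish $Template on $ParentConfig" }
}

# Step 2: submit the saved request, forcing the template with the
# CertificateTemplate request attribute. If the parent holds requests as
# pending, certreq prints a request ID; issue it on the parent and fetch it
# with: certreq -retrieve -config $ParentConfig <RequestId> $Issued
function Submit-RenewalWithTemplate {
    certreq -submit -config $ParentConfig -attrib "CertificateTemplate:$Template" $Request $Issued
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed for $Request" }
}

# Check the issued certificate before installing it: it must be a CA
# certificate and carry the validity the template was configured for.
function Test-IssuedCaCert {
    param([string]$Path, [int]$ExpectedYears)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $bc    = $cert.Extensions | Where-Object {
                 $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $years = ($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25
    '{0}  CA={1}  valid {2:N1} years ({3:d} to {4:d})' -f $cert.Subject, $bc.CertificateAuthority,
        $years, $cert.NotBefore, $cert.NotAfter
    if (-not $bc -or -not $bc.CertificateAuthority) { throw 'Issued certificate is not a CA certificate' }
    if ($years -lt ($ExpectedYears - 0.1)) {
        throw "Validity of $([math]::Round($years, 1)) years is shorter than the $ExpectedYears years requested"
    }
}

# Step 3 (subordinate CA): install the renewed certificate against the CA's
# existing key and restart the service so it signs with the new certificate.
function Install-RenewedCaCert {
    certutil -installCert $Issued
    if ($LASTEXITCODE -ne 0) { throw "certutil -installCert failed for $Issued" }
    Restart-Service -Name CertSvc
}

# Where each step runs:
#   parent CA:       Publish-TemplateOnParent
#   admin station:   Submit-RenewalWithTemplate; Test-IssuedCaCert -Path $Issued -ExpectedYears 10
#   subordinate CA:  Install-RenewedCaCert
```

If Test-IssuedCaCert reports a shorter validity than the template asked for, one of the other three limits from Brian's list (the parent's ValidityPeriod registry values or the remaining lifetime of the parent's own certificate) is still the binding one, and installing the certificate only postpones the problem.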

If we have a certificate template with a validity period of 1 year, is it possible to supply a different (lesser) validity period like 6 months or 8 months on a per-certificate basis while generating the certificate? That is, generate certificates with a custom validity period which is less than one year.
March 1st, 2011 11:37am
