Certificate Expiration is set for only 1 year for issued certificates in a Windows 2008 Active Directory environment.
When I open certificates I have created, they don't expire for 60 years as designed. When I created my duplicate templates in Windows 2008 Certificate Services, my duplicate templates are set for 60 years for computers as designed.
When I deploy my certificate with my templates, the workstations and servers show they are only valid for one year?
What gives?
I also noticed, when I ran certutil -dspublish on my root certificate and set it as my trusted Root CA in Group Policy Trusted Root Authorities, that my domain controllers only have 1 year before the cert must be renewed. I want this to be 60 years as well.
How do I fix this?
September 20th, 2011 11:10pm
1. 60 years is way, way too long (even with really long keys).
2. What is the validity period of your CA's certificate? A CA cannot issue certificates beyond its remaining validity period. So even if you build it with a 60 year validity period, after one year it can only issue certificates valid for 59 years. After two years, it can only issue 58 year valid certificates (hypothetically of course).
3. You need to run two commands to change what I call the governor on the CA:
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\ValidityPeriodUnits 60
then restart Certificate Services.
May I recommend something more typical, such as a five year max (for high assurance certificates) and two years for the certificates you have described (for computers and DCs).
Brian
September 21st, 2011 3:26am
Validity period for my CA is 65 years. If I open my certificate, it shows an expiration date 60 years out.
When I published my Root Certificate to AD with certutil -dspublish and added it to my Trusted Root Authority Certificates in Group Policy (probably didn't need to do both, as I understand it), I opened Certificate Authority in MMC and looked under Issued Certificates. My domain controllers showed up, but with an expiration date of just one year. I expected 60 years, not one year.
I created duplicate templates from my Computer template, set the validity period to 20 years and the renewal period to 10 years. I then created a Global group, assigned several computers to the template and published the template to AD. On my workstation, as a test, I opened MMC and Certificates, then requested a certificate from the template I assigned to it. I then checked Issued Certificates on my CA, and these workstations showed a one year expiration date, not 20 years.
If the certificates would renew automatically at the end of a year then I guess it would not matter, but I did not expect to see just one year before they expire.
Do I need to publish anything for the CRL?
I am trying to make sure I get these issues settled before I create a self-signed SSL certificate for my Windows 2003 server running Tomcat 6 that my workstations will access. I have the Tomcat 6 document relating to generating a request from the command line, having my CA sign it and then reimporting it. Since this will be a major production server, I don't want things expiring in a year with end users calling me because they cannot connect to the server. I want something in place that does not expire for 5 years.
September 21st, 2011 6:57am
On Wed, 21 Sep 2011 03:57:16 +0000, Lanman777 wrote:
If the certificates would renew automatically at the end of a year then I guess it would not matter, but I did not expect to see just one year before they expire.
Do I need to publish anything for the CRL?
Brian has already provided you with the answer.
The maximum validity of an issued certificate is the lesser of:
1. The remaining validity period of the parent CA's certificate.
2. The validity period in the certificate template (if using an Enterprise CA).
3. The validity period in the registry on the CA.
And Brian is correct, 60 years is far too long a validity period.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Hackers have kernel knowledge.
September 21st, 2011 11:49am
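The "lesser of three" rule Paul and Brian describe, worked through with the numbers from this thread (CA certificate 65 years, template 20 years, registry cap 1 year and then 10 years). This is an added illustration, not anything posted in the thread; the unit-to-days table is an approximation for the units certutil accepts, and the scenario values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Approximate lengths for the units certutil accepts in CA\ValidityPeriod.
# (Assumption: a year is taken as 365 days and a month as 30 days.)
UNIT_DAYS = {"Days": 1, "Weeks": 7, "Months": 30, "Years": 365}


@dataclass
class Estimate:
    not_after: datetime
    days: int             # lifetime of the issued certificate, counted from `now`
    limiting_factor: str  # which of the three caps actually applied


def registry_cap(period: str, units: int) -> timedelta:
    """CA\\ValidityPeriod (e.g. "Years") plus CA\\ValidityPeriodUnits (e.g. 10) as a timedelta."""
    return timedelta(days=UNIT_DAYS[period] * units)


def estimate_issued_validity(now, ca_not_after, template_period, registry_period):
    """Issued-cert NotAfter is the earliest of: the CA certificate's own NotAfter,
    now + template validity, and now + the registry cap (ValidityPeriod/Units)."""
    candidates = {
        "remaining validity of the CA certificate": ca_not_after,
        "certificate template": now + template_period,
        "CA registry ValidityPeriod/ValidityPeriodUnits": now + registry_period,
    }
    factor, not_after = min(candidates.items(), key=lambda kv: kv[1])
    return Estimate(not_after, (not_after - now).days, factor)


def thread_scenarios():
    """Constructed scenarios using this thread's figures: CA cert 65 years, template 20 years."""
    now = datetime(2011, 9, 21)
    ca_not_after = now + registry_cap("Years", 65)
    template = registry_cap("Years", 20)
    return {
        # registry cap of 1 year: the one-year certificates the poster was seeing
        "registry_1y": estimate_issued_validity(now, ca_not_after, template, registry_cap("Years", 1)),
        # after `certutil -setreg CA\ValidityPeriodUnits 10` and a service restart
        "registry_10y": estimate_issued_validity(now, ca_not_after, template, registry_cap("Years", 10)),
        # a CA whose own certificate expires in two years cannot issue anything longer
        "ca_expiring": estimate_issued_validity(now, now + registry_cap("Years", 2), template, registry_cap("Years", 10)),
    }


if __name__ == "__main__":
    for name, est in thread_scenarios().items():
        print(f"{name}: {est.days} days, limited by the {est.limiting_factor}")
```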
Ok, thanks, I really appreciate it! I will run the following commands on my Issuing CA server on my domain:
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\ValidityPeriodUnits 10
then restart Certificate Services.
Since I went with the 2-tiered approach, creating the Root CA on a stand-alone server and then setting up an Enterprise CA on my domain as my issuing CA, what I don't understand is, after running the above commands, how (if at all) this comes into play with my stand-alone CA that I created my Root CA on? I just leave it off and run the above commands on my domain?
September 23rd, 2011 5:06am
No, you run the command on each CA. It affects the registry of the CA that you run the command on.
So, if you want the 2nd tier to have a 15 year validity period, you would run
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\ValidityPeriodUnits 15
prior to submitting the renewal request for the subordinate CA certificate.
Brian
September 23rd, 2011 7:07am