Certificates fact checking
Hello,
I have been tasked with finding a way to re-issue our smart card certificates.
First, our smart card certificates are based off of the built-in smart card user template. My understanding is that a version 1 template cannot be renewed. Instead, I need to supersede the template with a version 2 template and enable autoenrollment. Is this correct?
Secondly, our smart card CA cert is set to expire soon. We would like to get a CA cert with a longer validity period. The question here is twofold: is it possible to renew a cert to have a longer validity period? Or do we have to re-make the cert? Also, in the event of having to re-make the cert, is it possible to have two CA certs on the same CA? I ask because if it is not, autoenrollment doesn't appear to be an option, as we will have to revoke the current CA cert, rendering the existing smart card certs invalid. It is my understanding that using the pre-existing valid cert to sign the new cert is a dependency of autoenrollment. Is this correct?
Any input is greatly appreciated. Thank you!
January 14th, 2011 10:32am
> First, our smart card certificates are based off of the built-in smart card user template. My understanding is that a version 1 template cannot be renewed. Instead, I need to supersede the template with a version 2 template and enable autoenrollment. Is this correct?
Yes. Don't forget to assign the Autoenroll permission on the new custom template.
> is it possible to renew a cert to have a longer validity period?
Yes, it is possible.
For Root CAs:
Create (or modify the existing) CAPolicy.inf file in the %systemroot% folder on the CA server. Create (or locate the existing) section named [certsrv_server]. Create (or modify the existing) parameters as follows:
[certsrv_server]
RenewalValidityPeriodUnits = 10
RenewalValidityPeriod = years
For intermediate CAs:
make the following change on upper-level CA:
certutil -setreg ca\ValidityPeriod Years
certutil -setreg ca\ValidityPeriodUnits 10
If it is an Enterprise CA, you additionally need to modify the Root Certification Authority template in the General tab. In the given examples, the new CA certificate validity period is expected to be 10 years.
After this, right-click the required CA (in the certsrv.msc MMC snap-in), click All Tasks and click Renew CA Certificate.
http://en-us.sysadmins.lv
January 15th, 2011 10:27am
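As an added example (not code from the reply above or from Microsoft), here is a PowerShell script for the root-CA part of that procedure: it creates or updates the [certsrv_server] section of CAPolicy.inf so the two renewal keys are set exactly once (running it twice does not duplicate them), keeps a backup of the previous file, and then prints the CA's current ValidityPeriod registry values with certutil -getreg so you can compare them with what the reply sets for a subordinate CA's parent. The Set-IniValue helper, the parameter names and the .bak path are this example's own assumptions; the INI keys, units and certutil syntax are the ones in the reply.

```powershell
# Added example, not code from the original thread: prepare a root CA for the renewal
# described in the reply by making sure CAPolicy.inf carries the [certsrv_server]
# renewal settings. Run elevated on the CA server before "Renew CA Certificate".
# The Set-IniValue helper, the parameter names and the .bak path are this example's
# own assumptions; the INI keys and certutil syntax are the ones from the reply.
param(
    [int]    $RenewalValidityPeriodUnits = 10,
    [ValidateSet('Years', 'Months', 'Weeks', 'Days')]
    [string] $RenewalValidityPeriod = 'Years',
    [string] $CAPolicyPath = (Join-Path $env:SystemRoot 'CAPolicy.inf')
)

function Set-IniValue {
    # Return the INI lines with "$Key = $Value" set inside [$Section]: the section is
    # created if absent and an existing key is replaced, so the script is idempotent.
    param([string[]] $Lines, [string] $Section, [string] $Key, [string] $Value)
    if (-not $Lines) { $Lines = @() }
    $out    = [System.Collections.Generic.List[string]]::new([string[]] $Lines)
    $header = "[$Section]"
    $start  = -1
    for ($i = 0; $i -lt $out.Count; $i++) {
        if ($out[$i].Trim() -ieq $header) { $start = $i; break }
    }
    if ($start -lt 0) {
        # Section missing: append it (after a blank separator line) at the end of the file.
        if ($out.Count -gt 0 -and $out[$out.Count - 1].Trim() -ne '') { $out.Add('') }
        $out.Add($header)
        $out.Add("$Key = $Value")
        return $out.ToArray()
    }
    # The section ends at the next [header] or at end of file.
    $end = $out.Count
    for ($i = $start + 1; $i -lt $out.Count; $i++) {
        if ($out[$i].Trim() -match '^\[.+\]$') { $end = $i; break }
    }
    # Replace the key in place if it already exists, otherwise add it at the section's end.
    $keyPattern = '^\s*' + [regex]::Escape($Key) + '\s*='
    for ($i = $start + 1; $i -lt $end; $i++) {
        if ($out[$i] -match $keyPattern) {
            $out[$i] = "$Key = $Value"
            return $out.ToArray()
        }
    }
    $out.Insert($end, "$Key = $Value")
    return $out.ToArray()
}

$existing = if (Test-Path $CAPolicyPath) { @(Get-Content -Path $CAPolicyPath) } else { @() }
$updated  = Set-IniValue -Lines $existing -Section 'certsrv_server' `
                         -Key 'RenewalValidityPeriodUnits' -Value $RenewalValidityPeriodUnits
$updated  = Set-IniValue -Lines $updated  -Section 'certsrv_server' `
                         -Key 'RenewalValidityPeriod'      -Value $RenewalValidityPeriod

# Keep a copy of the previous policy file, then write the new one as plain ASCII text.
if (Test-Path $CAPolicyPath) {
    Copy-Item -Path $CAPolicyPath -Destination "$CAPolicyPath.bak" -Force
}
Set-Content -Path $CAPolicyPath -Value $updated -Encoding ASCII
Write-Output "Updated ${CAPolicyPath}:"
Get-Content -Path $CAPolicyPath

# For comparison, show the CA's current ValidityPeriod registry values. These are the
# settings the reply changes on the parent CA when a subordinate CA is being renewed.
certutil -getreg ca\ValidityPeriod
certutil -getreg ca\ValidityPeriodUnits
```

The script only prepares the policy file; the renewal itself is still the manual step from the reply (certsrv.msc, All Tasks, Renew CA Certificate), which is when certsrv reads CAPolicy.inf. Keeping the .bak copy makes it easy to confirm afterwards that nothing outside [certsrv_server] changed.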
Vadims,
Thank you so much!
January 17th, 2011 9:01am