Change Enterprise CA Trusted Root Cert lifespan?
Is there a way to change the lifespan of the trusted root certificate issued by my Enterprise CA once it's already up and running? Right now it's set up for 2 years and I want to change it to 5. I know I would probably have to re-issue the trusted root cert to the clients that already have it, but this project is at a very early stage right now, so that wouldn't be too much of a problem. Would I have to re-install the CA or can I just change it? Once I've done that, can I also create a template for a Client Authentication certificate that is also valid for 5 years? Thanks
July 23rd, 2009 5:38pm

Yes. By implementing a CAPolicy.inf file, you can set the renewal period to be a period of 5 or more years. The issue with just setting it to five years is that all client certificates are limited to the remaining lifetime of the CA certificate. For example, after 1 year, you could only issue client certs with a 4 year validity period. The day after, it would be a 3 years, 364 days validity period.

The following CAPolicy.inf would allow you to renew the CA certificate with a 10 year validity period, using a 2048 bit key.

[Version]
Signature="$Windows NT$"

[certsrv_server]
renewalkeylength=2048
RenewalValidityPeriodUnits=10
RenewalValidityPeriod=years

For the five year certificate, you could duplicate Authenticated Session and allow a five year validity period. In addition, you would need to change the configuration of the CA to allow five year validity period certificates. A local Administrator would need to run the following commands at a command prompt.

certutil -setreg ca\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"
net stop certsvc && net start certsvc

Brian
July 23rd, 2009 6:47pm

Thanks for the quick response... So to make the changes above, I would create a file CAPolicy.inf with only the above text and put it in the C:\Windows directory. Then I would run the three command-line commands you listed and I'd be ready to create my new 5-year client certificate template? Also, is there any downside to using a 4096 key length instead of 2048?
July 23rd, 2009 10:08pm

Hi Tim,

As of a few years back, you should be cautious using a 4096 key on the root CA server. The reason for this is/was that configuring a key length of 4096 bits may cause compatibility problems. Certain devices, for example some routers, and some older software from other vendors (like old Java versions) cannot process keys over a certain size. So if you know that the PKI is only used with newer equipment and software, that key can be used. Personally I'm still using a 2048 on the root CA and keep it offline, and then I use a higher key on the Issuing CA.

My CAPolicy file looks like this (some of the entries are not necessary in Win2K8 and some are implemented implicitly if not stated):

[Version]
Signature="$Windows NT$"

[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True

[PolicyStatementExtension]
Policies=AllIssuancePolicy

[AllIssuancePolicy]
OID=2.5.29.32.0

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Months
CRLPeriodUnits=6
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
CRLOverlapPeriod=Days
CRLOverlapUnits=10

Best Regards,
Bendji
July 24th, 2009 10:20am
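An added example, not posted by anyone in this thread, that ties Brian's and Bendji's answers together: once CAPolicy.inf has been applied, the CA certificate renewed, and the certutil -setreg values changed, this PowerShell script (run as a local Administrator on the CA host, Windows PowerShell 5.1 assumed) reads the CA's ValidityPeriod registry cap, exports the CA's own certificate, and reports the validity a certificate requested against a 5-year template would actually receive, which is the shortest of the template period, the registry cap and the remaining lifetime of the CA certificate. It also reports the CA key size and whether the CA certificate carries CDP/AIA extensions, which is what Bendji's Empty=True sections suppress on a root. The function name and the temporary file path are this example's own choices.

```powershell
# Added example (not from the thread). Requires a local Administrator on the CA.
# Assumption: Windows PowerShell 5.1 with certutil.exe available on the CA host.

function Get-CaValidityReport {
    [CmdletBinding()]
    param(
        # Validity the duplicated template (e.g. Authenticated Session) will request.
        [int]$TemplateYears = 5
    )

    # The active CA's settings live under Configuration\<CA name>; the
    # "Active" value names that CA. These are the keys Brian sets with
    # certutil -setreg CA\ValidityPeriod and CA\ValidityPeriodUnits.
    $cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active
    $reg    = Get-ItemProperty -Path (Join-Path $cfgKey $caName)

    $capYears = switch ($reg.ValidityPeriod) {
        'Years'  { $reg.ValidityPeriodUnits }
        'Months' { $reg.ValidityPeriodUnits / 12 }
        'Weeks'  { $reg.ValidityPeriodUnits / 52 }
        'Days'   { $reg.ValidityPeriodUnits / 365 }
        default  { throw "Unexpected ValidityPeriod value '$($reg.ValidityPeriod)'" }
    }

    # Export the CA's current certificate (-f overwrites an old export) and
    # load it to read NotAfter, key size and extensions.
    $cerPath = Join-Path $env:TEMP 'ca-cert-check.cer'   # example path, not a fixed location
    certutil.exe -f -ca.cert $cerPath | Out-Null
    $caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
    $remainingYears = ($caCert.NotAfter - (Get-Date)).TotalDays / 365.25

    # OID 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Info Access.
    $cdp = $caCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $aia = $caCert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }

    # The CA issues the shortest of: template period, registry cap, time left on its own cert.
    $effective = ($TemplateYears, $capYears, $remainingYears | Measure-Object -Minimum).Minimum

    [pscustomobject]@{
        CAName            = $caName
        CACertNotAfter    = $caCert.NotAfter
        CAKeySizeBits     = $caCert.PublicKey.Key.KeySize
        HasCDPExtension   = [bool]$cdp
        HasAIAExtension   = [bool]$aia
        RegistryCapYears  = $capYears
        TemplateYears     = $TemplateYears
        EffectiveMaxYears = [math]::Round($effective, 2)
    }
}

# Usage: shows, for example, that a 5-year template on a CA whose own
# certificate expires in 3.5 years yields 3.5-year certificates.
Get-CaValidityReport -TemplateYears 5 | Format-List
```

If EffectiveMaxYears is smaller than TemplateYears, either the registry cap is still at its old value (re-run the certutil -setreg commands and restart certsvc) or the CA certificate itself has not been renewed with a long enough RenewalValidityPeriod, which is exactly the limitation Brian describes.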
