Hi, I wanted to issue user certificate from CA and got error: Error Constructing or Publishing Certificate The certificate validity period will be shorter than the User Certificate Template specifies, because the template validity period is longer than the maximum certificate validity period allowed by the CA. Consider renewing the CA certificate, reducing the template validity period, or increasing the registry validity period We use online ent CA, how to solve this issue? Will it help if I change "ValidityPeriodUnits" in registry? thanks aurimas

please show us the output of the following commands: certutil -getreg ca\validityperiodunits certutil -getreg ca\validityperiod And what is validity period of the certificate template?My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com

ValidityPeriodUnits REG_DWORD = 2 CertUtil: -getreg command completed successfully. ValidityPeriod REG_SZ = Years CertUtil: -getreg command completed successfully. Validity period of the certificate template is 1 year. But on "Enterprise KPI" I see CA Certificate expiration date 2012.02.01, so it is less then in 1 year, maybe that's why I got this error. Is any way to change expiration date? thanks aurimas

Yes, that is why you got the error. Three things determine the validity period of an issued certificate: 1. The validity period of the CA's certificate 2. The ValidityPeriodUnits and ValidityPeriod reg keys 3. The template itself If the CA certificate is due to expire next month, then no certificates can be issued that are valid longer than one month. So, in your case your CA's certificate expires in less than one year, so no certificate can be issued with a validity period greater than 2012.02.01. In order to resolve this, you need to renew the CA's certificate: Creating a Certificate Renewal Strategy http://technet.microsoft.com/en-us/library/cc772847(WS.10).aspx Renew a subordinate certification authority http://technet.microsoft.com/en-us/library/cc776691(WS.10).aspx Thanks!