How to change root certificate key's length and validity period
Hi Gents, I have a two-tier Windows 2003 CA. At the moment the root and sub-root certs have 1024-bit keys and a 2-year validity period. Is there a way to change the root cert's key length up to 2048 and its validity period up to 10 years? I would like to do it before these certs expire and are renewed. How do I do it? Can you please shed some light on it, or direct me to good articles? Thanks
February 1st, 2010 7:15pm

You will need to create or edit the existing CAPolicy.inf file and put in the following strings:

[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriodUnits=10
RenewalValidityPeriod=Years

Place the CAPolicy.inf file in the %systemroot% folder. If your Root CA is standalone, make sure the validity period for issued certificates is set to at least 10 years:

certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

When you renew the CA certificate, select new key generation.
http://www.sysadmins.lv
February 1st, 2010 9:47pm

> If your Root CA is standalone, make sure the validity period for issued certificates is set to at least 10 years:
> certutil -setreg CA\ValidityPeriodUnits 10
> certutil -setreg CA\ValidityPeriod "Years"
> When you renew the CA certificate, select new key generation.
> http://www.sysadmins.lv

This is not required, as it only affects certs that the CA issues (that is, SubCA certs), not the lifetime of renewals for the root CA cert.
Paul Adare CTO IdentIT Inc. ILM MVP
February 1st, 2010 10:08pm

Yes, I know. This is necessary to issue a certificate for the subordinate CA from a standalone CA for the required period.
http://www.sysadmins.lv
February 1st, 2010 10:27pm

Thanks Gents. I will do it on the root CA for the subordinate cert. How do I do that for the root cert? Is there a way?
PS. At the moment I have two choices: upgrade/migrate the existing PKI infrastructure to R2 CS, or install a new enterprise PKI.
February 2nd, 2010 12:17pm

For the root cert, use the CAPolicy.inf settings and then renew the certificate with a new key pair.
Paul Adare CTO IdentIT Inc. ILM MVP
February 2nd, 2010 12:31pm

> certutil -setreg CA\ValidityPeriodUnits 10
> certutil -setreg CA\ValidityPeriod "Years"
> This is not required, as it only affects certs that the CA issues (that is, SubCA certs), not the lifetime of renewals for the root CA cert.

The CA service must be restarted on the Root CA, or you will have 1-year (by default) certificates.
February 10th, 2010 6:01pm
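Putting the thread's steps together (the CAPolicy.inf settings and certutil commands from the first answer, plus the service restart pointed out in the last reply), here is an added PowerShell example. It is not code from any of the posters. It assumes PowerShell has been installed on the Windows 2003 Root CA (it is not present by default) and that it runs as a CA administrator; the renewal itself is still done afterwards in the Certification Authority console.

```powershell
# Added example, not part of the original thread. Run as a CA administrator on the Root CA.
# Assumes PowerShell is installed on the Windows 2003 server (not present by default).

# 1. CAPolicy.inf is read by certsrv when the CA certificate is renewed. The Renewal*
#    keys apply to the NEW CA certificate only: its key length and its lifetime.
#    The [Version] section with the Signature line is mandatory or the file is ignored.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriodUnits=10
RenewalValidityPeriod=Years
'@

$infPath = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path $infPath) {
    # Keep the old file so any existing policy settings in it are not silently lost.
    Copy-Item $infPath "$infPath.bak" -Force
}
Set-Content -Path $infPath -Value $caPolicy -Encoding Ascii

# 2. ValidityPeriod* only caps the lifetime of certs this CA ISSUES (here the subordinate
#    CA cert), not the root's own renewed cert. A standalone root has no templates, so
#    this registry value is the only control. The default is 1 year.
& certutil -setreg CA\ValidityPeriodUnits 10
& certutil -setreg CA\ValidityPeriod "Years"

# 3. certsrv reads these registry values at start-up; without a restart the next
#    subordinate CA cert would still be issued for 1 year.
Restart-Service certsvc

# 4. Verify what the running CA will actually use before requesting the SubCA cert.
& certutil -getreg CA\ValidityPeriodUnits
& certutil -getreg CA\ValidityPeriod

# Next step (GUI): Certification Authority console -> right-click the CA -> All Tasks ->
# Renew CA Certificate -> answer Yes to generating a new signing key. The renewed root
# cert then carries the 2048-bit key and 10-year lifetime from CAPolicy.inf.
```

Order matters: a Windows CA never issues a certificate that outlives its own certificate, it truncates the end date to its own NotAfter. Renew the root first (new key pair, 10 years), then renew the subordinate CA, otherwise the subordinate cert is clipped to the old root's remaining 2-year window regardless of the 10-year setting.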

