How to change root certificate key's length and validity period
Hi Gents,

I have a two-tier Windows 2003 CA. At the moment the root and sub-root certs have 1024-bit keys and a 2-year validity period. Is there a way to change the root cert's key length to 2048 and the validity period to 10 years? I would like to do it before these certs expire and are renewed. How to do it? Can you please shed some light on it, or direct me to good articles?

Thanks
February 1st, 2010 7:15pm
You will need to create or edit the existing CAPolicy.inf file and put the following strings in it:

[certsrv_server]
renewalkeylength=2048
RenewalValidityPeriodUnits=10
RenewalValidityPeriod=years

Place the CAPolicy.inf file in the %systemroot% folder. If your Root CA is standalone, make sure that the validity period for issued certificates is set to at least 10 years:

certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

When you renew the CA certificate, select new key generation.

http://www.sysadmins.lv
February 1st, 2010 9:47pm
> If your Root CA is standalone make sure if validity period for issued certificates is set for at least 10 years:
> certutil -setreg CA\ValidityPeriodUnits 10
> certutil -setreg CA\ValidityPeriod "Years"
> whne you renew CA certificate select new key generation.
> http://www.sysadmins.lv

This is not required, as it only affects certs that the CA issues (that is, SubCA certs), not the lifetime of renewals for the root CA cert.

Paul Adare
CTO
IdentIT Inc.
ILM MVP
February 1st, 2010 10:08pm
Yes, I know. This is necessary to issue a certificate for the subordinate CA from a standalone CA for the required period.

http://www.sysadmins.lv
February 1st, 2010 10:27pm
Thanks Gents. I will do it on the root CA for the subordinate cert. How to do that for the root cert? Is there a way?

PS. At the moment I have two choices: upgrade/migrate the existing PKI infrastructure to R2 CS, or install a new enterprise PKI.
February 2nd, 2010 12:17pm
For the root cert, use the CAPolicy.inf settings and then renew the certificate with a new key pair.

Paul Adare
CTO
IdentIT Inc.
ILM MVP
February 2nd, 2010 12:31pm
> certutil -setreg CA\ValidityPeriodUnits 10
> certutil -setreg CA\ValidityPeriod "Years"
> This not required as it only affects certs that the CA issues (that is SubCA certs) not the lifetime of renewals for the root CA cert

The CA service must be restarted on the Root CA, or you will have 1-year (by default) certificates.
February 10th, 2010 6:01pm
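As an added illustration that is not part of the thread (my own Python, not code from Microsoft, sysadmins.lv or any poster), here is a small checker that ties the two settings discussed above together: it parses the [certsrv_server] renewal keys from a CAPolicy.inf and reports whether a renewal with a new key will reach the 2048-bit / 10-year target, and it models the cap that the CA's own ValidityPeriod registry value puts on anything it issues, which is why a standalone root left at the default hands the SubCA a 1-year cert. The sample CAPolicy.inf text is constructed from the values in the thread; the 365-days-per-year conversion and the "never outlive the CA's own cert" rule are simplifying assumptions of the example, not something the thread states.

```python
"""Added example: sanity-check CAPolicy.inf renewal settings and the CA
ValidityPeriod cap discussed in the thread. Not part of the original posts."""
import configparser

# Constructed sample: the CAPolicy.inf contents recommended in the thread.
SAMPLE_CAPOLICY_INF = """\
[Version]
Signature="$Windows NT$"

[certsrv_server]
renewalkeylength=2048
RenewalValidityPeriodUnits=10
RenewalValidityPeriod=years
"""

# Assumption of this example: normalise (units, period) to days with
# whole-number multipliers; AD CS does calendar arithmetic, this does not.
_PERIOD_DAYS = {"years": 365, "months": 30, "weeks": 7, "days": 1}


def period_to_days(units, period):
    """Convert e.g. (10, '"Years"') to days; ValueError on an unknown period."""
    key = str(period).strip().strip('"').lower()
    if key not in _PERIOD_DAYS:
        raise ValueError("unknown validity period: %r" % period)
    return int(units) * _PERIOD_DAYS[key]


def parse_capolicy(text):
    """Return the [certsrv_server] settings with lower-cased keys.

    CAPolicy.inf is INI-style and its keys are case-insensitive, so the
    thread's 'renewalkeylength' and the documented 'RenewalKeyLength' match."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str.lower
    cp.read_string(text)
    if not cp.has_section("certsrv_server"):
        return {}
    return dict(cp.items("certsrv_server"))


def check_root_renewal(text, min_key_bits=2048, min_years=10):
    """List what is wrong with the renewal settings; empty list means OK."""
    s = parse_capolicy(text)
    problems = []
    key_bits = int(s.get("renewalkeylength", 0))
    if key_bits < min_key_bits:
        problems.append("RenewalKeyLength %d < %d" % (key_bits, min_key_bits))
    try:
        days = period_to_days(s.get("renewalvalidityperiodunits", 0),
                              s.get("renewalvalidityperiod", "years"))
    except ValueError as exc:
        problems.append(str(exc))
        days = 0
    if days < min_years * _PERIOD_DAYS["years"]:
        problems.append("renewal validity %d days < %d years" % (days, min_years))
    return problems


def issued_cert_days(requested_days, ca_validity_units=1,
                     ca_validity_period="Years", ca_cert_remaining_days=None):
    """Lifetime the CA will actually put on an issued cert (e.g. the SubCA).

    The CA\\ValidityPeriod registry pair caps every issued cert; the default
    of 1 year is the cap the last reply in the thread warns about. As a
    general AD CS rule (assumed here, not from the thread) an issued cert
    also never outlives the CA's own certificate."""
    cap = period_to_days(ca_validity_units, ca_validity_period)
    if ca_cert_remaining_days is not None:
        cap = min(cap, ca_cert_remaining_days)
    return min(requested_days, cap)


if __name__ == "__main__":
    print("CAPolicy.inf problems:", check_root_renewal(SAMPLE_CAPOLICY_INF))
    print("SubCA gets (default CA settings):", issued_cert_days(3650), "days")
    print("SubCA gets (after certutil -setreg ... 10 Years):",
          issued_cert_days(3650, 10, '"Years"'), "days")
```

Running it on the sample shows no problems with the renewal settings, a 365-day SubCA cert with the root's registry at its defaults, and 3650 days once ValidityPeriodUnits/ValidityPeriod are set as in the thread; the restart the last reply mentions is still needed for the running CA service to pick the new values up.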