How to sign certificate with custom validity period using Enterprise CA
Hello, I am wondering how to sign a certificate with a custom validity period using an Enterprise CA. There is no problem with a Standalone CA; the validity period can be set with the "ValidityPeriodUnits" registry value, but it doesn't work with an Enterprise CA. I am trying to sign a CSR with the command: certreq -submit -attrib "CertificateTemplate: WebServer" certificate_request.der It makes the certificate valid for only 2 years.
January 14th, 2011 6:31am

You need to configure the template validity period. Open certtmpl.msc, double-click the required template (in your case Web Server), and on the General tab change the validity period setting. After this, resubmit the request.
http://en-us.sysadmins.lv
January 14th, 2011 6:45am

Just to add to Vadims' answer.
1) You need to work with a V2 certificate template to set a custom validity period. The WebServer certificate template is a V1 template and is hardcoded to the lesser of two years or the ValidityPeriod/ValidityPeriodUnits registry settings (or the remaining lifetime on the enterprise CA certificate).
2) The default on an enterprise CA for the ValidityPeriod/ValidityPeriodUnits registry setting is two years. If you want to issue certificates with a greater validity period, you must reset the registry values and restart Certificate Services.
Brian
January 16th, 2011 9:57am

I have duplicated the WebServer template, edited it, extended its validity, and am using it for signing. The "ValidityPeriodUnits" registry value also must be extended. Thanks for the thoughts.
January 23rd, 2011 3:00am
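
Added example (not part of the original thread): the steps the replies describe, run end to end from an elevated PowerShell prompt on the CA, with a check of each limit that caps the issued validity. The template name WebServerLongLived, the 5-year target, and the output file names are assumptions.

```powershell
# Assumed values (not from the thread); adjust to your environment.
$templateName = 'WebServerLongLived'     # hypothetical duplicate (V2) of WebServer; use its
                                         # template name (no spaces), not the display name
$requestFile  = 'certificate_request.der'
$targetYears  = 5                        # assumed target validity

# 1. Show the CA-wide cap currently in force (default on an enterprise CA: 2 Years).
certutil -getreg CA\ValidityPeriod
certutil -getreg CA\ValidityPeriodUnits

# 2. The CA certificate's own remaining lifetime is the third limit: check it first.
certutil -f '-ca.cert' ca.cer | Out-Null
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
          -ArgumentList (Resolve-Path ca.cer).Path
if ($caCert.NotAfter -lt (Get-Date).AddYears($targetYears)) {
    Write-Warning "CA certificate expires $($caCert.NotAfter); issued certs cannot outlive it."
}

# 3. Raise the registry cap. It applies to every template on this CA, so each
#    template's own validity setting remains the per-template limit.
certutil -setreg CA\ValidityPeriod Years
certutil -setreg CA\ValidityPeriodUnits $targetYears

# 4. The registry change only takes effect after Certificate Services restarts.
Restart-Service -Name CertSvc

# 5. Submit the request against the duplicated template, whose validity period
#    was already extended in certtmpl.msc (General tab).
certreq -submit -attrib "CertificateTemplate:$templateName" $requestFile issued.cer

# 6. Confirm the validity the CA actually granted.
if (Test-Path issued.cer) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (Resolve-Path issued.cer).Path
    '{0:u} -> {1:u} ({2:N0} days)' -f $cert.NotBefore, $cert.NotAfter,
        ($cert.NotAfter - $cert.NotBefore).TotalDays
} else {
    Write-Warning 'No certificate returned (request pending or denied).'
}
```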
