Increase Subordinate CA validity
Hi,
I want to build a Subordinate CA but using a different validity period. As you know, the default is 5 years (SubCA template), and I want to make it 10 years.
So before I installed the Subordinate Certification Authority on the second server, I created a capolicy.inf file and put this in:
[Version]
Signature="$Windows NT$"
[RequestAttributes]
CertificateTemplate = MySubCA
On the Root CA I duplicated the default certificate and named it MySubCA with a period of 10 years, then published this certificate in the certificate templates. Then I installed my Subordinate CA and saved the request file, went to the Root CA and issued the certificate,
but the new certificate's period is two years. I opened the certificate and looked at the details, and the certificate template that issued this one is OK; it is the one I created earlier. I couldn't make this work until I issued the command on the Root CA:
certutil -setreg CA\ValidityPeriodUnits 10
But now all my certificates will have 10 years validity. So my question, as you can assume, is:
How can I make this work using capolicy.inf file and the new template, without modifying the registry?
Thanks
September 22nd, 2011 3:43pm
The Root CA should only ever issue Subordinate CA certificates, so the setting of 10 years you describe will only affect issued subordinate CA certs and will not affect certificates issued by the actual subordinate CA itself.
The subordinate CA will normally have a corresponding ValidityPeriodUnits setting of its own...
Cheers
JJ
Jason Jones |
Forefront MVP | Silversands Ltd | My Blogs:
http://blog.msedge.org.uk and
http://blog.msfirewall.org.uk
September 22nd, 2011 4:01pm
here you will get all answers:
http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=50
> How can I make this work using capolicy.inf file and the new template, without modifying the registry
you can't
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
September 22nd, 2011 4:26pm
So if I need to issue certificates to multiple Subordinate CAs with different validity periods, I will need to change the registry settings every time I issue a certificate; now this is when I say... damn
September 22nd, 2011 4:34pm
> So if I need to issue certificates to multiple Subordinate CAs with different validity periods, I will need to change the registry settings every time I issue a certificate; now this is when I say... damn
yes.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
September 22nd, 2011 5:44pm
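The per-issuance registry change the thread ends on, as an added example that is not code from any poster: it saves the Root CA's current ValidityPeriod and ValidityPeriodUnits, applies the temporary values, runs one issuance step, and always restores the saved values. The function name, the CA config string and the file names are assumptions made for illustration.

```powershell
# Added example (not from the thread). Run elevated on the Root CA.
# The registry value is only a ceiling: the issued certificate still cannot
# outlive the template's validity period or the Root CA's own certificate.
function Invoke-WithCaValidity {            # hypothetical helper name
    param(
        [Parameter(Mandatory)][int]$Units,
        [ValidateSet('Days','Weeks','Months','Years')][string]$Period = 'Years',
        [Parameter(Mandatory)][scriptblock]$IssueStep
    )
    # Locate the active CA's configuration key and remember the current values.
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base -Name Active).Active
    $old    = Get-ItemProperty -Path (Join-Path $base $caName) `
                               -Name ValidityPeriod, ValidityPeriodUnits

    function Set-CaValidity([string]$P, [int]$U) {
        certutil -setreg CA\ValidityPeriod $P | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -setreg ValidityPeriod failed" }
        certutil -setreg CA\ValidityPeriodUnits $U | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -setreg ValidityPeriodUnits failed" }
        Restart-Service -Name CertSvc       # new values are read at service start
    }

    try {
        Set-CaValidity $Period $Units
        & $IssueStep                        # issue exactly one certificate here
    }
    finally {
        # Restore the previous ceiling even if issuance failed.
        Set-CaValidity $old.ValidityPeriod $old.ValidityPeriodUnits
        certutil -getreg CA\ValidityPeriodUnits
    }
}

# Usage (placeholder CA config string and file names):
# Invoke-WithCaValidity -Units 10 -IssueStep {
#     certreq -submit -config 'ROOTCA01\Example Root CA' .\subca.req .\subca.cer
# }
# certutil -dump .\subca.cer    # confirm NotAfter on the issued certificate
```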


