Need to renew sub CA cert for longer validity period than default of 5 years
I have a Windows 2008 domain with a root CA (online) and sub CA. My root cert was 5 years and my sub was 2 years. I'd like to renew the root for 20 and the sub for 10 and then issue 5 year smartcard certs. So, I created a capolicy.inf file and renewed my root CA and it took the new validity period of 20 years. I did the same on the subca with a capolicy.inf setting of 10 years but no matter what I do the period is five years every time I gen the cert. I used the same capolicy.inf and also did 'certutil -setreg validityperiodunits 10'. I think this is related to the Subordinate Certificate Template on the CA being set to 5 years and not editable. If I duplicate that template, change it to 10 and then try to issue the template, this new template is not in the list on the root. It is available to issue on the SubCA. If I duplicate the template and try to issue the template on the rootCA, the edited template doesn't show in the list of templates to be issued. Any ideas?
April 14th, 2011 3:45pm

The articles below might be helpful.
http://forums.techarena.in/active-directory/1290288.htm
http://support.microsoft.com/kb/254632
Previous discussion:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/3310ac17-9f86-49a2-ade7-bdf3cc1fc153/
Regards
Awinish Vishwakarma | MY Blog
Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.
April 15th, 2011 2:46am

Run this on the root CA:
CERTUTIL -setreg CA\ValidityPeriodUnits xx
Replace the xx with the actual number of years you would like it to issue the certs for. Restart the root CA afterwards.
onrej.
April 15th, 2011 10:54am
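A read-only check to go with the command in the reply above, added here as an example and not written by any poster in this thread: it reads the issuing CA's ValidityPeriod and ValidityPeriodUnits registry values and the CA certificate's own expiry, and reports the latest expiry date the CA can put on a certificate it issues. The 10-year target comes from the question; the script assumes an elevated session on the root CA and does not inspect the certificate template, which can limit validity further.

```powershell
# Added example (not from the thread). Run elevated on the issuing (root) CA.
# Assumption: the sub CA certificate should be valid for 10 years, as in the question.
$WantedYears = 10
$now    = Get-Date
$wanted = $now.AddYears($WantedYears)

# The CertSvc configuration key names the active CA in its "Active" value.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$ca      = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

# ValidityPeriod is the unit name, ValidityPeriodUnits is the count.
$units = [int]$ca.ValidityPeriodUnits
$regLimit = switch ($ca.ValidityPeriod) {
    'Years'  { $now.AddYears($units) }
    'Months' { $now.AddMonths($units) }
    'Weeks'  { $now.AddDays(7 * $units) }
    'Days'   { $now.AddDays($units) }
    default  { throw "Unhandled ValidityPeriod value '$($ca.ValidityPeriod)'" }
}

# A CA cannot issue a certificate that outlives its own CA certificate.
# After a renewal there can be several CA certificates; use the one expiring last.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $ca.CommonName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $caCert) { throw "No CA certificate found for '$($ca.CommonName)'" }

# The earlier of the two dates is the upper bound for anything this CA issues.
$effective = if ($caCert.NotAfter -lt $regLimit) { $caCert.NotAfter } else { $regLimit }

"CA name                : $caName"
"Registry validity      : $units $($ca.ValidityPeriod) (until $regLimit)"
"CA certificate expires : $($caCert.NotAfter)"
"Latest possible expiry : $effective"

if ($regLimit -lt $wanted) {
    Write-Warning "Registry limit is below $WantedYears years. To raise it:"
    "  certutil -setreg CA\ValidityPeriodUnits $WantedYears"
    "  Restart-Service certsvc"
}
if ($caCert.NotAfter -lt $wanted) {
    Write-Warning "The CA certificate itself expires before the wanted date."
}
```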

My enterprise root CA has the validity period of 20 years. My problem is that I can't renew the subca cert for more than five years. I think it is because of the template. I cannot issue the template to the root CA, only to the subca and the rootca is what has to issue the cert to the subca. I can only issue the original v1 template (5 years, not editable) to the root CA, not the edited v2 template (10 years). I read something about needing 2008 Enterprise for this to work? My Enterprise RootCA is 2008 STD and my SubCA is 2008 Enterprise. My root is online, not offline if that matters. If I don't issue a subca cert template to the rootca, the subca cert renewal fails. So I need help figuring out how to issue a template to my rootCA with a longer validity period (10 years).
May 4th, 2011 3:57pm

This topic is archived. No further replies will be accepted.
