Request Smartcard Logon certificates for more than 2 years from Certificate Authority

Dear all,

I have set up Certificate Services in a Windows Server 2008 R2 domain and I request certificates via the CA webpage http://ipofdomainserver/certsrv using the SmartCard logon custom template.

The problem is that my certificates are only valid for 2 years even though, when I created my custom Smartcard logon, I selected 5 years for the validity period.

I read in documentation that issued certificates cannot have a greater validity than the root that signed them.

What should I modify, and where, to be able to request certificates from the template for more years than the standard 2?

PS: WINSC-CA is valid for 5 years. Should I generate a new WINSC-CA? How?

February 10th, 2015 3:17pm

You are correct when you said that issued certificates cannot have a greater validity than the root that signed them.

To change the expiration date, you can give this a try: https://support.microsoft.com/kb/254632?wa=wsignin1.0

If this does not help then you can ask them here: https://social.technet.microsoft.com/Forums/en-US/home?category=migratedforums&filter=alltypes&sort=lastpostdesc

February 10th, 2015 4:15pm

Thank you for your answer.

I was able to change the validity up to 4 years by changing both the registry key you mentioned HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriod and in ConsoleRoot\Certificate Templates\Smartcard Logon Custom the Validity Period. Both settings must have the same number.

SmartcardLogon Custom is a custom template made from the Smartcard logon one by using Duplicate in Console -> Certificate Templates.

Also, Certificate Services must be restarted for this to work.

Now I have the following questions:

1) What happens after 4 years? The Root CA will only have 1 year of validity period left; will I only be able to generate certificates with 1 year validity?

2) Does the root CA renew itself every 5 years?

3) How can I make a root CA for more than 5 years?



February 12th, 2015 2:08am
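
The limits discussed so far in this thread (template validity, the CA's ValidityPeriod registry setting, and the CA certificate's own expiry) can be compared on the CA server with a short script; this is an added example, not something posted by the participants. It assumes the `Active`, `CommonName` and `ValidityPeriodUnits` values that sit alongside `ValidityPeriod` in the CertSvc configuration key, and `$TemplateYears` is a hypothetical parameter you set to the template's validity period.

```powershell
# Added example. Run on the CA server in an elevated PowerShell session.
param([int]$TemplateYears = 5)   # assumption: validity period set on the template

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -LiteralPath $cfg).Active      # name of the active CA
$ca     = Get-ItemProperty -LiteralPath (Join-Path $cfg $caName)

# CA-wide cap: ValidityPeriod holds the unit, ValidityPeriodUnits the count.
$now = Get-Date
$n   = [int]$ca.ValidityPeriodUnits
$capEnd = switch ($ca.ValidityPeriod) {
    'Years'  { $now.AddYears($n) }
    'Months' { $now.AddMonths($n) }
    'Weeks'  { $now.AddDays(7 * $n) }
    'Days'   { $now.AddDays($n) }
    default  { throw "Unexpected ValidityPeriod '$($ca.ValidityPeriod)'" }
}

# Assumption: the current CA certificate is the one in LocalMachine\My whose
# subject starts with the CA's CommonName and that expires last.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$($ca.CommonName)*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) { throw "No certificate found for CA '$caName'" }

# The earliest of the three dates is the ceiling for a certificate issued now.
$limits = @(
    New-Object PSObject -Property @{ Limit = 'Template validity period';   NotAfter = $now.AddYears($TemplateYears) }
    New-Object PSObject -Property @{ Limit = 'CA registry ValidityPeriod'; NotAfter = $capEnd }
    New-Object PSObject -Property @{ Limit = 'CA certificate expiry';      NotAfter = $caCert.NotAfter }
) | Sort-Object NotAfter

$limits | Select-Object Limit, NotAfter | Format-Table -AutoSize
"A certificate issued now would expire $($limits[0].NotAfter) (bound by: $($limits[0].Limit))"

# To raise the CA-wide cap (the registry change described above), then restart:
#   certutil -setreg CA\ValidityPeriodUnits 4
#   Restart-Service certsvc
```

Re-running it as the CA certificate approaches expiry shows the third limit becoming the binding one, which is the point at which the CA certificate needs renewing.
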

Hi dragos3,

If a CA's certificate expires, the CA can no longer provide certificate services. Before the CA certificate expires, you can use the Certification Authority console to renew the CA to provide uninterrupted certificate services. The interval that is required for CA renewal depends on the certificate life cycle that you designed for the public key infrastructure. You can refer to the following KB articles for the detailed steps of how to renew it.

Renewing Certification Authorities

https://technet.microsoft.com/en-us/library/cc962077.aspx

Renewing a certification authority

https://technet.microsoft.com/en-us/library/cc740209(v=ws.10).aspx

I'm glad to be of help to you!

February 12th, 2015 3:16am
