Validity period of certificate assigned by Enterprise CA
I know that I can change this period but I cannot find clear instructions on how to.
Can anyone help?
Thank you.
September 2nd, 2011 9:34am
certutil -setreg ca\validityperiodunits 5
certutil -setreg ca\validityperiod years
net stop certsvc && net start certsvc
This will set the validity period for issued certificates to 5 years. However, this value is not definitive. The maximum validity period is the least value of:
1) remaining CA certificate validity period;
2) validity period specified in certificate template
3) validity period specified above.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
September 2nd, 2011 10:41am
Thank you for your reply.
If I understand you correctly, it will change validity period for existing certificates? Is this correct?
How do I change that all future certificates will be issued with longer validity period?
Thank you.
September 2nd, 2011 10:45am
You misunderstood. It is impossible to change the validity of an existing certificate. It is a signed object and cannot be modified in any way, shape, or form. To change all future certificates, follow the instructions of Vadims.
To be more specific:
1) Run the certutil commands above to change the maximum lifetime of certs issued by the CA
certutil -setreg ca\validityperiodunits 5
certutil -setreg ca\validityperiod years
net stop certsvc && net start certsvc
2) Change the validity period of the certificate template(s) that you issued certificates based on
3) Ensure that all CAs in the chain have remaining validity periods > the maximum lifetime you desire
Brian
September 2nd, 2011 12:57pm
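The "least value of" rule from the replies above, as an added example that is not part of the original thread: it computes which of the three limits decides the expiry of a newly issued certificate. The function names Add-Period and Get-EffectiveNotAfter are hypothetical, all dates and periods are constructed sample values, and the calendar arithmetic is an approximation of what the CA does.

```powershell
# Added example: which of the three limits from the thread decides NotAfter.
# Add-Period and Get-EffectiveNotAfter are hypothetical helper names.
function Add-Period {
    param([datetime]$Start, [int]$Units, [string]$Period)
    # Same unit names as ca\ValidityPeriod; switch matches case-insensitively.
    switch ($Period) {
        'Days'   { return $Start.AddDays($Units) }
        'Weeks'  { return $Start.AddDays(7 * $Units) }
        'Months' { return $Start.AddMonths($Units) }
        'Years'  { return $Start.AddYears($Units) }
        default  { throw "Unsupported period unit '$Period'" }
    }
}

function Get-EffectiveNotAfter {
    param(
        [datetime]$IssueTime,
        [datetime]$CaCertNotAfter,                    # 1) expiry of the issuing CA certificate
        [int]$TemplateUnits, [string]$TemplatePeriod, # 2) validity period set in the template
        [int]$CaUnits, [string]$CaPeriod              # 3) ca\ValidityPeriodUnits and ca\ValidityPeriod
    )
    $limits = @(
        [pscustomobject]@{ Limit = 'CA certificate expiry'
                           NotAfter = $CaCertNotAfter }
        [pscustomobject]@{ Limit = 'Certificate template'
                           NotAfter = (Add-Period $IssueTime $TemplateUnits $TemplatePeriod) }
        [pscustomobject]@{ Limit = 'CA ValidityPeriod registry'
                           NotAfter = (Add-Period $IssueTime $CaUnits $CaPeriod) }
    )
    # The earliest date wins; the Limit column names the setting to change.
    $limits | Sort-Object NotAfter | Select-Object -First 1
}

# Constructed sample values, not taken from the poster's environment.
$issue = [datetime]'2011-09-07'
$cases = @(
    @{ CaCertNotAfter = [datetime]'2014-06-01'; TemplateUnits = 5;  TemplatePeriod = 'Years' },
    @{ CaCertNotAfter = [datetime]'2021-06-01'; TemplateUnits = 1;  TemplatePeriod = 'Years' },
    @{ CaCertNotAfter = [datetime]'2021-06-01'; TemplateUnits = 10; TemplatePeriod = 'Years' }
)
foreach ($c in $cases) {
    # CA registry limit fixed at 5 years, as set by the certutil commands above.
    Get-EffectiveNotAfter -IssueTime $issue -CaUnits 5 -CaPeriod 'years' @c
}
```

Each output row names the limit that binds for that case, which is the setting that has to change before a longer-lived certificate can be issued.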
Brian.
How do I change validity period of the certificate template? It is grayed out.
Thank you.
September 2nd, 2011 1:53pm
On Fri, 2 Sep 2011 17:46:35 +0000, Igor Kravchenko wrote:
How do I change validity period of the certificate template? It is grayed out.
Then you're trying to modify a V1 template which you can't do. You'll need
to duplicate the template, make your changes, then use the new template.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Vacuum type: A derogatory term. See "bubble memory."
September 3rd, 2011 2:21am
Just to add. Only Windows Server 2003/2008/2008 R2 Enterprise, Datacenter and 2008 R2 Standard support V2 (duplicated) templates.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
September 3rd, 2011 6:10am
Hello,
I duplicated the template. After that, I opened Certification Authority and added the new template to the list of certificate templates to issue.
When I go to web interface to request the new certificate, the new certificate template is not on the list.
What am I missing here?
Thank you.
September 7th, 2011 12:53pm
What certificate template did you duplicate? The Web CertSrv pages only show:
- User certificates
- Machine certificates where the subject is provided in the request
In both cases, the user logged on the /certsrv must have read and enroll permissions
Brian
September 7th, 2011 2:22pm
I duplicated User certificate.
I tried multiple users, including the one I used to duplicate the template. This user is a member of the Domain and Enterprise Admin group.
None of the users work.
Thank you.
September 7th, 2011 2:24pm
Did you go to the CA and "issue" the template? Whenever a new template is created, you need to go to the CA [or multiple CAs] and tell it to issue that template if you want any CA to issue certs for that template.
Andrew
September 7th, 2011 3:06pm
I went to CA, right click on Certificate Templates and selected Certificates to Issue. After that I selected new template that I created.
Now it shows under Certificate Templates section in CA.
Thank you.
September 7th, 2011 3:10pm