Validity period of certificate assigned by Enterprise CA
I know that I can change this period but I cannot find clear instructions on how to. Anyone can help? Thank you.
September 2nd, 2011 9:34am

certutil -setreg ca\validityperiodunits 5 certutil -setreg ca\validityperiod years net stop certsvc && net stop certsvc this will set validity period for issued certificates to 5 years. However this value is not definitive. The maximum validity period is the least value of: 1) remaining CA certificate validity period; 2) validity period specified in certificate template 3) validity period specified above.My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
Free Windows Admin Tool Kit Click here and download it now
September 2nd, 2011 10:41am

Thank you for your reply. If I understand you correctly, it will change validity period for existing certificates? Is this correct? How do I change that all future certificates will be issued with longer validity period? Thank you.
September 2nd, 2011 10:45am

You misunderstood. It is impossible to change the validity of an existing certificate. It is a signed object and cannot be modified in any way, shape, or form. To change all future certificates, follow the instructions of Vadims. To be more specific: 1) Run the certutil commands above to change the maximum lifetime of certs issued by the CA certutil -setreg ca\validityperiodunits 5 certutil -setreg ca\validityperiod years net stop certsvc && net stop certsvc 2) Change the validity period of the certificate template(s) that you issued certificates based on 3) Ensure that all CAs in the chain have remaining validity periods > the maximum lifetime you desire Brian
Free Windows Admin Tool Kit Click here and download it now
September 2nd, 2011 12:57pm

Brian. How do I change validity period of the certificate template? It is grayed out. Thank you.
September 2nd, 2011 1:53pm

On Fri, 2 Sep 2011 17:46:35 +0000, Igor Kravchenko wrote: How do I change validity period of the certificate template?? It is grayed out. Then you're trying to modify a V1 template which you can't do. You'll need to duplicate the template, make your changes, then use the new template. Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca Vacuum type: A derogatory term. See "bubble memory."
Free Windows Admin Tool Kit Click here and download it now
September 3rd, 2011 2:21am

Just to add. Only Windows Server 2003/2008/2008 R2 Enterprise, Datacenter and 2008 R2 Standard support V2 (duplicated) templates.My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
September 3rd, 2011 6:10am

Hello, I duplicated template. After that, I opened Certification Authority and added new template to the list of the ceritificate templates to issue. When I go to web interface to request the new certificate, the new certificate template is not on the list. What am I missing here? Thank you.
Free Windows Admin Tool Kit Click here and download it now
September 7th, 2011 12:53pm

What certificate template did you duplicate? The Web CertSrv pages only show: - User certificates - Machine certificates where the subject is provided in the request In both cases, the user logged on the /certsrv must have read and enroll permissions Brian
September 7th, 2011 2:22pm

I duplicated User certificate. I tried multiple users, including the one that I duplicated template. This user is a member of the Domain and Enterprise Admin group. None of the users work. Thank you.
Free Windows Admin Tool Kit Click here and download it now
September 7th, 2011 2:24pm

Did you goto the CA and "issue" the template? Whenever a new template is created, you need to goto the CA [or multiple CAs] and tell it to issue that template if you want any CA to issue certs for that template. Andrew
September 7th, 2011 3:06pm

I went to CA, right click on Certificate Templates and selected Certificates to Issue. After that I selected new template that I created. Now it shows under Certificate Templates section in CA. Thank you.
Free Windows Admin Tool Kit Click here and download it now
September 7th, 2011 3:10pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics