newbie with some questions, need help
I'm trying to get a PKI operational. It will be two tier. I've got the standalone root-ca, and an enterprise-ca subordinate to that to issue certs.
The enterprise-ca's certificate validity is only two years. I'd like it to be 5 or 10. Where do I control that?
Do I need to duplicate the certificate template called "Subordinate Certification Authority"? Do I do this on the root-ca, or the enterprise-ca which is requesting the new certificate? Or do I need to create a capolicy.inf on the enterprise-ca?
I'm not clear on the relationship between capolicy.inf and templates. Does one obviate the need of using the other? Is there complete overlap with what they accomplish or only some?
Thanks for any help.
July 5th, 2011 6:29pm
I assume that you have an Enterprise Root CA. By default Enterprise CAs issue certificates up to 2 years only. In order to extend this value you need to run the following commands on the Root CA server:
certutil -setreg ca\validityperiodunits 5
net stop certsvc && net start certsvc
After this you will be able to renew the subordinate CA certificate, which will be valid for 5 years.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
July 6th, 2011 5:13am
Vadims, no I do not have an enterprise root-ca, I have a standalone root-ca, and an enterprise issuing-ca subordinate to that.
July 6th, 2011 10:11am
No difference here. You must run these commands on your Root CA server.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
July 6th, 2011 1:53pm
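A read-only check to run on the root CA before renewing the subordinate, added here as an example and not part of the thread: it reads the ValidityPeriod and ValidityPeriodUnits values that `certutil -setreg` writes and compares them with the root CA certificate's own expiry, because a CA does not issue a certificate that outlives its own. The temporary file name is an assumption; the 5-year target is the one asked about above.

```powershell
# Run in an elevated PowerShell session on the root CA (the CA that signs
# the subordinate's certificate). Nothing here changes the configuration.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active          # active CA name
$ca      = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

# Registry cap on the lifetime of certificates this CA issues.
$units  = [int]$ca.ValidityPeriodUnits
$period = $ca.ValidityPeriod
$now    = Get-Date
$regLimit = switch ($period) {
    'Years'  { $now.AddYears($units) }
    'Months' { $now.AddMonths($units) }
    'Weeks'  { $now.AddDays(7 * $units) }
    'Days'   { $now.AddDays($units) }
    default  { throw "Unexpected ValidityPeriod value '$period'" }
}

# Export the CA's current certificate and read its expiry.
# '-ca.cert' is quoted so PowerShell passes it to certutil as one argument.
$cerPath = Join-Path $env:TEMP 'rootca-current.cer'   # assumed scratch file name
certutil -f '-ca.cert' $cerPath | Out-Null
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath

# The longest certificate the CA can issue today is the earlier of the two dates.
$effective = if ($caCert.NotAfter -lt $regLimit) { $caCert.NotAfter } else { $regLimit }
$target    = $now.AddYears(5)                          # lifetime wanted for the subordinate

[pscustomobject]@{
    CA                = $caName
    RegistryCap       = "$units $period"
    RegistryCapDate   = $regLimit
    CACertNotAfter    = $caCert.NotAfter
    LongestIssuable   = $effective
    FiveYearsPossible = ($effective -ge $target)
}
```

If `FiveYearsPossible` is still False after the registry change and service restart, the limiting value is the root CA certificate's own `NotAfter` date rather than the registry setting.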


