October 7 2011

Extend the validity period of a Certificate Authority certificate

During a new deployment of a Certificate Services, I needed to increase the validity period of the CA certificate issued from the root (and offline) CA to the issuing CA (online and domain joined). By default this is only valid for 1 year. After unsuccessful hunting around the GUI options, I realised that this is going to be a registry change:

HKEY_LOCAL_MACHINESystemCurrentControlSetServicesCertSvcConfiguration
Find ValidityPeriod. Set the value one of the following – Days, Weeks, Months or Years.
Find ValidityPeriodUnits and set this to the numeric value that you want.
Then restart the Certificate Services NT service.

I made this change on both the root CA and issuing CA because I wanted to increase the validity period of not just the CA certificate that is issued from the root CA, but also any certificates that are issued from the issuing CA also. Be aware that validity period may also be set in the certificate template and templates supported by Windows 2000 and Windows Server 2003 Standard Edition cannot be modified. Templates supported by Windows Server Enterprise Edition (Version 2 templates) do support modification.

There is a bit more detail here if required – http://support.microsoft.com/kb/254632.

 
 



----------------------------------------------------------------------------
I use a maximum of one Google Ad per post to help offset some of my blog hosting costs.

----------------------------------------------------------------------------


Tags: , , , , ,

Posted October 7, 2011 by danovich in category "Certificates", "Windows

Leave a Reply