Re: Validity period of certificates is not accepted anymore
From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 11/30/04
Date: Tue, 30 Nov 2004 05:33:07 -0800
You should be able to remove the "include symmetric algorithms" checkbox in
the template which will enable the CA to not require those extensions in the
request:
Windows Server 2003 certificate templates whitepaper:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.

Top Whitepapers:

Auto-enrollment whitepaper:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
Best Practices for implementing Windows Server 2003 PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Troubleshooting Certificate Status and Revocation whitepaper:
http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx
Windows Server 2003 web enrollment and troubleshooting guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx

"Sebastian Rieger" <sebastian.rieger@gwdg.de> wrote in message
news:%2343Hiav0EHA.2572@tk2msftngp13.phx.gbl...
> David Cross [MS] wrote:
>> The CA policy module will always truncate the validity of an issued cert
>> to be within the lifetime of its own validity period. You must renew the
>> CA with a longer lifetime to avoid this.
>>
>
> Thanks for your help! The feature of reducing the lifetime of a
> certificate is great! I renewed the CA certificate though, to avoid having
> users register their certificate a short time before the CA certificate
> expires. I've got two valid CA certificates now (same key, different
> lifetime) which seems to work fine even with the CRL etc.
>
> Thanks to you I now know that there seems to be no registry key or the
> like, to avoid the lifetime from being cut down.
>
> I've got a new problem now, though! The lifetime of the certificate is
> accepted (or shortened) by the policy module, but it states that there are
> no SMIME capability extensions set. There used to be an extension for
> this, but right now Netscape / Mozilla requests lack it.
>
> The policy module rejects all requests of our users, complaining about
> the lacking extension (0x80094805 (-2146875387)). I couldn't find anything
> in TechNet or on the Microsoft webpage.
>
> Strange thing is, requests sent in by an Internet Explorer are accepted by
> the policy module. They ought to be constructed on the client side, using
> Xenroll.dll, right? Selecting them from the pending request list, and
> showing their extension works (the extensions contain the four encryption
> types of SMIME capabilities, which are also set in defaultSMIME registry
> key).
>
> Any help would (again) be greatly appreciated! Thanks again, for your
> advice!
>
> Sebastian Rieger