Re: CA Issues 2 Year cert

From: Paul Adare - MVP - Microsoft Virtual PC (padare_at_newsguy.com)
Date: 12/15/04


Date: Wed, 15 Dec 2004 09:03:07 -0500

In article <141A0811-58CB-4C2C-82ED-561CA4657759@microsoft.com>, in the
microsoft.public.security news group, TKLOSE
<TKLOSE@discussions.microsoft.com> says...

> I created a template, from the web server template, on my enterprise CA.
> I set it for 6 Years, so it can be used for my Cisco ACS server.
> The root is good for 20 years.
>
>
> When I request the certificate, it shows up as a 2 year certificate!
>
> What's wrong?
>

There are 3 things that determine the maximum lifetime of a certificate:

1. The remaining lifetime of the issuing CA (which may be less than it
would appear, as a subordinate CA cannot have a lifetime longer than any
parent CAs in the chain).
2. The value specified in the template.
3. The value specified in the registry.

The shortest time wins. The default value in the registry is 2 years.
You can confirm this with the following commands:

certutil -getreg ca\ValidityPeriod

and

certutil -getreg ca\ValidityPeriodUnits

It will show Years for the first and 2 for the second. To change it, you
can issue the following command:

certutil -setreg ca\ValidityPeriodUnits 6

and then restart Certificate Services and issue a new certificate.

-- 
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
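As an added example (not part of Paul's post or any Microsoft tooling), a PowerShell script that reads the three limits described above on the CA server and reports which one caps the issued lifetime. It assumes the CA's name is stored in the Active value under the CertSvc\Configuration registry key, that certutil -ca.cert can export the CA's own certificate, and that the template's validity is supplied by hand via -TemplateYears.

```powershell
# Added example: list the three limits on an issued certificate's lifetime
# (issuing CA expiry, template validity, registry ValidityPeriod*) and show
# the shortest one. Run in an elevated PowerShell session on the CA itself.
# -TemplateYears: validity configured on the template (6 in the post above).
param([int]$TemplateYears = 6)

$now = Get-Date

# 1. Remaining lifetime of the issuing CA certificate.
#    certutil -ca.cert writes the CA's certificate to a file; its NotAfter
#    already reflects any shorter parent CA in the chain.
$caCertFile = Join-Path $env:TEMP 'issuing-ca.cer'
certutil -ca.cert $caCertFile | Out-Null
$caCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCertFile
$caLimit  = $caCert.NotAfter

# 2. The template value (passed in as a parameter).
$templateLimit = $now.AddYears($TemplateYears)

# 3. The registry value. Assumption: the active CA name is in the 'Active'
#    value of the Configuration key; ValidityPeriod (unit) and
#    ValidityPeriodUnits (count) live under the CA's own subkey.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active
$reg    = Get-ItemProperty -Path (Join-Path $cfg $caName)
$regLimit = switch ($reg.ValidityPeriod) {
    'Years'  { $now.AddYears($reg.ValidityPeriodUnits) }
    'Months' { $now.AddMonths($reg.ValidityPeriodUnits) }
    'Weeks'  { $now.AddDays(7 * $reg.ValidityPeriodUnits) }
    'Days'   { $now.AddDays($reg.ValidityPeriodUnits) }
    default  { throw "Unexpected ValidityPeriod value: $($reg.ValidityPeriod)" }
}

# The shortest limit wins.
$limits = [ordered]@{
    'Issuing CA certificate expiry'                                 = $caLimit
    "Template validity ($TemplateYears years)"                      = $templateLimit
    "Registry ($($reg.ValidityPeriodUnits) $($reg.ValidityPeriod))" = $regLimit
}
$sorted = $limits.GetEnumerator() | Sort-Object Value
$sorted | Format-Table @{n='Limit'; e={$_.Key}}, @{n='Not after'; e={$_.Value}} -AutoSize
$winner = $sorted | Select-Object -First 1
"Effective maximum lifetime is capped by: $($winner.Key) ($($winner.Value))"
```

With the defaults from the post (template 6 years, registry still at 2 Years) the registry line sorts first, which is the 2-year result the original poster saw; after the certutil -setreg change and a service restart the template or CA expiry becomes the limiting factor.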

