Re: CA Issues 2 Year cert

From: TKLOSE (TKLOSE_at_discussions.microsoft.com)
Date: 12/15/04


Date: Wed, 15 Dec 2004 06:27:03 -0800

Right On.

Would you know the registry key for this, so I may set up a GP?

"Paul Adare - MVP - Microsoft Virtual PC" wrote:

> In article <141A0811-58CB-4C2C-82ED-561CA4657759@microsoft.com>, in the
> microsoft.public.security news group, TKLOSE
> <TKLOSE@discussions.microsoft.com> says...
>
> > I created a template, from the web server template, on my enterprise CA.
> > I set it for 6 Years, so it can be used for my Cisco ACS server.
> > The root is good for 20 years.
> >
> >
> > When I request the certificate, it shows up as a 2 year certificate!
> >
> > What's wrong?
> >
>
> There are 3 things that determine the maximum lifetime of a certificate:
>
> 1. The remaining lifetime of the issuing CA (which may be less than it
> would appear, as a subordinate CA cannot have a lifetime longer than any
> parent CAs in the chain).
> 2. The value specified in the template.
> 3. The value specified in the registry.
>
> The shortest time wins. The default value in the registry is 2 years.
> You can confirm this with the following commands:
>
> certutil -getreg ca\ValidityPeriod
>
> and
>
> certutil -getreg ca\ValidityPeriodUnits
>
> It will show Years for the first and 2 for the second. To change it, you
> can issue the following command:
>
> certutil -setreg ca\ValidityPeriodUnits 6
>
> and then restart Certificate Services and issue a new certificate.
>
> --
> Paul Adare
> "On two occasions, I have been asked [by members of Parliament],
> 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> will the right answers come out?' I am not able to rightly apprehend
> the kind of confusion of ideas that could provoke such a question."
> -- Charles Babbage (1791-1871)
>
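
The "shortest time wins" rule from the quoted reply, modelled as an added PowerShell example (not code from either poster). The function names and all dates are constructed for illustration; the registry inputs stand for the values reported by `certutil -getreg ca\ValidityPeriod` and `certutil -getreg ca\ValidityPeriodUnits`.

```powershell
# Added example: model of the three limits on certificate lifetime.
# Function names are hypothetical; sample dates below are constructed.

function Add-ValidityPeriod {
    param([datetime]$Start, [int]$Units, [string]$Period)
    switch ($Period) {
        'Years'  { return $Start.AddYears($Units) }
        'Months' { return $Start.AddMonths($Units) }
        'Weeks'  { return $Start.AddDays(7 * $Units) }
        'Days'   { return $Start.AddDays($Units) }
        default  { throw "Unsupported validity period '$Period'" }
    }
}

function Get-EffectiveExpiry {
    param(
        [datetime]$IssuedAt,
        [datetime]$CaNotAfter,                          # expiry of the issuing CA certificate
        [int]$TemplateUnits, [string]$TemplatePeriod,   # validity set in the template
        [int]$RegistryUnits, [string]$RegistryPeriod    # ca\ValidityPeriodUnits, ca\ValidityPeriod
    )
    $limits = @(
        [pscustomobject]@{ Source = 'Issuing CA lifetime'
                           NotAfter = $CaNotAfter }
        [pscustomobject]@{ Source = 'Template'
                           NotAfter = (Add-ValidityPeriod $IssuedAt $TemplateUnits $TemplatePeriod) }
        [pscustomobject]@{ Source = 'Registry'
                           NotAfter = (Add-ValidityPeriod $IssuedAt $RegistryUnits $RegistryPeriod) }
    )
    # The earliest expiry wins; report every source that sets it (ties are possible).
    $earliest = ($limits | Sort-Object NotAfter)[0].NotAfter
    $limits | Where-Object { $_.NotAfter -eq $earliest }
}

# Constructed inputs matching the thread: 6-year template, CA with long remaining life.
$issued = [datetime]'2004-12-15'
$caEnd  = [datetime]'2024-06-01'

# Registry at its default (2 Years): the registry value is the limiting factor.
Get-EffectiveExpiry -IssuedAt $issued -CaNotAfter $caEnd `
    -TemplateUnits 6 -TemplatePeriod Years -RegistryUnits 2 -RegistryPeriod Years

# After "certutil -setreg ca\ValidityPeriodUnits 6": template and registry now tie at 6 years.
Get-EffectiveExpiry -IssuedAt $issued -CaNotAfter $caEnd `
    -TemplateUnits 6 -TemplatePeriod Years -RegistryUnits 6 -RegistryPeriod Years
```

Setting `-CaNotAfter` to a date earlier than six years after issuance shows the third case, where the issuing CA's own expiry caps the certificate regardless of template and registry.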


