Re: Certificate Issue Lifetime

From: Brian Komar (bkomar@komarconsulting.com)
Date: 08/19/02


From: Brian Komar <bkomar@komarconsulting.com>
Date: Mon, 19 Aug 2002 10:20:33 -0500


In article <39ae01c24773$94801bb0$37ef2ecf@TKMSFTNGXA13>,
penn@netcom.com says...
> Where can you change the certificate issue lifetime?
>
> Specifically for the Root CA and Sub-CA's?
>
> Jason
>
For the root CA, you must designate the certificate lifetime during the
creation of the CA, or when you renew the CA certificate.

At installation, you input the certificate lifetime in the wizard.

At certificate renewal, you must create a capolicy.inf file in the
%windir% folder. In the capolicy.inf file, you must include the
following information:

[certsrv_server]
RenewalKeyLength= 2048
RenewalValidityPeriod = 10
RenewalValidityPeriodUnits = Years

This will renew the certificate with a 2048 bit key that is valid for 10
years.

If you are setting the validity period for a subordinate CA, the
validity period is a function of two separate settings:

In short, the validity period is the lesser of the validity period of
the Subordinate Certification Authority template and the validity period
settings of the CA that issues the Subordinate Certification Authority
certificate.

At every CA in your CA hierarchy, you can define the maximum lifetime
for any certificates issued by the CA. This is done by editing two
registry entries at the CA:

HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>:

ValidityPeriodUnits: 5
ValidityPeriod: Years

**Note, these do not match up to the capolicy.inf settings, where Period
is the numeric and units is the time frame used. In the registry, the
units is the numeric value and Period is the time frame used.

HTH,
Brian
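The steps above, as an added example that is not part of Brian's post: the CAPolicy.inf for root CA renewal, the per-CA issuance cap set with certutil instead of hand-editing the registry, and a check that reads the cap back and computes the lifetime a request can actually receive. It assumes a Windows Server 2003 or later AD CS CA, run from an elevated PowerShell session on the CA itself, with a single active CA whose certificate is in the LocalMachine\My store. One caveat it builds in: on Server 2003 and later, CAPolicy.inf uses the same naming as the registry (RenewalValidityPeriod is the unit, RenewalValidityPeriodUnits is the number), and the CA policy module additionally never issues a certificate that outlives the CA's own certificate, so that third bound is included in the calculation.

```powershell
# Added example (not from the original post). Assumes Server 2003+ AD CS,
# elevated session on the CA, one active CA, CA cert in Cert:\LocalMachine\My.
# Caveat: Server 2003+ CAPolicy.inf uses the SAME convention as the registry:
# RenewalValidityPeriod = unit, RenewalValidityPeriodUnits = number.

# --- 1. Root CA renewal: CAPolicy.inf in %windir% is read when you choose
#        "Renew CA Certificate" in the Certification Authority console.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
'@
Set-Content -Path (Join-Path $env:windir 'CAPolicy.inf') -Value $caPolicy -Encoding Ascii

# --- 2. Maximum lifetime of anything this CA issues. Set this on the PARENT CA
#        to bound the Sub-CA certificate; the template is the other bound.
#        Same reversed naming as the registry: Units is the number.
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"
Restart-Service CertSvc   # CertSvc only re-reads these values on restart

# --- 3. Read the cap back from the registry key the post names.
function Get-CaIssuanceCap {
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg).Active          # name of the active CA
    $v      = Get-ItemProperty -Path (Join-Path $cfg $caName)
    [pscustomobject]@{
        CAName = $caName
        Count  = [int]$v.ValidityPeriodUnits   # numeric, despite the name
        Unit   = [string]$v.ValidityPeriod     # Years, Months, Weeks, Days or Hours
    }
}

function Add-Period([datetime]$From, [int]$Count, [string]$Unit) {
    switch ($Unit) {
        'Years'  { $From.AddYears($Count) }
        'Months' { $From.AddMonths($Count) }
        'Weeks'  { $From.AddDays(7 * $Count) }
        'Days'   { $From.AddDays($Count) }
        'Hours'  { $From.AddHours($Count) }
        default  { throw "Unknown ValidityPeriod unit '$Unit'" }
    }
}

# --- 4. Worked check of the "lesser of" rule: template validity vs. the CA's
#        ValidityPeriod cap, plus the CA's own NotAfter, which the policy module
#        never lets an issued certificate exceed. Template values are assumed
#        here (read them from the template in your own environment).
function Get-EffectiveNotAfter {
    param([int]$TemplateCount = 5, [string]$TemplateUnit = 'Years')
    $now = Get-Date
    $cap = Get-CaIssuanceCap
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -match [regex]::Escape($cap.CAName) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    $candidates = @(
        [pscustomobject]@{ Source = 'Template';          NotAfter = Add-Period $now $TemplateCount $TemplateUnit }
        [pscustomobject]@{ Source = 'CA ValidityPeriod'; NotAfter = Add-Period $now $cap.Count $cap.Unit }
    )
    if ($caCert) {
        $candidates += [pscustomobject]@{ Source = 'CA certificate NotAfter'; NotAfter = $caCert.NotAfter }
    }
    # The earliest of the three is what the issued certificate will carry.
    $candidates | Sort-Object NotAfter | Select-Object -First 1
}

Get-CaIssuanceCap
Get-EffectiveNotAfter -TemplateCount 10 -TemplateUnit 'Years'
```

Run step 4 on the parent CA before submitting a Sub-CA request: if the winning source is the CA's own NotAfter rather than the template or the cap, the parent needs renewing first, or the subordinate will be issued with a shorter life than intended.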


