Re: How to extend validity period of Sub CA

From: Brian Komar [MVP] (bkomar_at_nospam.identit.ca)
Date: 10/05/05 

Date: Wed, 5 Oct 2005 09:19:06 -0500

In article <927F37D5-6B5D-4B27-B851-D00A916841BB@microsoft.com>,
alexis75@hotmail.co.uk.dont.spam says...
> I have an offline root CA(Server is Win2003 Std in A Workgroup)
> The root cert expires in 2025
> I have 2 Sub CAs in Active Directory (Servers are Win2003, member servers
> in AD)
> The sub ca certs expire in 2006
> Any certs they issue to computers in AD expire in 2006
> How do I increase the validity period for these 2 Sub CAs so the certs they
> issue expire in 2008?
>
> thanks
>
You have to start at the root CA computer and extend the validity period
of the certificates it issues. The default, as you can see is one year.

For example, to set that the root CA will issue certficates with a
validity period of 10 years, you would run the following commands at the
root CA, and then restart certificate services.

certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

Then, you have to renew the subCA certificiates. They will now get 10
year certs (expiring in 2015).

Then you have to set the validity periods for certificates issued by the
SubCAs. If you want the max lifetime to be 5 years, you would run

certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"

You must also define the certificate template that you are using to have
a validity period of 3 years. This is only possible with version 2
certificate templates and requires that the subcas are running windows
server 2003, enterprise edition.

Finally, as you have seen, the subca cannot issue certificates with
validity periods extending beyonds its validity period.

For more details see the best practices white paper available at
www.microsoft.com/pki

Brian

Relevant Pages

  • Re: Enterprise root CA not re-trusted after manually deleted
    ... published) autoenrollment queries AD for CA certs and installs them. ... CA certs in AD). ... deleted root certs can automatically return or need a manual repair. ... If root CA certificates are distributed using autonenrollment (meaning ...
    (microsoft.public.windows.server.security)
  • Re: Using Certificates with IPSEC
    ... Make sure the certs are machine certs and not user certs. ... "Brian Komar" wrote in message ... >>> same root CA, or to CAs that are trusted by the opposite endpoint. ... > 1) You have to deploy the certificates to the two endpoint computers ...
    (microsoft.public.win2000.security)
  • Re: UGH! Entourage 2008 and SSL Certificates
    ... remote.domain.com certs) to Always trust and gave my password. ... It looks to me like you imported the SSL certificates, but not the root ... MVPs are not MS employees - Les MVP ne travaillent pas pour MS ...
    (microsoft.public.mac.office.entourage)
  • Re: Slightly OT: SSL certs - best practice?
    ... Thus, I have created several certificates for Apache SSL hosts plus certificates for mail serving, etc. ... I'll probably get some "officially" signed certs. ... certificates signed by a CA that does not do a "real" verification of the requesting person by which I mean that you probably don't need to go somewhere and show some official ID to prove that you are in fact you. ... using an anon "class 1" root. ...
    (FreeBSD-Security)
  • Re: How to fix broken security in Windows 2000?
    ... mvp) post all this stuff? ... >> involved in importing security certificates. ... > and Microsoft code signing are not proof that Microsoft is writing ... > past two days you have said that certs are missing, ...
    (microsoft.public.win2000.windows_update)