Re: renew CA certificate

• Previous message: Paul Adare: "Re: IIS 6 behavior on checking clients' certificates (again)"
• In reply to: Carma Trepp: "renew CA certificate"
• Next in thread: Carma Trepp: "Re: renew CA certificate"
• Reply: Carma Trepp: "Re: renew CA certificate"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 19 Sep 2005 09:24:16 -0500

In article <eIOUj3RvFHA.3932@TK2MSFTNGP15.phx.gbl>,
only_n_groups_account_but_works@yahoo.de says...
> Hi all
>
> When I renew the CA certificate, I can`t specify the period of validity.
> How can I do that?
>
> Thanks.
>
It depends on whether the CA is a root CA or a subordinate CA.
If it is a root CA.

1) Create or edit %windir%\capolicy.inf
2) Add the following content, for example, to renew with a 10 year
validity period and a 2k key

[Version]
Signature="$Windows NT$"

[certsrv_server]
renewalkeylength=2048
RenewalValidityPeriodUnits=10
RenewalValidityPeriod=years

** There are many other entries that are required for a nt to you I am
just focusing on the lines pertinent to your question

3) Renew the certificate

If it is a subordinate CA certificate, then you must configure the
parent CA to define the subordinate CA's validity period. Note that you
can only issue a certificate with a validity period less than the
remaining validity period of the parent CA. To set the validity period
for a subordinate CA, add the following lines to a batch file and run.
This example sets the lifetime to 5 years.

::Set Validity Period for Issued Certificates
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"

HTH,
Brian

• Previous message: Paul Adare: "Re: IIS 6 behavior on checking clients' certificates (again)"
• In reply to: Carma Trepp: "renew CA certificate"
• Next in thread: Carma Trepp: "Re: renew CA certificate"
• Reply: Carma Trepp: "Re: renew CA certificate"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]