Re: Extend Root CA cert lifetime
- From: "Brian Komar" <brian.komar@xxxxxxxxxxxxxxxxx>
- Date: Thu, 31 Jan 2008 11:33:29 -0600
You can extend it by defining the renewal validity period in the capolicy.inf
There is a best practices whitepaper available at www.microsoft.com/pki
This is also covered in my PKI book (referenced on the same page)
Brian
"tman" <tony.barrett@xxxxxxxxxx> wrote in message news:4FB21733-5E8B-44EA-97D3-E3F321CA520A@xxxxxxxxxxxxxxxx
We have a local root CA that has a lifetime on its issuing certificate that runs up until mid 2010. The cert lifetime is currently 5 years. Our subordinate issuing CA issues most of the certs onsite, but that can only issue certs up to the lifetime of the root CA. Although this works in most instances ok, I now realise as we're only issuing internally, a much longer lifetime on the root CA (and subsequently the sub CA) would have been better. I'd like to extend the lifetime of the main root CA to 15 years, and the sub CA to 10 years without causing any interruption to the cert issuing process.
Although I know how to renew the issuing CA certificates, I can't see a way to extend the lifetime, so when I next renew the root CA cert, it will be valid for 15 years and not 5. I'd like to do this by renewing (and not re-requesting) root certs as well (and keep the same key-pair).
Both CA's run Win2k3 Enterprise.
Is this possible, and if so, could someone explain (or point me in the direction of a document which does) how to do this.
TIA
.
- Prev by Date: SAMR named pipe
- Next by Date: AD CS 2008 - issuing IPSEC certs from a stand-alone CA:
- Previous by thread: SAMR named pipe
- Next by thread: AD CS 2008 - issuing IPSEC certs from a stand-alone CA:
- Index(es):
Relevant Pages
|
