The scenario i passed by recently was when a user duplicated one of the templates and changed the Validity from the default 2 Years to 4 Years and issued the new Certificate however the issued certificate still reads 2 Years. This can be due to one of two reasons
- The CA certificate period /Remaining Period (CA cannot issue a certificate that is longer than its own CA certificate) is less than the user certificate period. You cannot issue a user certificate which is 10 Years valid if your Root CA is 5 years only.
- The default Validity Period that is allowed by CA (defined in CA reg)
To check for the CA Certificate period/Duration, you need to do the following
- Open the CA Console
- Right Click on the CA - Properties
- From the General TAB click View Certificate and check the duration.
If the CA Remaining duration is less than the required user certificate duration then you need to increase the CA value and renew the CA certificate as follows:
- Configure CAPolicy.inf that directly controls CA certificate.
- Go to C:\Windows Folder, find the file CAPolicy.inf
- Change the "RenewalValidityPeriodUnits" value to the appropriate period (10 or 15 Years)
- Restart the CA Service
- Renew the CA Certificate (Right Click on the CA - All Tasks - Renew CA Certificate)
If the CA Period/Duration is fine and longer than the user certificate need then we need to check the default Validity Period in the CA Registry by doing the following:
- Open Admin CMD on the CA server and type certutil -getreg ca
- Check the ValidityPeriodUnits which refers to the maximum period that this CA can issue. You can define this value according to your own requirements, but it won’t exceed the lifetime of CA.
- From the Same CMD run certutil -setreg ca\ValidityPeriodUnits 5 (This will increase the validity to 5 years)
- Stop and restart CA service.
Now try again to Enroll certificate again from client to check the validity period.
2 Comments
