Resources For IT Professionals
Post an article
Wikis - Page Details
  • First published by (eMV)
  • When: 19 Aug 2013 2:56 PM
  • Last revision by (eMicrosoft Partne)
  • When: 19 Aug 2013 4:13 PM
  • Revisions: 2
  • Comments: 1
Options
RSSSubscribe to Article (RSS)
Can You Improve This Article?
Positively! Click Sign In to add the tip, solution, correction or comment that will help other users.

Report inappropriate content using these instructions.
Wiki  >  TechNet Articles  >  The Validity Period of an Issued Certificate is Shorter than Configured

The Validity Period of an Issued Certificate is Shorter than Configured

The Validity Period of an Issued Certificate is Shorter than Configured

I recently encountered couple of scenarios where one of the issued Certificates in Microsoft PKI infrastructure solution has validity period shorter than the period already configured on the template of this certificate. The main reason of changing and increasing the validity period/years for several specific certificates is to avoid frequent renewal process. 


The scenario I passed by recently was when a user duplicated one of the templates and changed the Validity from the default 2 Years to 4 Years and issued the new Certificate however the issued certificate still reads 2 Years. This can be due to one of two reasons:


  1. The CA certificate period /Remaining Period (CA cannot issue a certificate that is longer than its own CA certificate) is less than the user certificate period. You cannot issue a user certificate which is 10 Years valid if your Root CA is 5 years only.
  2. The default Validity Period that is allowed by CA (defined in CA reg)



To check for the CA Certificate period/Duration, you need to do the following

  1. Open the CA Console
  2. Right Click on the CA - Properties
  3. From the General TAB click View Certificate and check the duration.





If the CA Remaining duration is less than the required user certificate duration then you need to increase the CA value and renew the CA certificate as follows:


  1. Configure CAPolicy.inf that directly controls CA certificate.
  2. Go to C:\Windows Folder, find the file CAPolicy.inf
  3. Change the "RenewalValidityPeriodUnits" value to the appropriate period (10 or 15 Years)
  4. Restart the CA Service
  5. Renew the CA Certificate (Right Click on the CA - All Tasks - Renew CA Certificate)





If the CA Period/Duration is fine and longer than the user certificate need then we need to check the default Validity Period in the CA Registry bu doing the following:


  1. Open Admin CMD on the CA server and type certutil -getreg ca                                                                                                                                                                                    
  2. Check the ValidityPeriodUnits which refers to the maximum period that this CA can issue. You can define this value according to your own requirements, but it won’t exceed the lifetime of CA.
  3. From the Same CMD run certutil -setreg ca\ValidityPeriodUnits 5 (This will increase the validity to 5 years)
  4. Stop and restart CA service.



Now try again to Enroll certificate again from client to check the validity period.


, , , , , , , , [Edit tags]
Leave a Comment
  • Please add 3 and 3 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Comments
  • 19 Aug 2013 4:13 PM

    Naomi  N edited Original. Comment: Minor edit

Page 1 of 1 (1 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Comments
  • Posted by
    on 19 Aug 2013 4:13 PM

    Naomi  N edited Original. Comment: Minor edit

Page 1 of 1 (1 items)