Friday, August 27, 2010

How to Create Certificates with a Longer Validity Period

So, you have your own Windows Certificate of Authority (CA) server and you want to create some new certificates that are valid longer than the default certificate templates.  You duplicate the User Certificate, and set the validity period to 5 years.  You issue a new user certificate using the new template and discover that the certificate expires two years from today.  What's up with that?

The validity period of any certificate generated by a Windows CA is the lesser of these three values:
  • The remaining lifetime of the root CA server 
  • The value specified in the certificate template
  • The value specified in the CA server registry (default is 2 years)
So even if you set the certificate template validity period to 10 years, certificates issued using this template will be valid for a maximum of two years with the CA's default settings.

Increasing the CA Lifetime
Most root CAs are typically valid for 5 years. To increase the lifetime of the root CA, create or edit a text file in %SYSTEMROOT% called CAPolicy.inf with the following text:
[Version]
Signature=”$Windows NT$”


[certsrv_server]
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
Adjust the values above as needed, save the file, and restart the CertSrv service. Then renew the CA Certificate using the same public and private key pair.

Warning: If you generate a new public and private key pair you will need to reissue all your old certificates, so don't do it unless that is your intent.

Setting the Maximum Validity Period in the Registry
The default certificate validity period configured in the CA's registry is 2 years. To view the current registry value, run the following commands from a CMD prompt on the CA:
certutil -getreg ca\ValidityPeriod
certutil -getreg ca\ValidityPeriodUnits
To configure the registry value to 5 years, run the following command from a CMD prompt on the CA:
certutil -setreg ca\ValidityPeriodUnits 5
Adjust the value above, as needed. Then restart the CertSvc service to affect the changes. 12:43 PM