I have an offline root CA (server is Win2003 Std in a workgroup)
The root cert expires in 2025
I have 2 Sub CAs in Active Directory (Servers are Win2003, member servers
in AD)
The sub ca certs expire in 2006
Any certs they issue to computers in AD expire in 2006
How do I increase the validity period for these 2 Sub CAs so the certs they
issue expire in 2008?
thanks
You have to start at the root CA computer and extend the validity period
of the certificates it issues. The default, as you can see, is one year.
For example, to set that the root CA will issue certificates with a
validity period of 10 years, you would run the following commands at the
root CA, and then restart certificate services.
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
Then, you have to renew the subCA certificates. They will now get 10
year certs (expiring in 2015).
Then you have to set the validity periods for certificates issued by the
SubCAs. If you want the max lifetime to be 5 years, you would run
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"
You must also define the certificate template that you are using to have
a validity period of 3 years. This is only possible with version 2
certificate templates and requires that the SubCAs are running Windows
Server 2003, Enterprise Edition.
Finally, as you have seen, the SubCA cannot issue certificates with
validity periods extending beyond its validity period.
For more details see the best practices white paper available at
www.microsoft.com/pki
Brian
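The certutil steps above, collected into one batch script as an added example (not code from the original thread). It records the current registry values before changing them, applies the new period and unit count, restarts Certificate Services so the CA picks up the change, and reads the values back. The script name and its two arguments (unit name, count) are assumptions for illustration; the certutil -getreg/-setreg switches and the certsvc service name are standard on Windows Server 2003.

```batch
@echo off
REM Added example, not from the original thread: set the maximum validity
REM period of certificates issued by this CA and verify the change.
REM Run in an elevated command prompt on the CA itself.
REM Assumed usage:
REM   set-ca-validity.cmd Years 10     (at the offline root CA)
REM   set-ca-validity.cmd Years 5      (at each SubCA)

if "%~2"=="" (
    echo Usage: %~nx0 ^<Years^|Months^|Weeks^|Days^> ^<count^>
    exit /b 1
)

REM 1. Capture the current settings so the change can be reverted.
echo === Current settings ===
certutil -getreg CA\ValidityPeriod
certutil -getreg CA\ValidityPeriodUnits

REM 2. Apply the new maximum lifetime for certificates this CA issues.
certutil -setreg CA\ValidityPeriod "%~1"
if errorlevel 1 exit /b 1
certutil -setreg CA\ValidityPeriodUnits %~2
if errorlevel 1 exit /b 1

REM 3. The CA reads these values at start-up, so restart the service.
net stop certsvc
net start certsvc

REM 4. Confirm the values the running CA now uses.
echo === New settings ===
certutil -getreg CA\ValidityPeriod
certutil -getreg CA\ValidityPeriodUnits
```

These registry values only raise the ceiling at the CA that runs the script; the lifetime of a certificate a SubCA actually issues is still the shortest of the template's validity period, the SubCA's ValidityPeriod setting, and the time left on the SubCA's own certificate. That is why, after running the script at the root, the SubCA certificates must be renewed before the longer lifetimes show up on end-entity certificates.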