
web server certificate valid for longer than 2 years


Liran
Jan 3, 2009, 5:07:01 AM
Hi,
I've got a testing infrastructure & I need to create a web certificate that
is valid for more than the default 2 years ...
I've got a windows 2003 enterprise edition server, and I created a new
certificate template based upon the web server template and configured it to
be valid for 5 years - however when I request a new certificate via the web
console the certificate is generated with a validity period of only 2 years
... what am I doing wrong ? :)
thanks
Liran

Brian Komar (MVP)
Jan 3, 2009, 9:39:15 AM
At the CA, you need to configure two registry settings: ValidityPeriod and
ValidityPeriodUnits from their default value of 2 Years.
These settings act like a governor setting a maximum validity period for
certificates issued by the CA.

To set it to five years, run the following:
certutil -setreg ca\ValidityPeriod = "Years"
certutil -setreg ca\ValidityPeriodUnits = 5
net stop certsvc && net start certsvc

Brian

"Liran" <Li...@discussions.microsoft.com> wrote in message
news:F70493DE-DCB5-4781...@microsoft.com...

Liran
Jan 3, 2009, 10:10:16 AM
Hi Brian.
I tried your suggestion and the command line actually has to contain both
parameters at once:
certutil -setreg ca\ValidityPeriod="Years" ca\ValidityPeriodUnits=5

the only problem I have is that it didn't work :(
the certificates still have a 2 year validity period, although they are
created from a template which has a 5 year validity period, and the CA itself
is valid for 20 years ...
I've tried rebooting & re-creating the template, but it didn't work.

any suggestions ?

Liran

Paul Adare
Jan 3, 2009, 10:21:30 AM
On Sat, 3 Jan 2009 07:10:16 -0800, Liran wrote:

> I tried your suggestion and the command line actually has to contain both
> parameters at once:
> certutil -setreg ca\ValidityPeriod="Years" ca\ValidityPeriodUnits=5

Actually, no it does not. It is perfectly acceptable to run them as Brian
posted. If you copied and pasted the commands from Brian's post and got an
error that's likely because your news reader converted the double quotes to
curly quotes which won't work.

>
> the only problem I have is that it didn't work :(
> the certificates still have a 2 year validity period, although they are
> created from a template which has a 5 year validity period, and the CA itself
> is valid for 20 years ...
> I've tried rebooting & re-creating the template, but it didn't work.

What's the lifetime remaining on the CA certificate itself?


--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca

Brian Komar (MVP)
Jan 3, 2009, 2:06:06 PM
Did you also restart certificate services after you set the registry entries?
This is required for the settings to stick.
Brian

"Liran" <Li...@discussions.microsoft.com> wrote in message
news:03A5D079-8CBB-4066...@microsoft.com...

Vishal Agarwal
Jan 4, 2009, 11:22:54 PM
You can change the setting on the CA by running following command lines:

certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg ca\ValidityPeriodUnits "5"

and then restart the CA.

After this the CA should issue certificates (the validity period would be the
minimum of (certificate template settings, above registry settings, CA's own
certificate validity period)).

"Liran" <Li...@discussions.microsoft.com> wrote in message
news:F70493DE-DCB5-4781...@microsoft.com...
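The rule Vishal states, that the CA issues the minimum of the template validity, the ca\ValidityPeriod registry cap and the remaining lifetime of the CA's own certificate, is what explains Liran's 2-year certificates. The following Python model is an added example, not code from this thread or from Microsoft; it assumes approximate day counts for the Months/Years units, constructed CA certificate dates (a CA certificate issued in 2008 for 20 years, as in the thread), and a hypothetical function name `issued_cert_lifetime`. It reports which of the three bounds actually limited the issued certificate, which is the first thing to check when a template's validity is not honoured.

```python
from datetime import datetime, timedelta

# Unit names accepted by the ca\ValidityPeriod registry value; the day counts
# for Months and Years are approximations (assumption), which is fine for
# working out which bound wins.
UNIT_DAYS = {"Hours": 1 / 24, "Days": 1, "Weeks": 7, "Months": 30, "Years": 365}


def registry_cap(validity_period: str, validity_period_units: int) -> timedelta:
    """Turn ca\\ValidityPeriod + ca\\ValidityPeriodUnits into a timedelta cap."""
    if validity_period not in UNIT_DAYS:
        raise ValueError(f"unsupported ValidityPeriod {validity_period!r}")
    if validity_period_units <= 0:
        raise ValueError("ValidityPeriodUnits must be a positive integer")
    return timedelta(days=UNIT_DAYS[validity_period] * validity_period_units)


def issued_cert_lifetime(template_days, validity_period, validity_period_units,
                         ca_not_after, issued_at):
    """Model of how the CA bounds an issued certificate's validity.

    Returns (lifetime_in_days, name_of_the_bound_that_won).  The issued
    lifetime is the minimum of the template validity, the CA registry cap and
    the time left on the CA's own certificate (a CA never issues a certificate
    that outlives itself).  Dates are ISO-8601 strings.  On a tie the
    first-listed bound (the template) is reported.
    """
    remaining = datetime.fromisoformat(ca_not_after) - datetime.fromisoformat(issued_at)
    if remaining <= timedelta(0):
        raise ValueError("CA certificate has already expired; it cannot issue")
    bounds = {
        "template": timedelta(days=template_days),
        "registry cap": registry_cap(validity_period, validity_period_units),
        "CA certificate remaining lifetime": remaining,
    }
    winner = min(bounds, key=bounds.get)
    return bounds[winner].days, winner


if __name__ == "__main__":
    # Constructed scenarios: a 5-year web server template on a CA whose own
    # certificate has about 19 years left at issue time.
    for label, period, units in (("default cap", "Years", 2), ("cap raised", "Years", 5)):
        days, why = issued_cert_lifetime(5 * 365, period, units,
                                         "2028-01-03T00:00:00", "2009-01-03T00:00:00")
        print(f"{label}: issued for {days} days, limited by {why}")
    # Same settings, but the CA certificate itself has only one year left.
    days, why = issued_cert_lifetime(5 * 365, "Years", 5,
                                     "2010-01-03T00:00:00", "2009-01-03T00:00:00")
    print(f"CA near expiry: issued for {days} days, limited by {why}")
```

With the default registry values the model reports 730 days limited by the registry cap (Liran's symptom); after raising the cap to 5 years it reports 1825 days limited by the template; and with a CA certificate that has only a year left, the CA's own lifetime wins, which is why Paul asked how long the CA certificate has remaining.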
