How to re-issue root CA certificate


boon

Feb 5, 2007, 8:50:50 PM
Hi,

During installation of our Windows 2003 Server's certificate authority, we
generated the root certificate with a validity period up to 2086. Is there any way
we can reduce the period or re-issue the root certificate with a shorter period?

Thanks in advance.


Brian Komar

Feb 6, 2007, 12:33:41 AM
In article <uhdisFZS...@TK2MSFTNGP03.phx.gbl>,
bo...@noemail.noemail says...
You can renew the certificate, designating the new
validity period and key length (if required) in the
capolicy.inf file.
See the Best Practices whitepaper for details at
www.microsoft.com/pki

Brian

boon

Feb 6, 2007, 1:09:05 AM
Hi,

I want to shorten the period. Every time I renewed, it increased the period.

Regards

"Brian Komar" <bko...@nospam.identit.ca> wrote in message
news:MPG.2031b3134...@msnews.microsoft.com...

Brian Komar

Feb 6, 2007, 10:09:14 AM
In article <#bp6$VbSHH...@TK2MSFTNGP04.phx.gbl>,
bo...@noemail.noemail says...
Did you read the whitepaper?
The details for a root CA are in the best practices.
Brian

Wayne Anderson

Feb 7, 2007, 1:19:00 AM
There are a few resources you may want to look at for your situation:

Some scripts to automate configurations on your PKI server setup, including
validity length.
http://technet2.microsoft.com/WindowsServer/en/library/091cda67-79ec-481d-8a96-03e0be7374ed1033.mspx?mfr=true

Also, from the documentation at
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx:

1. If required, specify a new key size in CAPolicy.inf.

2. Renew the CA certificate. (See the procedure in the product documentation.)

3. Publish the new CA certificate to:

• The Active Directory Trusted Certification Authorities store

• The Web server AIA publishing point

• The Trusted Root Certification Authorities local store on each of the
Intermediate CAs

See Publishing the Offline Root CA.

4. Issue a new CRL from the root CA and publish it to the Web server CDP
publishing point.

5. If you have not updated your intermediate CAs to Windows Server 2003
Service Pack 1, you need to publish the root CA CRLs to the local certificate
store of the intermediate CA(s). See Publishing CRLs of the Root CA to the
Offline Intermediate CAs.

Using the two together, you essentially configure the length and then go through the
renewal process.

--
Wayne Anderson

http://blog.avanadeadvisor.com/blogs/waynea/
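The procedure above, worked through as an added example that is not part of any post in this thread or of the Microsoft documentation it links. It assumes PowerShell is installed on the Windows Server 2003 root CA, that it runs in an elevated prompt on the CA itself, and that the validity and CRL periods in CAPolicy.inf are placeholders to adjust to your own policy. The key point it demonstrates is the one Brian makes: for a root CA the lifetime of the renewed CA certificate is read from RenewalValidityPeriod/RenewalValidityPeriodUnits in %SystemRoot%\CAPolicy.inf at renewal time, so without that file each renewal keeps (or extends) the old lifetime; the last two commands show the separate registry setting that governs the lifetime of certificates the CA issues, which is a different thing from the root's own lifetime.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell session
# on the root CA; periods and key length below are placeholders.

# 1. Write the renewal settings to %SystemRoot%\CAPolicy.inf BEFORE renewing.
#    A single-quoted here-string keeps "$Windows NT$" literal.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
CRLPeriod=Weeks
CRLPeriodUnits=26
LoadDefaultTemplates=0
'@
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $caPolicy -Encoding ASCII

# 2. Renew the CA certificate. ReuseKeys keeps the existing key pair so that
#    certificates already issued still chain to the same public key; omit it
#    to generate a new key pair (then RenewalKeyLength takes effect).
certutil -renewCert ReuseKeys
Restart-Service CertSvc

# 3. Verify that the CURRENT CA certificate now carries the shorter lifetime.
#    The CA keeps every generation of its certificate; -ca.cert exports the
#    current one.
$exported = Join-Path $env:TEMP "rootca-renewed.cer"
certutil -ca.cert $exported | Out-Null
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $exported
"Renewed CA certificate: subject={0} notAfter={1}" -f $cert.Subject, $cert.NotAfter

# 4. Issue a fresh CRL signed under the renewed certificate, then publish the
#    new CA certificate and CRL to the AIA/CDP locations and the AD trusted
#    root store as in steps 3-5 above.
certutil -crl

# Not the root's own lifetime: these two registry values cap the validity of
# certificates this CA ISSUES. If "shortening the period" meant end-entity
# certificates, this is the setting to change (e.g. certutil -setreg).
certutil -getreg CA\ValidityPeriod
certutil -getreg CA\ValidityPeriodUnits
```

After the renewal, check the NotAfter printed in step 3 before re-publishing anything: if it still shows the old date, CAPolicy.inf was not in %SystemRoot% or was not readable at renewal time, and the renewal has to be repeated. Keep the previous CA certificate generations in place, since CRLs and certificates issued under them remain valid until those certificates expire or are revoked.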

Wayne Anderson

Feb 7, 2007, 1:23:00 AM
My apologies; the sample scripts link is on the page I linked in the
previous post. Scroll down near the bottom of the content window to the link
entitled "Sample Script to configure CorporateRootCA".