
Extend certificate validity time on Windows Standard CA


tashi

Nov 14, 2008, 4:08:30 AM
Hi all

Since Windows 2003 Standard CA does not support the creation of
certificate templates, I would like to ask if it's possible to change the
validity time of the issued certificates.

I found a description through the registry, but this does not work for
me: http://support.microsoft.com/?scid=kb%3Ben-us%3B254632&x=7&y=16

Regards
Tashi

Paul Adare

Nov 14, 2008, 4:27:30 AM

The validity of a certificate will be the lowest of the following values:

1. The lifetime remaining for the issuing CA's certificate.
2. The value in the certificate template (not applicable in your case).
3. The registry entries described in the KB article you posted.

Either the lifetime remaining in the issuing CA's certificate is less than
the desired lifetime for certificates you want to issue or you've made a
mistake with the registry entries.

On your CA, run the following two commands and then post the output:

certutil -getreg ca\validityperiod
certutil -getreg ca\validityperiodunits
--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca

tashi

Nov 14, 2008, 5:53:40 AM
Paul Adare wrote:

> The validity of a certificate will be the lowest of the following values:
>
> 1. The lifetime remaining for the issuing CA's certificate.
> 2. The value in the certificate template (not applicable in your case).
> 3. The registry entries described in the KB article you posted.
>
> Either the lifetime remaining in the issuing CA's certificate is less than
> the desired lifetime for certificates you want to issue or you've made a
> mistake with the registry entries.
>
> On your CA, run the following two commands and then post the output:
>
> certutil -getreg ca\validityperiod
> certutil -getreg ca\validityperiodunits

Hi Paul

Here is the output from certutil:

----------
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CIRRUSCA\ValidityPeriod:

ValidityPeriod REG_SZ = Years
CertUtil: -getreg command completed successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CIRRUSCA\ValidityPeriodUnits:

ValidityPeriodUnits REG_DWORD = 4
CertUtil: -getreg command completed successfully.
----------

The CA certificate is valid for 10 years. I uploaded a screenshot of the
CA certificate.

http://img357.imageshack.us/my.php?image=screenhunter29rp3.jpg

When I submit a certificate request I get certificates with only 2 years
validity.

http://img375.imageshack.us/my.php?image=screenhunter30sn0.jpg

Paul Adare

Nov 14, 2008, 6:06:20 AM
On Fri, 14 Nov 2008 11:53:40 +0100, tashi wrote:

> Hi Paul
>
> Here is the Output from the certutil:

How is the certificate request being generated? On the details tab of an
issued certificate, what if anything is listed in the Certificate Template
Information field?

tashi

Nov 14, 2008, 7:45:58 AM
Paul Adare wrote:

> On Fri, 14 Nov 2008 11:53:40 +0100, tashi wrote:
>
>> Hi Paul
>>
>> Here is the Output from the certutil:
>
> How is the certificate request being generated? On the details tab of an
> issued certificate, what if anything is listed in the Certificate Template
> Information field?
>

The certificate request is generated by an SAP system. The SAP admin
gave me the request to sign it.
In Details, under Certificate Template Name, there is the entry WebServer.
This is the standard Web Server template. I use the CA web service to submit
the request.

Paul Adare

Nov 14, 2008, 8:39:23 AM
On Fri, 14 Nov 2008 13:45:58 +0100, tashi wrote:

> The certificate request is generated from a SAP System. The SAP Admin
> gave me the request to sign it.
> In Details, Certificate Template Name there is the Entry WebServer. This
> is the standard Web Server Template. I use the CA Web Service to sumbit
> the request.

Try using certreq.exe to submit the request rather than the web page.

Brian Komar

Nov 14, 2008, 2:38:55 PM
Also, make sure that you have restarted Certificate Services after
changing the registry keys.
Finally, you can check the validity period requested by SAP by running
the following command:
certutil -dump request.csr > dump.txt
and then viewing the contents of dump.txt.
Brian


tashi

Nov 17, 2008, 7:42:12 AM
Brian Komar wrote:

I tried certreq -submit -attrib "CertificateTemplate:Webserver"
<filename> but I still get two years validity. I also tried requesting a
certificate over IIS. Same here.
I ran the certutil -dump command, but I can't see any validity time. But the
SAP admin tells me the request is configured for 20 years validity.

I restarted the CA service and even the server, but it does not work. I
also ran the following certutil commands:

certutil -getreg ca\validityperiod
certutil -getreg ca\validityperiodunits

And they show me my correctly configured validity time, as set in the
registry.

Paul Adare

Nov 17, 2008, 8:42:22 AM
On Mon, 17 Nov 2008 13:42:12 +0100, tashi wrote:

> I tried certreq -submit -attrib "CertificateTemplate:Webserver"
> <filename> but I get still two years validity. I also tried requesting a
> certificate over a IIS.

The point with certreq was to not use a template. If you use the Webserver
template you're going to get a 2 year cert no matter what you do, as that is
the lifetime for a Webserver template.
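The rule Paul gives earlier (the issued certificate gets the shortest of the CA's remaining lifetime, the template validity and the registry ValidityPeriod setting) and the diagnosis above (the V1 WebServer template pins the result to 2 years) are illustrated by the following PowerShell example. It is added here and is not code from the thread; the function names Get-EffectiveNotAfter and Get-CaRegistryValidity and the sample dates are assumptions, while the registry key and value names are the ones the certutil output in the thread shows.

```powershell
# Added example, not from the thread: computes the effective expiry of a
# certificate as the earliest of the issuing CA's own NotAfter, the template
# validity (if a template applies) and the registry ValidityPeriod setting.
function Get-EffectiveNotAfter {
    param(
        [Parameter(Mandatory)][datetime]$CaNotAfter,       # issuing CA certificate expiry
        [Parameter(Mandatory)][string]$ValidityPeriod,     # registry: Years, Months, Weeks, Days or Hours
        [Parameter(Mandatory)][int]$ValidityPeriodUnits,   # registry: count of the above
        [int]$TemplateValidityYears = 0,                   # 0 = no template involved
        [datetime]$IssuedAt = (Get-Date)
    )
    $registryEnd = switch ($ValidityPeriod) {
        'Years'  { $IssuedAt.AddYears($ValidityPeriodUnits) }
        'Months' { $IssuedAt.AddMonths($ValidityPeriodUnits) }
        'Weeks'  { $IssuedAt.AddDays(7 * $ValidityPeriodUnits) }
        'Days'   { $IssuedAt.AddDays($ValidityPeriodUnits) }
        'Hours'  { $IssuedAt.AddHours($ValidityPeriodUnits) }
        default  { throw "Unknown ValidityPeriod value '$ValidityPeriod'" }
    }
    $candidates = @($CaNotAfter, $registryEnd)
    if ($TemplateValidityYears -gt 0) {
        $candidates += $IssuedAt.AddYears($TemplateValidityYears)
    }
    # The CA never issues past any of the limits, so the earliest one wins.
    return ($candidates | Sort-Object | Select-Object -First 1)
}

# Reads the same two values the thread checks with 'certutil -getreg'.
# $CaName is the CA's sanitized name (CIRRUSCA in the thread's output).
function Get-CaRegistryValidity {
    param([Parameter(Mandatory)][string]$CaName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
    $p = Get-ItemProperty -Path $key -Name ValidityPeriod, ValidityPeriodUnits
    [pscustomobject]@{ Period = $p.ValidityPeriod; Units = [int]$p.ValidityPeriodUnits }
}

# Constructed values matching the thread: CA certificate good for 10 years,
# registry set to 4 Years, V1 WebServer template fixed at 2 years.
$issued = Get-Date '2008-11-14'
$end = Get-EffectiveNotAfter -CaNotAfter $issued.AddYears(10) -ValidityPeriod 'Years' `
        -ValidityPeriodUnits 4 -TemplateValidityYears 2 -IssuedAt $issued
# The template limit is the earliest of the three, which is why the
# registry change alone never lengthened tashi's certificates.
"Effective NotAfter: $($end.ToString('yyyy-MM-dd'))"
```

Get-CaRegistryValidity only works on the CA host itself; the rest of the block runs anywhere with PowerShell.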

tashi

Nov 17, 2008, 10:12:46 AM
Paul Adare wrote:

> On Mon, 17 Nov 2008 13:42:12 +0100, tashi wrote:
>
>> I tried certreq -submit -attrib "CertificateTemplate:Webserver"
>> <filename> but I get still two years validity. I also tried requesting a
>> certificate over a IIS.
>
> The point with certreq was not use a template. If you use the Webserver
> template you're going to get a 2 year cert no matter what you do as that is
> the lifetime for a Webserver template.
>

If I don't use a template, I get the following error:

"The request contains no certificate template information"

Our CA is an Enterprise CA, not stand-alone. I read in TechNet that an
Enterprise CA needs templates to sign a request.

Paul Adare

Nov 17, 2008, 10:16:45 AM
On Mon, 17 Nov 2008 16:12:46 +0100, tashi wrote:

> Our CA is a Enterprise CA not Stand-alone. I read in the Technet,
> Enterprise CA needs Templates to sign a request.

Ok, then you're either going to have to live with the 2 year certs or
upgrade your CA to Enterprise Edition and then you can use V2 templates and
increase the validity period.

tashi

Nov 17, 2008, 10:55:36 AM
Paul Adare wrote:

> On Mon, 17 Nov 2008 16:12:46 +0100, tashi wrote:
>
>> Our CA is a Enterprise CA not Stand-alone. I read in the Technet,
>> Enterprise CA needs Templates to sign a request.
>
> Ok, then you're either going to have to live with the 2 year certs or
> upgrade your CA to Enterprise Edition and then you can use V2 templates and
> increase the validity period.
>
I see. Thank you Paul for your replies.
Now I'm sure about what works and what doesn't.