Posted by tman on January 31, 2008, 12:31 pm
We have a local root CA that has a lifetime on its issuing certificate that
runs up until mid 2010. The cert lifetime is currently 5 years. Our
subordinate issuing CA issues most of the certs onsite, but that can only
issue certs up to the lifetime of the root CA. Although this works in most
instances OK, I now realise, as we're only issuing internally, a much longer
lifetime on the root CA (and subsequently the sub CA) would have been
better. I'd like to extend the lifetime of the main root CA to 15 years, and
the sub CA to 10 years, without causing any interruption to the cert issuing
process.
Although I know how to renew the issuing CA certificates, I can't see a way
to extend the lifetime, so when I next renew the root CA cert, it will be
valid for 15 years and not 5. I'd like to do this by renewing (and not
re-requesting) root certs as well (and keeping the same key pair).
Both CAs run Win2k3 Enterprise.
Is this possible, and if so, could someone explain (or point me in the
direction of a document which does) how to do this?
TIA
Posted by Brian Komar on January 31, 2008, 12:33 pm
You can extend it by defining the renewal validity period in the
capolicy.inf.
There is a best practices whitepaper available at www.microsoft.com/pki.
This is also covered in my PKI book (referenced on the same page).
Brian
Posted by tman on February 1, 2008, 11:38 am
Thanks for the pointers, Brian.
I've located the capolicy.inf file on the root CA and modified the
renewalvalidityperiodunits value from 5 to 15. I renewed the root CA
certificate, but the lifetime is still the same! If I look at the root CA
template, this is set to 5 years (and not modifiable). I also noted this is
true of the Subordinate Certification Authority template (5 years, not
modifiable). For some reason, I couldn't find a capolicy.inf file on the sub
CA (even though an MS document I found suggested subordinate (or
intermediate) CAs should also have one, albeit in a slightly different
format).
This might be a different problem, but I tried renewing the root CA cert in
the Personal store of the root CA (local computer) host as a means of
extending the root CA lifetime after I made the change to capolicy.inf, but
got the following error:
'You do not have permission to request a certificate based on the selected
certificate template'
All other cert issuing policies seem to work fine.
There's a lot of information in the link you provided, which I am looking
through, but in my particular situation I'm just looking to resolve this
issue at the moment.
Thanks.
I think I'm heading in the right direction.
Posted by Brian Komar on February 1, 2008, 11:48 am
There is a bug in Server 2003 regarding the capolicy.inf:
1) Renew the first time with a new key pair.
2) Renew a second time with the second key pair.
The second time will be the charm, and it will recognize the 15-year setting.
Make sure you perform the renewal in the Certification Authority console.
Brian
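A root CA CAPolicy.inf of the kind the thread is describing, written here as an added example rather than a file taken from the thread or from Microsoft; the 15-year value is the one asked for above, and the key length is an assumed value:

```ini
[Version]
Signature="$Windows NT$"

[certsrv_server]
; Lifetime of the root CA's OWN certificate at the next renewal.
; The thread's original file still carried 5 here, which is why each
; renewal kept producing a 5-year root certificate; 15 is the target
; lifetime requested above.  This section is read by a root CA only;
; it does not control how long a subordinate CA's certificate lasts.
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=15

; Key size used when the renewal generates a NEW key pair, which is
; what the Server 2003 double-renewal workaround in the reply above
; calls for.  2048 is an assumed value, not one given in the thread.
RenewalKeyLength=2048
```

The file must sit in %SystemRoot%\CAPolicy.inf on the root CA host before the renewal is started from the Certification Authority console. For the 10-year subordinate CA, the limit comes from the root CA's own issuance settings (certutil -setreg CA\ValidityPeriod Years and certutil -setreg CA\ValidityPeriodUnits 10, followed by a restart of certsvc), not from a CAPolicy.inf on the sub CA.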