|
Posted by Brian Komar on February 1, 2008, 11:48 am
Please log in for more thread options There is a bug in Server 2003 regarding the capolicy.inf
1) Renew the first time with a new key pair
2) Renew a second time with the second key pair
The second time will be the charm, and recognize the 15 year setting
Make sure you perform the renewal in the Certification Authority console.
Brian
> Thanks for the pointers Brian
>
> I've located the capolicy.inf file on the root ca, and modified the
> renewalvalidityperiodunits value from 5 to 15. I renewed the root CA
> certificate, but the lifetime is still the same! If I look at the root CA
> template, this is set to 5 years (and not modifiable). I also noted this
> is true of the Subordinate Certification Authority template (5 years, not
> modifiable). For some reason, I couldn't find a capolicy.inf file on the
> sub CA (even though an MS document I found suggested subordinate (or
> intermediate) CA's should also have one (albeit in a slightly different
> format)
>
> This might be a different problem, but I tried renewing the root CA cert
> in the Personal store of the root CA (local computer) host as a means of
> extending the root CA lifetime after I made the change to capolicy.inf,
> but got the following error;
>
> 'You do not have permission to request a certificate based on the selected
> certificate template'
>
> All other cert issuing policies seem to work fine.
>
> There's a lot of information in the link you provided, which I am looking
> through, but in my particular situation, I'm just looking to resolve this
> issue at the moment.
>
> Thanks
>
> I think I'm heading in the right direction
>> You can extend it by defining the renewal validity period in the
>> capolicy.inf
>> There is a best practices whitepaper available at www.microsoft.com/pki
>> This is also covered in my PKI book (referenced on the same page)
>> Brian
>>
>>> We have a local root CA that has a lifetime on its issuing certificate
>>> that runs up until mid 2010. The cert lifetime is currently 5 years. Our
>>> subordinate issuing CA issues most of the certs onsite, but that can
>>> only issue certs up to the lifetime of the root CA. Although this works
>>> in most instances ok, I now realise as we're only issuing internally, a
>>> much longer lifetime on the root CA (and subsequently the sub CA) would
>>> have been better. I'd like to extend the lifetime of the main root CA to
>>> 15 years, and the sub CA to 10 years without causing any interruption to
>>> the cert issuing process.
>>>
>>> Although I know how to renew the issuing CA certificates, I can't see a
>>> way to extend the lifetime, so when I next renew the root CA cert, it
>>> will be valid for 15 years and not 5. I'd like to do this by renewing
>>> (and not re-requesting) root certs as well (and keep the same key-pair).
>>>
>>> Both CA's run Win2k3 Enterprise.
>>>
>>> Is this possible, and if so, could someone explain (or point me in the
>>> direction of a document which does) how to do this.
>>>
>>> TIA
>>
>
| 
XML Sitemap