Click here to get back home

Extend certificate validity time on Windows Standard CA

 HomeNewsGroups | Search
Login Password
Register Now! Lost Password?
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Extend certificate validity time on Windows Standard CA tashi 11-14-2008
Posted by tashi on November 14, 2008, 4:08 am
Please log in for more thread options
Hi all

Since Windows 2003 Standard CA does not support the creation of
Certificate Templates. I would like to ask if its possible to change the
validity time from the issued certificates?

I found a description through the registry, but this does not work for
me: http://support.microsoft.com/?scid=kb%3Ben-us%3B254632&x=7&y=16

Regards
Tashi

Posted by Paul Adare on November 14, 2008, 4:27 am
Please log in for more thread options
On Fri, 14 Nov 2008 10:08:30 +0100, tashi wrote:

> Hi all
>
> Since Windows 2003 Standard CA does not support the creation of
> Certificate Templates. I would like to ask if its possible to change the
> validity time from the issued certificates?
>
> I found a description through the registry, but this does not work for
> me: http://support.microsoft.com/?scid=kb%3Ben-us%3B254632&x=7&y=16
>

The validity of a certificate will be the lowest of the following values:

1. The lifetime remaining for the issuing CA's certificate.
2. The value in the certificate template (not applicable in your case).
3. The registry entries described in the KB article you posted.

Either the lifetime remaining in the issuing CA's certificate is less than
the desired lifetime for certificates you want to issue or you've made a
mistake with the registry entries.

On your CA, run the following two commands and then post the output:

certutil -getreg ca\validityperiod
certutil -getreg ca\validityperiodunits
--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca

Posted by tashi on November 14, 2008, 5:53 am
Please log in for more thread options
Paul Adare schrieb:

> The validity of a certificate will be the lowest of the following values:
>
> 1. The lifetime remaining for the issuing CA's certificate.
> 2. The value in the certificate template (not applicable in your case).
> 3. The registry entries described in the KB article you posted.
>
> Either the lifetime remaining in the issuing CA's certificate is less than
> the desired lifetime for certificates you want to issue or you've made a
> mistake with the registry entries.
>
> On your CA, run the following two commands and then post the output:
>
> certutil -getreg ca\validityperiod
> certutil -getreg ca\validityperiodunits

Hi Paul

Here is the Output from the certutil:

----------
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CIRRUSCA\ValidityPeriod:

ValidityPeriod REG_SZ = Years
CertUtil: -getreg command completed successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CIRRUSCA\ValidityPeriodUnits:

ValidityPeriodUnits REG_DWORD = 4
CertUtil: -getreg command completed successfully.
----------

The CA Certificate is valid for 10 Years. I upload a screenshot from the
CA Certificate.

http://img357.imageshack.us/my.php?image=screenhunter29rp3.jpg

When I submit a certificate request I get certificates with only 2 years
validity.

http://img375.imageshack.us/my.php?image=screenhunter30sn0.jpg

Posted by Paul Adare on November 14, 2008, 6:06 am
Please log in for more thread options
On Fri, 14 Nov 2008 11:53:40 +0100, tashi wrote:

> Hi Paul
>
> Here is the Output from the certutil:

How is the certificate request being generated? On the details tab of an
issued certificate, what if anything is listed in the Certificate Template
Information field?

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca

Posted by tashi on November 14, 2008, 7:45 am
Please log in for more thread options
Paul Adare schrieb:
> On Fri, 14 Nov 2008 11:53:40 +0100, tashi wrote:
>
>> Hi Paul
>>
>> Here is the Output from the certutil:
>
> How is the certificate request being generated? On the details tab of an
> issued certificate, what if anything is listed in the Certificate Template
> Information field?
>

The certificate request is generated from a SAP System. The SAP Admin
gave me the request to sign it.
In Details, Certificate Template Name there is the Entry WebServer. This
is the standard Web Server Template. I use the CA Web Service to sumbit
the request.

Similar ThreadsPosted
ca - certificate validity question November 8, 2008, 5:32 am
certificate validity in Certificates MMC snap-in October 4, 2005, 4:27 pm
utility to check certificate validity October 5, 2005, 8:51 am
Windows 2003 Standard Edition & Microsoft.XMLHTTP Question September 30, 2006, 10:25 pm
SCEP - Network Device Enrollment Service on Windows 2008 Standard March 31, 2008, 10:32 am
Could not start the Windows Time Error 1300 June 22, 2005, 10:03 am
Extend Root CA cert lifetime January 31, 2008, 12:31 pm
2k3 standard x64 May 7, 2006, 2:53 pm
How to allow standard user to install an application August 18, 2005, 6:51 am
Issuing of server/client authentication certs from an Ent. CA running on W2k3 Standard Edition May 14, 2007, 2:43 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Driving a better car - Fuelzilla.com

Cabling site for homeowners and pros alike - Cabling-Design.com

Friends:

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap