Reduce Root CA Certificate Lifespan

  • Wednesday, October 03, 2012 3:25 PM

    Try as I might, I cannot solve this.

    Root CA: Windows Server 2008 R2 Standard (this is my test set-up)

    Expires 2032

    I want to shorten its life to being only 5 years, e.g. expires 2017.

    Reason – year 2038 bug in production environment; the production environment Root CA runs until 2107 and a 3rd party box will not accept the cert.

    Read various MS articles and posts on here about using CAPolicy.inf.

    My CApolicy.inf looks like this (located in C:\windows)

    [Version]
    Signature="$Windows NT$"

    [certsrv_server]
    renewalkeylength=2048
    RenewalValidityPeriodUnits=10
    RenewalValidityPeriod=years

    But every time I renew the root CA cert it just renews with 20 years?

    Where am I going wrong?

    Have reviewed

    http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/0d5bcb76-3a04-4bcf-b317-cc65516e984c

    Plus various others relating to Windows 2008 R2, but no success?

    Any help greatly appreciated

All Replies

  • Thursday, October 04, 2012 5:29 AM
    Moderator

    Hi,

    Does your capolicy.inf look like this?

    [Version]
    Signature="$Windows NT$"

    [certsrv_server]
    renewalkeylength=2048
    RenewalValidityPeriodUnits=5
    RenewalValidityPeriod=years

    For more details, please also refer to the below similar thread:

    Change Enterprise CA Trusted Root Cert lifespan?

    http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/17e5edcf-7c97-4e03-b208-a027a7654630

    Regards,

    Yan Li

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

  • Tuesday, October 09, 2012 1:58 PM

    Hi Yan Li

    Thanks for your reply; indeed my Capolicy.inf looks exactly like that. I have just spun up a new test environment, with a DC with the cert service on, to get to the bottom of this.

    However, here is what I have found (which is not clearly detailed on any of the blogs/links I have looked at, including the one you mention):

    If your certificate life is 5 years, you cannot shorten it using capolicy.inf

    So – if my current root CA cert expires 2017 as it has a 5-year life, and I set capolicy.inf to 2 years, it will stay at 2017 on the renewal.

    If I change capolicy.inf to 10 years, my renewal expiry becomes 2022

    If I change capolicy.inf back to 5 years, the renewal expiry STAYS at 2022, not 2017

    This is a total PITA. I need to shorten the Root CA certificate from 100 years down to about 20, in order to get a piece of kit playing ball.

    I could deploy a subordinate CA, but that’s overkill – there has to be a better answer (obviously the other vendor could sort their kit, but they have already said that is not going to happen)

    Why can I not shorten the certificate life???

    Any help greatly appreciated

  • Wednesday, October 10, 2012 2:29 AM
    Moderator

    Hi,

    Have you run:

    certutil -setreg ca\ValidityPeriodUnits 5
    certutil -setreg CA\ValidityPeriod "Years"
    net stop certsvc && net start certsvc

    Please go through the thread in my last post; in addition, please also refer to the below link:

    How to change root certificate key's length and validity period

    http://social.technet.microsoft.com/forums/en-us/winserversecurity/thread/CE001D8F-C722-4429-83CB-328B92876292

    Regards,

    Yan Li

    TechNet Subscriber Support


  • Thursday, October 11, 2012 12:34 PM
     Answered

    Hi Yan

    I think you may be incorrect on this occasion

    I have read both of those posts and those commands only relate to the certificates that the CA issues, not to the Root CA certificate – maybe you can confirm after reviewing them again – failing this I will have to either open a PSS call or deploy a subordinate?

    So again there does not appear to be a way of reducing the Root CA lifetime length?

    From user ‘Alternate’ and one other on those threads:

    >certutil -setreg CA\ValidityPeriodUnits 10

    >certutil -setreg CA\ValidityPeriod "Years"

    >This is not required as it only affects certs that the CA issues (that is, SubCA certs), not the lifetime of renewals for the root CA cert.

    CA service must be restarted on the Root CA or you will have 1 year (by default) certificates.

    mmm, am I up the creek without a paddle..........

    • Marked As Answer by andrew_mcse Wednesday, October 24, 2012 1:51 PM
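    As an added example (not code from this thread, from Microsoft, or from any of the linked posts), the following PowerShell check, run on the CA server, reads the CA's current certificate and CAPolicy.inf and predicts the renewal expiry. It takes the behaviour reported in the 9 October and 11 October posts as an assumption: the renewal's NotAfter never moves earlier than the current certificate's NotAfter, and the CA\ValidityPeriod registry values only govern issued certificates, so they are deliberately not consulted. Function names and the temporary file path are my own.

```powershell
# Added example: predict a Windows root CA renewal expiry from CAPolicy.inf.
# Assumption (observed in this thread, not documented): renewal keeps the later
# of "now + requested validity" and the current certificate's NotAfter.
param(
    [string]$CaPolicyPath = (Join-Path $env:windir 'CAPolicy.inf')
)

function Get-RenewalValidity([string]$Path) {
    # Minimal parser for the two [certsrv_server] keys discussed in the thread.
    $units = 0; $period = 'Years'
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*RenewalValidityPeriodUnits\s*=\s*(\d+)') { $units = [int]$Matches[1] }
        elseif ($line -match '^\s*RenewalValidityPeriod\s*=\s*(\w+)') { $period = $Matches[1] }
    }
    [pscustomobject]@{ Units = $units; Period = $period }
}

function Get-PredictedRenewalExpiry([datetime]$CurrentNotAfter, [int]$Units, [string]$Period) {
    $now = Get-Date
    $requested = switch ($Period) {           # switch is case-insensitive
        'years'  { $now.AddYears($Units) }
        'months' { $now.AddMonths($Units) }
        'weeks'  { $now.AddDays(7 * $Units) }
        'days'   { $now.AddDays($Units) }
        default  { throw "Unsupported RenewalValidityPeriod '$Period'" }
    }
    # Shortening is ignored: the existing NotAfter wins when it is later.
    if ($requested -gt $CurrentNotAfter) { $requested } else { $CurrentNotAfter }
}

# Export the CA's current certificate with certutil and load it via .NET.
$cerFile = Join-Path $env:TEMP 'current-ca.cer'   # hypothetical scratch path
certutil -ca.cert $cerFile | Out-Null
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerFile

$policy    = Get-RenewalValidity $CaPolicyPath
$predicted = Get-PredictedRenewalExpiry $caCert.NotAfter $policy.Units $policy.Period
$y2038     = [datetime]'2038-01-19T03:14:07Z'     # 32-bit time_t rollover

"Current root CA NotAfter  : {0:u}" -f $caCert.NotAfter
"CAPolicy.inf requests     : {0} {1}" -f $policy.Units, $policy.Period
"Predicted renewal NotAfter: {0:u}" -f $predicted
if ($predicted -gt $y2038) {
    Write-Warning "Renewal would still expire after 19 Jan 2038; CAPolicy.inf cannot shorten it. A subordinate CA with a shorter lifetime is the workaround the thread lands on."
}
```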
  • Friday, October 12, 2012 10:04 AM

    Hi,

    Here is a blog for your reference.

    http://blogs.technet.com/b/csstwplatform/archive/2009/08/24/extending-root-ca-certificate-lifetime.aspx


    Best regards, Jason Mei

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • Friday, October 12, 2012 10:20 AM

    Thanks for your reply; that only relates to increasing, not reducing, the certificate life.

  • Tuesday, October 16, 2012 9:59 AM

    Hi,

    Regarding your question, I will do a test in my lab and will update you soon.


    Best regards, Jason Mei

  • Tuesday, October 16, 2012 10:10 AM

    Thanks, I look forward to your insight; I am still scratching my head on this one..

  • Wednesday, October 17, 2012 9:55 AM
     Proposed Answer

    Hi,

    According to my test results, it seems we cannot reduce the root CA lifetime; we can only extend it. This is because we have issued more certs before reducing its lifetime, so the issued certs may have a longer lifetime than the CA after reducing the CA lifetime.


    Best regards, Jason Mei

    • Proposed As Answer by Jason Mei Wednesday, October 24, 2012 9:18 AM
  • Wednesday, December 05, 2012 7:39 PM

    Yeah, I have the same problem, and it looks like you can't shorten the validity, just extend. Guess it kinda makes sense though.

    Daniel

  • Thursday, December 06, 2012 12:15 PM

    Yep, it's a real pain. It does make sense, but you should at least get the option to control your own environment. The only option is to deploy a subordinate CA and use this as your root CA, or in fact it's an intermediate. It saves you having to rip out your whole environment, and with the benefit of virtualisation, or maybe another server that can run the service for you, it's not too much of an overhead. In some ways this is best practice because then you can turn off your Root CA to protect it and just have the intermediate issuing certs. However, my life would have been a lot easier with the ability to just reduce that cert lifespan; you live and learn :-)