Error Constructing or Publishing Certificate

    Question

  • Hi,

    I wanted to issue a user certificate from the CA and got an error:

    Error Constructing or Publishing Certificate The certificate validity period will be shorter than the User Certificate Template specifies, because the template validity period is longer than the maximum certificate validity period allowed by the CA. Consider renewing the CA certificate, reducing the template validity period, or increasing the registry validity period

    We use an online ent CA. How can this issue be solved? Will it help if I change "ValidityPeriodUnits" in the registry?

    thanks
    aurimas


    Monday, May 9, 2011 12:06

Answers

All replies

  • Please show us the output of the following commands:

    certutil -getreg ca\validityperiodunits
    certutil -getreg ca\validityperiod

    And what is validity period of the certificate template?


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Monday, May 9, 2011 12:14
  • ValidityPeriodUnits REG_DWORD = 2
    CertUtil: -getreg command completed successfully.

    ValidityPeriod REG_SZ = Years
    CertUtil: -getreg command completed successfully.

    Validity period of the certificate template is 1 year. But on "Enterprise PKI" I see CA Certificate expiration date 2012.02.01, so it is less than 1 year, maybe that's why I got this error.

    Is there any way to change the expiration date?

    thanks
    aurimas

    Monday, May 9, 2011 13:42
  • Yes, that is why you got the error.  Three things determine the validity period of an issued certificate:

    1. The validity period of the CA's certificate

    2. The ValidityPeriodUnits and ValidityPeriod reg keys

    3. The template itself

    If the CA certificate is due to expire next month, then no certificates can be issued that are valid longer than one month.  So, in your case your CA's certificate expires in less than one year, so no certificate can be issued with a validity period greater than 2012.02.01.

    In order to resolve this, you need to renew the CA's certificate:

    Creating a Certificate Renewal Strategy
    http://technet.microsoft.com/en-us/library/cc772847(WS.10).aspx

    Renew a subordinate certification authority
    http://technet.microsoft.com/en-us/library/cc776691(WS.10).aspx
    Thanks!
    Monday, May 9, 2011 15:02
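
The rule from the reply above (an issued certificate ends at the earliest of the CA certificate expiry, the registry limit and the template period), worked through with the values quoted in this thread. This is an added example, not part of the original thread or any Microsoft tool: the function names are hypothetical, the issuance time and the midnight expiry time are constructed, and only the Days/Weeks/Months/Years units are handled.

```python
import calendar
import re
from datetime import datetime, timedelta

# Constructed sample: the certutil -getreg output quoted in the thread.
GETREG_OUTPUT = """ValidityPeriodUnits REG_DWORD = 2
CertUtil: -getreg command completed successfully.

ValidityPeriod REG_SZ = Years
CertUtil: -getreg command completed successfully.
"""

def parse_getreg(text):
    """Return (units, period) parsed from the two certutil -getreg results."""
    units = re.search(r"^\s*ValidityPeriodUnits\s+REG_DWORD\s*=\s*(\d+)", text, re.M)
    period = re.search(r"^\s*ValidityPeriod\s+REG_SZ\s*=\s*(\w+)", text, re.M)
    if not units or not period:
        raise ValueError("ValidityPeriodUnits/ValidityPeriod not found")
    return int(units.group(1)), period.group(1).capitalize()

def add_period(start, units, period):
    """Calendar-aware start + units*period; Days/Weeks/Months/Years only."""
    if period in ("Days", "Weeks"):
        return start + timedelta(days=units * (7 if period == "Weeks" else 1))
    months = units * {"Years": 12, "Months": 1}[period]
    years, month0 = divmod(start.month - 1 + months, 12)
    year, month = start.year + years, month0 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])  # clamp Feb 29 etc.
    return start.replace(year=year, month=month, day=day)

def effective_not_after(issued_at, ca_not_after, registry, template):
    """Return (not_after, limiting_factor, shorter_than_template)."""
    limits = {
        "CA certificate expiry": ca_not_after,
        "CA registry ValidityPeriod": add_period(issued_at, *registry),
        "certificate template": add_period(issued_at, *template),
    }
    factor = min(limits, key=limits.get)  # earliest end date wins
    return limits[factor], factor, limits[factor] < limits["certificate template"]

if __name__ == "__main__":
    issued_at = datetime(2011, 5, 9, 13, 42)  # constructed: time of the post
    ca_expiry = datetime(2012, 2, 1)          # date from the thread, midnight assumed
    print(effective_not_after(issued_at, ca_expiry,
                              parse_getreg(GETREG_OUTPUT), (1, "Years")))
```

When the third element of the result is true, the certificate would end before the template's period does, which is the condition the error message in the question describes.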