Change of validity of the root certificate in MS CA

    Question

  • Good day.

    Microsoft Certificate Authority, Windows Server 2008 R2. The server worked on the SHA-1 hashing algorithm (the old root certificate is valid until 2022). The algorithm was updated to SHA-256. When updating the root certificate, a new root certificate was issued with a validity period up to 2117. This happened despite the fact that the period of 5 years is specified in the CA template and in the CAPolicy.inf file. Any attempt to renew the certificate leads to the fact that the validity of the new root certificate can only be increased, but not reduced. Are there any simple ways to solve the problem?

    If not, please evaluate the following plan:

    1. Just in case we do a snapshot of MS CA.

    2. Set the validity period of the CRL, which will be released on the old root certificate, until 2022 (the number indicated approximately) and release the CRL.

    certutil -setreg CA\CRLPeriodUnits 1000
    certutil -setreg CA\CRLPeriod "Days"
    net stop certsvc
    net start certsvc
    certutil -CRL

    3. With the help of the backup wizard we back up the certificate database.

    4. Remove the role of the Certification Center.

    5. Return the old value of CRLPeriodUnits.

    6. Install the role of the Certification Center with the installation of the correct validity period of the root certificate.

    7. Restoring the certificate database.
    Wednesday, May 22, 2019 4:46 AM

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    The validity period for the root certificate is set at the time we install the Root CA. To change the validity period for a root certificate, we'll need to reinstall the root CA and then configure it.

    If we reinstall the CA with a lower validity period, we would need to re-generate our internal certificates again. We'd set the validity period at the install. 20 years for the Root CA is sufficient with 10 years (one-half) configured for certs issued to subordinate CAs.

    This way, we'll reissue all new certificates and then remove the old CA properly. We can take time to design our PKI based on our organizational needs. We don't necessarily do it right away. After a well thought out plan, we can start.

    I think our plan should not work.



    Reference:
    How to Decommission a Windows Enterprise Certification Authority and How to Remove All Related Objects



    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 23, 2019 7:42 AM
    Moderator
  • Good day.
    Thank you so much for your reply!
    I would like to clarify the following.
    We do not aim to completely remove the certification authority. We just need to reinstall it with all the same parameters (domain name, CN, etc.) with a new (shorter) expiration date of the new root certificate. At the same time, user certificates issued on the old root certificate should work until their expiration date - 2 years.
    Is my plan correct in this context?
    For your link (https://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx).
    Do I need to implement steps 1, 6, 7, 8, 9 when implementing my plan?

    Thursday, May 23, 2019 12:44 PM
  • Hi,
    From the article How to change CA certificate validity period, we can see:

    Root CA certificate validity can be set only during AD CS role installation. It is not possible to change root CA certificate validity without certificate renewal. If your root CA certificate is valid for 5 years (default) and you want to increase this value you must create (or edit existing) CAPolicy.inf file and place it to system root folder (by default C:\Windows).

    Not sure whether we can reduce this value during the certificate renewal. I suggest we can do a test in our test environment.



    Other reference:
    CA Validity Period Extension and CA Certificate Renewal Process
    https://www.experts-exchange.com/articles/32336/CA-Validity-Period-Extension-and-CA-Certificate-Renewal-Process.html


    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.


    Best Regards,
    Daisy Zhou


    Friday, May 24, 2019 10:27 AM
    Moderator
  • Due to a limitation in the processing of CApolicy.inf files and a requirement in code, the RenewalValidityPeriod CAN'T be shorter than the original time of the CA certificate. You can use this value to renew the CA with a longer validity period, but it can't be used for a shorter one.

    If you wish to have a Root CA with a shorter validity period, you will need to build a completely new root.


    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com

    Friday, May 24, 2019 10:24 PM
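    Both the CRL step of the plan in the opening post and Mark's CAPolicy.inf point can be checked on the CA host before anything is changed. The PowerShell below is an added example, not code from the thread, from Microsoft or from PKI Solutions. It assumes the standard ADCS registry layout under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, that the CA's own certificates sit in the machine Personal store, and, as the thread states, a two-year lifetime for issued certificates; the function names are mine.

```powershell
# Added example, not from the thread. Reads the active CA's registry
# configuration and certificates, checks the planned long-lived CRL against
# the old root's lifetime, and writes a CAPolicy.inf for a rebuilt root with
# the intended validity. Run in an elevated session on the CA host.

$CfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-ActiveCaConfig {
    # "Active" names the CA instance; its subkey holds the period settings.
    $active = (Get-ItemProperty -Path $CfgRoot -Name Active).Active
    $cfg    = Get-ItemProperty -Path (Join-Path $CfgRoot $active)
    # CACertHash lists one thumbprint per CA certificate generation (a renewal
    # appends a new one). Normalise to the Thumbprint format of the cert store.
    $hashes = @($cfg.CACertHash | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() })
    $certs  = Get-ChildItem Cert:\LocalMachine\My |
              Where-Object { $hashes -contains $_.Thumbprint } |
              Sort-Object NotBefore
    [pscustomobject]@{
        Name                = $active
        CRLPeriodUnits      = $cfg.CRLPeriodUnits
        CRLPeriod           = $cfg.CRLPeriod
        ValidityPeriodUnits = $cfg.ValidityPeriodUnits
        ValidityPeriod      = $cfg.ValidityPeriod
        Certificates        = @($certs)   # oldest first
    }
}

function Get-PeriodEnd {
    # Converts a CA-style (Units, Period) pair into the date it ends on.
    param([datetime]$From, [int]$Units, [string]$Period)
    switch ($Period) {
        'Hours'  { $From.AddHours($Units) }
        'Days'   { $From.AddDays($Units) }
        'Weeks'  { $From.AddDays(7 * $Units) }
        'Months' { $From.AddMonths($Units) }
        'Years'  { $From.AddYears($Units) }
        default  { throw "Unknown period unit '$Period'" }
    }
}

function Test-CrlPlan {
    # Step 2 of the plan: the CRL must outlive every certificate issued under
    # the old root, yet cannot run past that root's own NotAfter, because the
    # CA truncates a CRL's NextUpdate at the signing certificate's expiry.
    param(
        [int]$Units = 1000,
        [string]$Period = 'Days',
        # Assumption from the thread: issued certificates live at most 2 years.
        [datetime]$LongestIssuedNotAfter = (Get-Date).AddYears(2)
    )
    $ca      = Get-ActiveCaConfig
    $oldRoot = $ca.Certificates[0]
    $next    = Get-PeriodEnd -From (Get-Date) -Units $Units -Period $Period
    [pscustomobject]@{
        CA                 = $ca.Name
        CurrentCrlSetting  = "$($ca.CRLPeriodUnits) $($ca.CRLPeriod)"
        PlannedNextUpdate  = $next
        OldRootNotAfter    = $oldRoot.NotAfter
        CoversIssuedCerts  = ($next -ge $LongestIssuedNotAfter)
        WithinRootLifetime = ($next -le $oldRoot.NotAfter)
    }
}

function New-RootCaPolicyInf {
    # For a root CA the Renewal* values also fix the validity of the initial
    # self-signed certificate at install time. They can lengthen a root on
    # renewal but never shorten it, hence the rebuild.
    param(
        [int]$ValidityYears = 5,
        [string]$Path = (Join-Path $env:windir 'CAPolicy.inf')
    )
    $template = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits={0}
CRLPeriod=Weeks
CRLPeriodUnits=1
LoadDefaultTemplates=0
'@
    Set-Content -Path $Path -Value ($template -f $ValidityYears) -Encoding ASCII
    $Path
}

function Test-RootValidity {
    # After the rebuild: does the newest CA certificate have the intended span?
    param([int]$ExpectedYears = 5)
    $root  = (Get-ActiveCaConfig).Certificates[-1]
    $years = [math]::Round(($root.NotAfter - $root.NotBefore).TotalDays / 365.25)
    [pscustomobject]@{
        Subject   = $root.Subject
        NotBefore = $root.NotBefore
        NotAfter  = $root.NotAfter
        Years     = $years
        Matches   = ($years -eq $ExpectedYears)
    }
}

Test-CrlPlan | Format-List
```

    Run Test-CrlPlan before step 2: if WithinRootLifetime is false, the 1000-day CRL will be cut short at the old root's expiry anyway, and if CoversIssuedCerts is false the planned period is too short for the certificates still in use. Call New-RootCaPolicyInf -ValidityYears 5 before the role is installed again and Test-RootValidity -ExpectedYears 5 afterwards to confirm the new root did not inherit the 2117 date.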
  • I understand that I need to completely reinstall the CA. Now the question is, do I need to remove Remove CA objects from Active Directory and so on after it? The certificate authority will be reinstalled on the same server, with the same name, nothing essentially changes. In addition to the period of validity of the new root certificate. The old root certificate will be needed before the end of the user certificates issued on it.
    Saturday, May 25, 2019 9:21 AM
  • If you have existing certificates that you want to continue to function you will need to leave the CA certificates published in AD. If you are going to rebuild and keep the old certificates, I would STRONGLY recommend you use new CA and host names to keep it properly organized in AD. If you rebuild your CAs on the same hosts, it will cause some verification issues.


    Sunday, May 26, 2019 3:33 PM
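    Mark's point that the old CA certificates must stay published in AD for existing certificates to keep validating can be verified from any domain-joined machine. The script below is an added example, not code from the thread or from Microsoft; it assumes the standard Public Key Services container layout in the Configuration partition and read access to it, and the function names are mine.

```powershell
# Added example, not from the thread. Lists the CA certificates published in
# the forest's Public Key Services containers and checks that a given
# thumbprint (the old root) is still present where chain building and trust
# distribution look for it. Needs only [ADSI], no extra modules.

function Get-PublishedCaCertificates {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = $rootDse.Properties['configurationNamingContext'].Value
    $pks      = "CN=Public Key Services,CN=Services,$configNC"

    # Certification Authorities: trusted roots pushed to every domain member.
    # AIA: issuer certificates used for chain building.
    # Enrollment Services: the CAs clients can enrol from (host name lives here).
    foreach ($container in 'Certification Authorities', 'AIA', 'Enrollment Services') {
        $parent = [ADSI]"LDAP://CN=$container,$pks"
        foreach ($obj in $parent.Children) {
            $hostName = [string]$obj.Properties['dNSHostName'].Value
            # cACertificate is multi-valued: every published generation of the cert.
            foreach ($raw in @($obj.Properties['cACertificate'])) {
                if ($null -eq $raw) { continue }
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                            -ArgumentList (,[byte[]]$raw)
                [pscustomobject]@{
                    Container  = $container
                    ObjectName = [string]$obj.Properties['cn'].Value
                    HostName   = $hostName
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                }
            }
        }
    }
}

function Test-CaCertificatePublished {
    # $true when the certificate is in both containers that existing chains
    # depend on (Certification Authorities and AIA); Enrollment Services is
    # reported but not required, since nobody should enrol from the old CA.
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    $wanted = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $found  = Get-PublishedCaCertificates |
              Where-Object { $_.Thumbprint -eq $wanted } |
              Select-Object -ExpandProperty Container -Unique
    [pscustomobject]@{
        Thumbprint           = $wanted
        InTrustedRoots       = ($found -contains 'Certification Authorities')
        InAIA                = ($found -contains 'AIA')
        InEnrollmentServices = ($found -contains 'Enrollment Services')
        Ok                   = ($found -contains 'Certification Authorities') -and ($found -contains 'AIA')
    }
}

Get-PublishedCaCertificates | Format-Table Container, ObjectName, Subject, NotAfter -AutoSize
```

    Run Get-PublishedCaCertificates before removing the role and again after the rebuild; the old root's thumbprint should still appear under Certification Authorities and AIA with its original NotAfter, and Test-CaCertificatePublished -Thumbprint <old root thumbprint> should report Ok as $true. Building the new CA under a different CA and host name, as Mark suggests, keeps the two generations apart in these containers instead of stacking them on one object.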
  • Hi,
    Yes, I agree with Mark.B. If we must reduce the validity of the root certificate, we can plan it well.



    Best Regards,
    Daisy Zhou




    Monday, May 27, 2019 3:50 AM
    Moderator
  • Hi,
    If this question has any update or is this issue solved? Also, for the question, is there any other assistance we could provide?


    Best Regards,
    Daisy Zhou


    Wednesday, May 29, 2019 4:30 AM
    Moderator