Certificate Expiration is set for only 1 year for issued certificates in a Windows 2008 Active Directory environment.

  • Question

  • Certificate Expiration is set for only 1 year for issued certificates in a Windows 2008 Active Directory environment.

    When I open certificates I have created, they don't expire for 60 years, as designed. When I created my duplicate templates in Windows 2008 Certificate Services, my duplicate templates are set for 60 years for computers, as designed.
    When I deploy my certificate with my templates, the workstations and servers show they are only valid for one year?
    What gives?
    I also noticed when I ran certutil -dspublish on my root certificate, and set it as my trusted Root CA in Group Policy Trusted Root Authorities, that my domain controllers only have 1 year before the cert must be renewed. I want this to be 60 years as well.
    How do I fix this?
    Tuesday, September 20, 2011 8:10 PM

All replies

  • 1. 60 years is way way too long (even with really long keys)

    2. What is the validity period of your CA's certificate? A CA cannot issue certificates beyond its remaining validity period. So even if you build it with a 60 year validity period, after one year it can only issue certificates valid for 59 years. After two years, it can only issue 58 year valid certificates (hypothetically of course).

    3. You need to run two commands, to change what I call the governor on the CA.

    certutil -setreg CA\ValidityPeriod "Years"

    certutil -setreg CA\ValditiyPeriodUnits 60

    then restart certificate services.

    May I recommend something more typical, such as a five year max (for high assurance certificates) and two years for the certificates you have described (for computers and DCs).

    Brian

    Wednesday, September 21, 2011 12:26 AM
  • Validity period for my CA is 65 years. If I open my certificate it shows an expiration date 60 years out.

    When I published my Root Certificate to AD with certutil -dspublish and added it to my Trusted Root Authority Certificates in Group Policy (I probably didn't need to do both, as I understand it), I opened Certificate Authority in MMC and looked under Issued Certificates. My domain controllers showed up, but with an expiration date of just one year. I expected 60 years, not one year.

    I created duplicate templates from my computer template, set the validity period to 20 years, and the renewal period to 10 years. I then created a Global group, assigned several computers to the template, and published the template to AD. On my workstation, as a test, I opened MMC and Certificates, then requested a certificate from the template I assigned to it. I then checked Issued Certificates on my CA, and these workstations showed a one year expiration date, not 20 years.

    If the certificates would renew automatically at the end of a year then I guess it would not matter, but I did not expect to see just one year before they expire.

    Do I need to publish anything for the CRL?

    I am trying to make sure I get these issues settled before I create a self signed SSL certificate for my Windows 2003 server running Tomcat 6 that my workstations will access. I have the Tomcat 6 document relating to generating a request from the command line, having my CA sign it, and then reimporting it. Since this will be a major production server, I don't want things expiring in a year with end users calling me to say they cannot connect to the server. I want something in place that does not expire for 5 years.

    Wednesday, September 21, 2011 3:57 AM
  • On Wed, 21 Sep 2011 03:57:16 +0000, Lanman777 wrote:

    If the certificates would renew automatically at the end of a year then I guess it would not matter, but I did not expect to see just one year before they expire.

    Do I need to publish anything for the CRL?

    Brian has already provided you with the answer.

    The maximum validity of an issued certificate is the lesser of:

    1. The remaining validity period of the parent CA's certificate.
    2. The validity period in the certificate template (if using an Enterprise CA).
    3. The validity period in the registry on the CA.

    And Brian is correct, 60 years is far too long a validity period.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca
    Hackers have kernel knowledge.

    Wednesday, September 21, 2011 8:49 AM
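Paul's three-way minimum (and Brian's point about the CA's remaining lifetime) can be checked with a small calculator. This is an added example, not code from the thread or from Microsoft; the dates are constructed to match the thread (request submitted the day of the post, CA certificate ending 60 years later, 20-year template) and it simplifies a year to 365 days.

```python
from datetime import datetime, timedelta

# Units that certutil -setreg CA\ValidityPeriod accepts, expressed in days.
# Simplification for this example: a month is 30 days and a year 365 days.
UNIT_DAYS = {"Hours": 1 / 24, "Days": 1, "Weeks": 7, "Months": 30, "Years": 365}

# Constructed dates modelled on the thread: the request is submitted the day
# of the original post and the CA's own certificate ends 60 years later.
ISSUED_ON = datetime(2011, 9, 21)
CA_NOT_AFTER = datetime(2071, 9, 21)
LATE_REQUEST = datetime(2065, 1, 1)   # a request near the end of the CA's life


def effective_validity(issued_on, ca_not_after, template_years,
                       registry_period, registry_units):
    """Return (not_after, governing) for a certificate the CA issues on issued_on.

    The CA honours the shortest of three limits:
      1. the remaining lifetime of the CA's own certificate,
      2. the validity period in the certificate template (Enterprise CA),
      3. CA\\ValidityPeriod and CA\\ValidityPeriodUnits in the CA's registry.
    """
    limits = {
        "ca certificate": ca_not_after,
        "template": issued_on + timedelta(days=UNIT_DAYS["Years"] * template_years),
        "registry": issued_on + timedelta(days=UNIT_DAYS[registry_period] * registry_units),
    }
    governing = min(limits, key=limits.get)   # earliest NotAfter wins
    return limits[governing], governing


def scenario(template_years, registry_units, issued_on=ISSUED_ON,
             registry_period="Years"):
    """Whole years of validity the CA would grant, and which limit capped it."""
    not_after, governing = effective_validity(issued_on, CA_NOT_AFTER,
                                              template_years,
                                              registry_period, registry_units)
    return round((not_after - issued_on).days / 365), governing


if __name__ == "__main__":
    # Default registry value (1 year) caps the 20-year template at 1 year.
    print(scenario(20, 1))      # (1, 'registry')
    # After certutil -setreg CA\ValidityPeriodUnits 10 and a service restart.
    print(scenario(20, 10))     # (10, 'registry')
    # Registry raised past the template: the template now governs.
    print(scenario(20, 60))     # (20, 'template')
    # Request late in the CA's life: only its remaining lifetime is left.
    print(scenario(20, 60, issued_on=LATE_REQUEST))  # (7, 'ca certificate')
```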
  • Ok, thanks I really appreciate it! I will run the following command on my Issuing CA server on my domain.

    certutil -setreg CA\ValidityPeriod "Years"

    certutil -setreg CA\ValditiyPeriodUnits 10

    then restart certificate services.

    I went with the 2 tiered approach, creating the ROOTCA on a stand-alone server, then setting up an Enterprise CA on my domain as my issuing CA. What I don't understand is, after running the above command, how (if at all) the stand-alone CA that I created my RootCA on comes into play. Do I just leave it off and run the above command on my domain?

    Friday, September 23, 2011 2:06 AM
  • No, you run the command on each CA. It affects the registry of the CA that you run the command on.

    So, if you want the 2nd tier to have a 15 year validity period you would run

    certutil -setreg CA\ValidityPeriod "Years"

    certutil -setreg CA\ValditiyPeriodUnits 15

    prior to submitting the renewal request for the subordinate CA certificate.

    Brian

    • Proposed as answer by Brian Komar [MVP] Friday, September 23, 2011 4:07 AM
    • Marked as answer by Bruce-Liu Tuesday, September 27, 2011 5:39 AM
    Friday, September 23, 2011 4:07 AM
  • In the word "validity" Brian has an error (rewrote it):

    certutil -setreg CA\ValidityPeriod "Years"

    certutil -setreg CA\ValidityPeriodUnits 15


    Thursday, October 29, 2015 3:04 PM
  • Not sure what you are trying to accomplish discussing typos (that are easily recognized) in a post that is over four years old <G>

    Brian

    Thursday, October 29, 2015 11:25 PM