Update Root Cert Validity Period

  • Question

  • Hi,

    I was wondering if someone could point me in the right direction.

    I have recently migrated our ca server from 2008 to 2016.

    The root certificate has a validity period of 999 years. I would like to update this to something more reasonable. I have created the file CAPolicy.inf and placed it in the c:\windows folder and then restarted the certificate service.

    Upon generating a new root certificate, the validity period is still set to 999 years. I have also searched through the registry for the setting but with no luck.

    Is there another place I should be looking at to update the time period?

    Thanks

    Pete

    Wednesday, May 1, 2019 2:28 PM

All replies

  • The validity period for the root certificate is set at the time you install the Root CA. A setting of 999 years just makes it a very long validity. Usually the validity period of the root is determined by calculating the designed validity periods in the design of other parts of the PKI, such as templates, Issuing and Policy CAs. The design should also include protections of the private key and disaster recovery, of course.

    To change the validity period for a root certificate you'll need to reinstall the root CA and configure it then, preferably with a well thought-out plan.

    hth, 

    Bill


    Wednesday, May 1, 2019 3:06 PM
  • Hello,
    Thank you for posting in our TechNet forum.

    We can refer to the article CA Validity Period Extension and CA Certificate Renewal Process.

    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 2, 2019 8:02 AM
    Moderator
  • Hi Bill,

    Thank you for your reply.

    If I reinstall the CA with a lower validity period, I presume I would need to regenerate my internal certificates again?

    Thanks

    Pete

    Thursday, May 2, 2019 4:18 PM
  • Yes - you'd set the validity period at the install. You'd then want to reissue to your Issuing CA(s). See the documentation to adapt to your situation where you are removing only the Root CA. 

    How to Decommission a Windows Enterprise Certification Authority and How to Remove All Related Objects

    This way, you'll reissue all new certificates and then remove the old CA properly.

    But, to be clear, all of this is not so necessary immediately since the VP is still a very long way out. You can take time to design your PKI per your organizational needs. 20 years for the Root CA is sufficient with 10 years (one-half) configured for certs issued to subordinate CAs.



    Regards,

      Bill

    Bill Stites - PKI Consultant

    Bill Stites, PKI Consultant, started in PKI at Providence Health & Services
    in the Pacific Northwest in 2006. He has since consulted in the design and implementation of PKIs
    and certificate management systems in retail, government and insurance organizations.

    Thursday, May 2, 2019 6:18 PM
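The reinstall Bill describes, written out as an added PowerShell example; it is not code from this thread, from Microsoft's documentation, or from Bill. It assumes Windows Server 2016, an elevated session on the machine that will become the new standalone root, and uses a placeholder CA name. Two points it makes explicit: the root's own lifetime is fixed by the -ValidityPeriod/-ValidityPeriodUnits parameters at install time (the Renewal* keys in CAPolicy.inf are read only when the CA certificate is later renewed), and the ValidityPeriod values under the CA's registry configuration cap the certificates the CA issues, such as the subordinate CA certificates, rather than the root certificate itself.

```powershell
# Added example, not from the thread. Assumptions: Windows Server 2016, elevated session,
# the CA name below is a placeholder, and no previous CA role is installed on this host.
$CaName     = 'EXAMPLE Root CA'   # placeholder common name
$RootYears  = 20                  # root CA certificate lifetime (Bill's figure)
$SubCaYears = 10                  # maximum lifetime of certificates this CA issues (one-half)

# 1. CAPolicy.inf must be in %windir% BEFORE the CA is installed. The Renewal* keys are
#    consulted when the CA certificate is renewed later; they do not alter an existing cert.
$CaPolicy = @"
[Version]
Signature="`$Windows NT`$"

[certsrv_server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=$RootYears
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0
"@
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $CaPolicy -Encoding ASCII

# 2. Install the role and create the root CA. The root's own validity period is set here,
#    at install, and nowhere else.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits $RootYears `
    -Force

# 3. The registry ValidityPeriod values limit certificates the CA *issues* (the subordinate
#    CA certificates in this design), not the root certificate, which is why a registry
#    search for the 999-year value turns up nothing to change.
certutil -setreg CA\ValidityPeriod 'Years'
certutil -setreg CA\ValidityPeriodUnits $SubCaYears
Restart-Service certsvc

# 4. Confirm the lifetime of the new root certificate.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$CaName" } |
    Select-Object Subject, NotBefore, NotAfter
```

Run this on an offline machine that will stay offline; the subordinate CA requests are then signed by this root and the old CA removed following the decommissioning article Bill links above.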
  • Hi Bill,

    Thanks again for the reply and the link.

    The issue we are seeing is that because the root ca is set to 999 years, there is a cisco bug documented here: https://quickview.cloudapps.cisco.com/quickview/bug/CSCsc45595 that is caused because the certificate expiration date is beyond the year 2038.

    Also, if I follow the link you sent me, will existing certificates still work or will they need to be reissued straight away to prevent any certificate errors?

    Thanks

    Pete


    • Edited by pete2000 Friday, May 3, 2019 10:36 AM
    Friday, May 3, 2019 9:09 AM
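A check for the condition Pete describes, as an added PowerShell example that is not from the thread or from the Cisco bug report: it lists certificates in the local machine stores whose notAfter lies beyond the largest value a signed 32-bit time_t can hold (19 January 2038, 03:14:07 UTC), and includes a small planning helper showing which lifetimes, measured from today, would cross that date. The store list and the cutoff constant are assumptions of the example; whether a particular device actually fails on such a certificate is a property of that device, not something the script can decide.

```powershell
# Added example, not from the thread. Runs on any Windows host; no CA role required.
# Largest instant representable as a signed 32-bit time_t, the boundary the Cisco bug concerns.
$Cutoff = [datetime]::new(2038, 1, 19, 3, 14, 7, [DateTimeKind]::Utc)

function Get-Post2038Certificate {
    param(
        # Stores to inspect; assumed defaults, extend as needed.
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\My')
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.NotAfter.ToUniversalTime() -gt $Cutoff } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    NotAfter   = $_.NotAfter.ToUniversalTime()
                    Thumbprint = $_.Thumbprint
                }
            }
    }
}

# Planning helper: would a certificate issued at $NotBefore with this lifetime end past the cutoff?
function Test-ValidityCrossesCutoff {
    param(
        [int]$Years,
        [datetime]$NotBefore = (Get-Date).ToUniversalTime()
    )
    $notAfter = $NotBefore.AddYears($Years)
    [pscustomobject]@{
        Years    = $Years
        NotAfter = $notAfter
        Past2038 = ($notAfter -gt $Cutoff)
    }
}

# Certificates already installed that end after the cutoff.
Get-Post2038Certificate | Format-Table -AutoSize

# The lifetimes discussed in the thread, measured from today.
999, 20, 10 | ForEach-Object { Test-ValidityCrossesCutoff -Years $_ } | Format-Table -AutoSize
```

Pass an explicit -NotBefore to Test-ValidityCrossesCutoff to evaluate a planned install date rather than today; the function only does date arithmetic on the certificate lifetime, so it applies equally to the root, the issuing CAs and the end-entity certificates they will sign.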
  • Hi,
    From the information mentioned by Bill ("You'd then want to reissue to your Issuing CA(s)"), all existing certificates will not work and we will need to reissue certificates.



    Best Regards,
    Daisy Zhou


    Friday, May 24, 2019 6:22 AM
    Moderator