Increasing length of validity of CA/SUBCA

  • Question

  • After reading thread "RootCA and SubOrdinate CA validity period headache...", my question is after increasing the CA Cert validity, and modifying the SUBCA template to 5 or 6 years, what's the best renew methodology?

    Renew cert w/same key?  Renew cert w/new key? Renew new cert AND new key?


    Steve Mitchell

    Tuesday, March 6, 2018 6:42 PM

All replies

  • It is always a good security practice to have a new certificate with a new key. However, you can proceed with the other options. It always depends on your needs.

    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK


    Tuesday, March 6, 2018 8:11 PM
  • Thanks for the response.  Just verifying, I now find contradictions in the process itself.

    Some resources only state the change in registry settings, on the Standalone RootCA.

    Other resources state the change in registry settings on the Standalone RootCA, but in addition, they say that I have to renew the ROOT Cert to get the new validity length. If THIS one is accurate, in renewing the ROOT Cert itself, do I

    Renew cert w/same key? 

    Renew cert w/new key?

    Renew w/new cert AND new key?

    This is a Production box, and I have no testing arena, so I'm trying to verify the exact procedure.  I forgot to mention that I can restore from a Snapshot.

    Thanks a bunch.

    Steve Mitchell

    • Edited by The_FNG Monday, March 12, 2018 5:42 PM
    Monday, March 12, 2018 4:28 PM
  • Hey folks - I appreciate all the help so far, but am really needing guidance here.  Anyone?


    Tuesday, March 13, 2018 10:11 AM
  • There is no need to renew the RootCA cert for the validity period to be reset. The change in validity period sets the validity of the SubCA that requests (with new key) the new cert from the RootCA. No need to configure any SubCA template.

    Just keep in mind you must keep the validity period less than the RootCA, preferably one-half.

    And also, you'll need to renew certs issued by the SubCA and, again, you should have the validity period on the SubCA at 2, preferably. That way no certs can be issued with a lifetime greater than two. But that depends on your needs. But it can't be more than the Issuing CA.

    Change the validity to the number of years you want the SubCA cert to be valid for. (here I put 10)

                   Certutil -setreg CA\ValidityPeriodUnits 10

                   Certutil -setreg CA\ValidityPeriod "Years"

                   (restart CertSvc)  net stop certsvc && net start certsvc

    After this you should take a good reassessment of your PKI implementation and best practices.

    Hope this helps a little,


    Wednesday, March 14, 2018 9:10 PM
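
Added example, not part of the thread or any poster's code: a PowerShell check of the two constraints named in the last reply, that a SubCA certificate cannot outlive the issuing RootCA certificate and should preferably run to about half of it. The function name `Test-SubCaValidity`, the dates, and reading "one-half" as half of the root certificate's remaining lifetime are assumptions made for illustration.

```powershell
# Added example; all dates are constructed sample values.
# On the issuing CA, the two settings can be read with:
#   certutil -getreg CA\ValidityPeriodUnits
#   certutil -getreg CA\ValidityPeriod
function Test-SubCaValidity {
    param(
        [Parameter(Mandatory)][datetime]$IssueDate,
        [Parameter(Mandatory)][int]$ValidityPeriodUnits,
        # Units handled by this sketch.
        [Parameter(Mandatory)][ValidateSet('Days','Weeks','Months','Years')]
        [string]$ValidityPeriod,
        [Parameter(Mandatory)][datetime]$RootNotAfter
    )
    if ($RootNotAfter -le $IssueDate) { throw 'Root CA certificate is already expired.' }

    # Expiry that the registry settings ask for.
    $requested = switch ($ValidityPeriod) {
        'Days'   { $IssueDate.AddDays($ValidityPeriodUnits) }
        'Weeks'  { $IssueDate.AddDays(7 * $ValidityPeriodUnits) }
        'Months' { $IssueDate.AddMonths($ValidityPeriodUnits) }
        'Years'  { $IssueDate.AddYears($ValidityPeriodUnits) }
    }
    # An issued certificate cannot outlive the issuing CA's own certificate.
    $truncated = $requested -gt $RootNotAfter
    $effective = if ($truncated) { $RootNotAfter } else { $requested }
    # "Preferably one-half": midpoint of the root's remaining lifetime (assumed reading).
    $halfway = $IssueDate.AddDays(($RootNotAfter - $IssueDate).TotalDays / 2)

    [pscustomobject]@{
        RootNotAfter = $RootNotAfter.ToString('yyyy-MM-dd')
        Requested    = $requested.ToString('yyyy-MM-dd')
        Effective    = $effective.ToString('yyyy-MM-dd')
        Truncated    = $truncated
        WithinHalf   = $effective -le $halfway
    }
}

# Same 10-year setting as in the reply, against three constructed root expiry dates.
$issue = [datetime]'2018-03-14'
foreach ($rootExpiry in '2038-06-01', '2030-01-01', '2026-01-01') {
    Test-SubCaValidity -IssueDate $issue -ValidityPeriodUnits 10 `
        -ValidityPeriod 'Years' -RootNotAfter ([datetime]$rootExpiry)
}
```

A row with Truncated set to True means the 10-year setting asks for more lifetime than the root certificate has left, so the SubCA certificate would end with the root's.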