Error Constructing or Publishing Certificate


  • Hi,

    I wanted to issue a user certificate from the CA and got an error:

    Error Constructing or Publishing Certificate The certificate validity period will be shorter than the User Certificate Template specifies, because the template validity period is longer than the maximum certificate validity period allowed by the CA. Consider renewing the CA certificate, reducing the template validity period, or increasing the registry validity period

    We use an online ent CA; how do we solve this issue? Will it help if I change "ValidityPeriodUnits" in the registry?


    Monday, May 09, 2011 12:06


All replies

  • Please show us the output of the following commands:

    certutil -getreg ca\validityperiodunits
    certutil -getreg ca\validityperiod

    And what is validity period of the certificate template?

    Monday, May 09, 2011 12:14
  • ValidityPeriodUnits REG_DWORD = 2
    CertUtil: -getreg command completed successfully.

    ValidityPeriod REG_SZ = Years
    CertUtil: -getreg command completed successfully.

    The validity period of the certificate template is 1 year. But in "Enterprise PKI" I see the CA certificate expiration date is 2012.02.01, so it is in less than 1 year; maybe that's why I got this error.

    Is there any way to change the expiration date?


    Monday, May 09, 2011 13:42
  • Yes, that is why you got the error.  Three things determine the validity period of an issued certificate:

    1. The validity period of the CA's certificate

    2. The ValidityPeriodUnits and ValidityPeriod reg keys

    3. The template itself

    If the CA certificate is due to expire next month, then no certificates can be issued that are valid longer than one month.  So, in your case your CA's certificate expires in less than one year, so no certificate can be issued with a validity period greater than 2012.02.01.

    In order to resolve this, you need to renew the CA's certificate:

    Creating a Certificate Renewal Strategy

    Renew a subordinate certification authority
    Monday, May 09, 2011 15:02
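
The rule from the answer above (an issued certificate expires at the earliest of the CA certificate's expiry, the registry limit and the template period), as an added example that is not part of the original thread. The registry values, template period and CA expiry are the ones posted above; the issue date, the function names and the Days/Weeks/Months/Years handling are assumptions.

```python
import re
from datetime import date, timedelta

# Constructed sample: the two registry values as posted in the thread.
GETREG_OUTPUT = """\
ValidityPeriodUnits REG_DWORD = 2
CertUtil: -getreg command completed successfully.
ValidityPeriod REG_SZ = Years
CertUtil: -getreg command completed successfully.
"""

def parse_getreg(text):
    """Pull 'Name REG_TYPE = value' pairs out of certutil -getreg output."""
    pairs = re.findall(r"^\s*(\w+)\s+REG_\w+\s*=\s*(\S+)", text, re.MULTILINE)
    values = dict(pairs)
    return int(values["ValidityPeriodUnits"]), values["ValidityPeriod"]

def add_period(start, units, period):
    """Add N Days/Weeks/Months/Years to a date, clamping to month end."""
    period = period.lower()
    if period == "days":
        return start + timedelta(days=units)
    if period == "weeks":
        return start + timedelta(weeks=units)
    months = units * {"months": 1, "years": 12}[period]
    years, month_index = divmod(start.month - 1 + months, 12)
    for day in range(start.day, 0, -1):  # e.g. Feb 29 falls back to Feb 28
        try:
            return date(start.year + years, month_index + 1, day)
        except ValueError:
            continue

def effective_not_after(issued, ca_not_after, reg, template):
    """Return (expiry, limiting factor): the earliest of the three limits."""
    limits = {
        "CA certificate": ca_not_after,
        "registry": add_period(issued, *reg),
        "template": add_period(issued, *template),
    }
    limiting = min(limits, key=limits.get)
    return limits[limiting], limiting

if __name__ == "__main__":
    reg = parse_getreg(GETREG_OUTPUT)
    # Issue date is assumed to be the day of the post; CA expiry is from the thread.
    print(effective_not_after(date(2011, 5, 9), date(2012, 2, 1), reg, (1, "Years")))
```
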
  • Hi

    If I have an offline root CA, and I install a subordinate enterprise CA, to ensure that the cert issued to the subordinate enterprise CA is valid for 10 years, should I modify the registry or modify the capolicy.inf? Which is the best way to do it? Thanks

    Wednesday, January 27, 2016 19:53
  • You are setting the validity period for issued certificates. This is set in the registry of the root CA:

    certutil -setreg CA\ValidityPeriodUnits 10

    certutil -setreg CA\ValidityPeriod "Years"

    net stop certsvc && net start certsvc

    The CAPolicy.inf defines the root CA's own validity period, not that of the certificates issued *by* the root CA.


    P.S. This question has nothing to do with this thread. Next time I recommend starting a new thread.

    Wednesday, January 27, 2016 20:13