The validity period of any certificate issued by a Windows CA is the lesser of these three values:
- The remaining lifetime of the issuing CA's own certificate (an issued certificate can never outlive the CA certificate that signs it)
- The value specified in the certificate template (enterprise CAs only)
- The value specified in the CA server registry (ValidityPeriod / ValidityPeriodUnits; default is 2 years)
Increasing the CA Lifetime
A root CA installed with the default settings is valid for 5 years. To increase the lifetime of the root CA, create or edit a text file in %SYSTEMROOT% called CAPolicy.inf with the following text:

[Version]
Signature="$Windows NT$"

[certsrv_server]
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10

Adjust the values above as needed, save the file, and restart the CertSvc service. Then renew the CA certificate using the same public and private key pair (in the Certification Authority console, choose "Renew CA Certificate" and answer No when asked whether to generate a new signing key). The new validity period takes effect only at renewal; the current CA certificate is not changed by editing the file.
Warning: If you renew with a new public and private key pair, the CA ends up with a second CA certificate and key. Certificates already issued still chain to the old CA certificate and keep working until it expires, but from then on the CA maintains two chains and publishes a CRL for each key, and the old certificates will eventually have to be reissued under the new key. Don't do it unless that is your intent.
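The CAPolicy.inf procedure above, scripted as an added example (this is not code from the original post). It is assumed to run in an elevated PowerShell prompt on the root CA itself; the 10-year value is the post's own example, and the helper name Get-LocalCaCertificate is this example's, not an AD CS cmdlet. Renewal uses certutil -renewCert with the ReuseKeys option so that the existing key pair is kept, which is the case the warning above tells you to prefer.

```powershell
# Added example, not from the original post: extend a root CA's lifetime at
# its next renewal by writing CAPolicy.inf, then renew reusing the existing
# key pair so previously issued certificates keep chaining to the same CA key.
# Assumes an elevated PowerShell prompt on the root CA.

$renewalYears = 10                                   # value from the post; adjust as needed
$policyPath   = Join-Path $env:SystemRoot 'CAPolicy.inf'

# Back up any existing CAPolicy.inf rather than silently overwriting it;
# it may already carry other settings (CRL/AIA URLs, key usage, and so on).
if (Test-Path $policyPath) {
    Copy-Item $policyPath "$policyPath.bak" -Force
}

# Backticks keep the literal $ signs in the Signature line from being interpolated.
@"
[Version]
Signature="`$Windows NT`$"

[certsrv_server]
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=$renewalYears
"@ | Set-Content -Path $policyPath -Encoding ASCII

# Helper (this example's own): certificates in the machine store that are CA
# certificates (Basic Constraints CA=TRUE) and whose private key lives on this box.
function Get-LocalCaCertificate {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and
            $_.CertificateAuthority
        })
    }
}

Write-Host "CA certificate(s) before renewal:"
Get-LocalCaCertificate | Format-Table Subject, NotBefore, NotAfter, Thumbprint -AutoSize

# CAPolicy.inf is read at renewal time; restarting the service first matches the post's steps.
Restart-Service CertSvc

# ReuseKeys keeps the current key pair. Omitting it generates a new key pair, which
# leaves the CA with two certificates and two CRLs (the case the warning describes).
certutil -renewCert ReuseKeys
if ($LASTEXITCODE -ne 0) { throw "certutil -renewCert failed with exit code $LASTEXITCODE" }

Write-Host "CA certificate(s) after renewal (the newest should expire about $renewalYears years from now):"
Get-LocalCaCertificate | Sort-Object NotBefore | Format-Table Subject, NotBefore, NotAfter, Thumbprint -AutoSize
```

Because the same key is reused, the renewed certificate shares its thumbprint-relevant key material but has a new serial number and NotAfter; the before/after listing makes that visible, and a second entry appearing with a different public key is the sign that ReuseKeys was not honoured.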
Setting the Maximum Validity Period in the Registry
The default certificate validity period configured in the CA's registry is 2 years. To view the current registry values, run the following commands from a CMD prompt on the CA:

certutil -getreg ca\ValidityPeriod
certutil -getreg ca\ValidityPeriodUnits

To configure the registry value to 5 years, run the following command from a CMD prompt on the CA:

certutil -setreg ca\ValidityPeriodUnits 5

Adjust the value above as needed. Then restart the CertSvc service for the change to take effect; the CA only reads these values at start-up. Remember that this is a cap: a template asking for a shorter period, or a CA certificate with less time remaining, still wins.
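The registry procedure above as an added example, together with the "lesser of three values" rule from the top of the post (example code, not from the original post). It assumes an elevated PowerShell prompt on the CA; the registry path and the Active, ValidityPeriod and ValidityPeriodUnits value names are the standard AD CS ones, while the function names and the sample template/CA-expiry figures used at the end are this example's own. Reading the registry directly avoids parsing certutil's text output; writing still goes through certutil -setreg as the post does.

```powershell
# Added example, not from the original post: read the CA's maximum validity
# period from the registry, raise it to the post's 5-year value, restart
# CertSvc, and confirm the change. Assumes an elevated prompt on the CA.

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaValidityPeriod {
    # The 'Active' value names the CA whose subkey holds ValidityPeriod / ValidityPeriodUnits.
    $caName = (Get-ItemProperty -Path $configKey -Name Active).Active
    $caKey  = Get-ItemProperty -Path (Join-Path $configKey $caName)
    [pscustomobject]@{
        CAName = $caName
        Period = $caKey.ValidityPeriod             # e.g. 'Years'
        Units  = [int]$caKey.ValidityPeriodUnits   # e.g. 2 on a default install
    }
}

function Set-CaValidityPeriod {
    param(
        [Parameter(Mandatory)][int]$Units,
        [ValidateSet('Hours','Days','Weeks','Months','Years')][string]$Period = 'Years'
    )
    certutil -setreg ca\ValidityPeriod $Period | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg ValidityPeriod failed ($LASTEXITCODE)" }
    certutil -setreg ca\ValidityPeriodUnits $Units | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg ValidityPeriodUnits failed ($LASTEXITCODE)" }
    # The CA reads these values at start-up, so nothing changes until the service restarts.
    Restart-Service CertSvc
}

# The "lesser of three" rule: template value, registry cap, and the time left on the
# CA's own certificate. Returned in years, rounded, for a quick sanity check.
function Get-EffectiveValidityYears {
    param(
        [Parameter(Mandatory)][double]$TemplateYears,
        [Parameter(Mandatory)][double]$RegistryYears,
        [Parameter(Mandatory)][datetime]$CaNotAfter
    )
    $caRemainingYears = ($CaNotAfter - (Get-Date)).TotalDays / 365.25
    [math]::Round([math]::Min([math]::Min($TemplateYears, $RegistryYears), $caRemainingYears), 2)
}

$before = Get-CaValidityPeriod
Write-Host "Before: $($before.Units) $($before.Period) on CA '$($before.CAName)'"

Set-CaValidityPeriod -Units 5 -Period Years

$after = Get-CaValidityPeriod
if ($after.Units -ne 5 -or $after.Period -ne 'Years') { throw "Registry change did not take effect" }
Write-Host "After:  $($after.Units) $($after.Period)"

# Constructed illustration: a 10-year template on a CA whose own certificate expires
# in 3 years still yields roughly 3 years, regardless of the 5-year registry cap.
Get-EffectiveValidityYears -TemplateYears 10 -RegistryYears $after.Units -CaNotAfter (Get-Date).AddYears(3)
```

Set-CaValidityPeriod writes both values because ValidityPeriodUnits is meaningless without knowing the unit; a CA left at ValidityPeriod=Years with ValidityPeriodUnits=5 behaves as the post describes, whereas a stray ValidityPeriod=Days would silently make the same "5" five days.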
Thanks for this tip. Could you advise how to reduce the validity of Root CA?
You mean make it valid for a shorter duration? Just use the steps above and set it to "1". One year is the shortest duration available.

Worthy of a retweet today. :)