To create a certificate that is valid for longer than the default
validity period defined in the Windows Server CA templates, you need to
know the three things that determine the validity period:
- The remaining lifetime of the issuing CA server
- The value specified in the certificate template
- The value specified in the CA server registry
The validity period of the certificate will be determined by the shortest
value of the three.
Determining the lifetime for a CA server
The default validity period of a CA server is 5 years; however, if stability
is more important to you than security, set it to a longer period such as
ten or twenty years. Whatever value you choose, re-issue the CA certificate
about a year before it expires.
You can edit the templates available for your CA only if you have
Windows Server 2003 Enterprise Edition!
Always try to install your CA on this edition, just in case you'll need to edit
the certificate templates at any later date.
To manage the certificate templates, open your CA server MMC and select
"Certificate Templates" -> "Manage".
You can then copy an existing template and edit its attributes.
CA registry values
To view your current registry settings, use the following commands
in a CMD prompt:
certutil -getreg ca\ValidityPeriod
certutil -getreg ca\ValidityPeriodUnits
By default, these commands will show that your CA is using Years as its validity period
and 2 as its validity period units (that is, two years).
To change the validity period units, use the following command:
certutil -setreg ca\ValidityPeriodUnits n
(n is the number of years you wish to set)
For the new setting to apply you must stop and start the CA service,
which you can do with the following commands:
net stop certsvc
net start certsvc
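The following PowerShell script is an added example, not code from the original article. It ties together the two points made above: it reads the CA registry values and the issuing CA certificate's expiry date, reports which of the three constraints (template, registry, CA lifetime) will actually bound a newly issued certificate, and wraps the certutil -setreg change together with the required service restart. It assumes an elevated PowerShell session on a Windows Server running Active Directory Certificate Services, the standard CertSvc configuration registry path, and that the CA's own certificate sits in the LocalMachine\My store with a subject beginning with the CA name; the function names are the example's own.

```powershell
# Added example (not from the original article). Assumptions: elevated session on the
# CA server, CertSvc configuration under the standard registry path, CA certificate in
# Cert:\LocalMachine\My with a subject starting "CN=<CA name>".
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaValidityInfo {
    # Collects two of the three inputs: the registry validity setting and the
    # issuing CA certificate's own expiry (the template value is supplied by the caller).
    $caName = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
    $caKey  = Join-Path $cfgRoot $caName
    $reg    = Get-ItemProperty -Path $caKey -Name ValidityPeriod, ValidityPeriodUnits
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
              Where-Object { $_.Subject -like "CN=$caName*" } |
              Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $caCert) { throw "No CA certificate for '$caName' found in LocalMachine\My" }
    [pscustomobject]@{
        CaName              = $caName
        RegistryPeriod      = $reg.ValidityPeriod        # e.g. 'Years'
        RegistryPeriodUnits = $reg.ValidityPeriodUnits   # e.g. 2
        CaCertNotAfter      = $caCert.NotAfter
    }
}

function Get-EffectiveValidity {
    # Returns the expiry a certificate issued now would get and which constraint bounds it.
    param(
        [Parameter(Mandatory)][int]$TemplateYears,     # validity configured on the template
        [datetime]$IssueDate = (Get-Date)
    )
    $info = Get-CaValidityInfo
    if ($info.RegistryPeriod -ne 'Years') {
        throw "This example only handles ValidityPeriod = Years; found '$($info.RegistryPeriod)'"
    }
    $candidates = @{
        'Certificate template' = $IssueDate.AddYears($TemplateYears)
        'CA registry value'    = $IssueDate.AddYears($info.RegistryPeriodUnits)
        'Issuing CA lifetime'  = $info.CaCertNotAfter
    }
    # The shortest of the three wins.
    $winner = $candidates.GetEnumerator() | Sort-Object Value | Select-Object -First 1
    [pscustomobject]@{
        EffectiveNotAfter = $winner.Value
        LimitedBy         = $winner.Key
        Candidates        = $candidates
    }
}

function Set-CaValidityYears {
    # Changes ca\ValidityPeriodUnits and restarts the service so the value takes effect.
    param([Parameter(Mandatory)][ValidateRange(1, 50)][int]$Years)
    $info = Get-CaValidityInfo
    if ((Get-Date).AddYears($Years) -gt $info.CaCertNotAfter) {
        Write-Warning ("Requested {0} years exceeds the CA certificate lifetime (expires {1}); " +
                       "issued certificates will be cut off at that date.") -f $Years, $info.CaCertNotAfter
    }
    certutil -setreg ca\ValidityPeriodUnits $Years | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }
    # Equivalent to 'net stop certsvc' followed by 'net start certsvc'.
    Restart-Service -Name CertSvc
    certutil -getreg ca\ValidityPeriodUnits   # show the value now in effect
}

# Usage:
#   Get-EffectiveValidity -TemplateYears 5
#   Set-CaValidityYears -Years 5
```

Run Get-EffectiveValidity before changing anything: if it reports "Issuing CA lifetime" as the limiting factor, raising the registry value will not lengthen issued certificates until the CA certificate itself is renewed, which is the situation the first section of the article warns about.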