Microsoft CA certificate templates expires sooner than expected

Question

The certificates my Microsoft CA is generating do not match the time period indicated in the template used. How can I resolve this?

I recently created a new certificate template for use on my Linux boxes on my Microsoft CA (2008 R2 Enterprise). This template is approved for server and client authentication purposes with a validity period of 10 years - the expected lifetime of our Linux boxes - and the subject name supplied in the request. I have checked both the intermediate and offline CA - both have more than 10 years of life listed. The certificates are exactly two years.

Is there some kind of hard limit I'm hitting here?

What validity lifetime are they getting instead of 10 years? — Shane Madden, Sep 20 '12 at 23:49

score 8 · Accepted Answer · edited Sep 21 '12 at 12:59

8

By default ADCS is set to issue certs for a maximum of 2 years (regardless of template or request).
To change that just run the following two commands (modify as desired):

certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\ValidityPeriodUnits 10

Then restart certificate services:

net stop  certsvc
net start certsvc

edited Sep 21 '12 at 12:59

Tim Brigham

15,465
7
72
113

answered Sep 21 '12 at 01:38

Chris S

77,337
11
120
212

Ugh.. thanks. Did that on the offline CA but likely forgot it on the intermediate. – Tim Brigham Sep 21 '12 at 01:52

Microsoft CA certificate templates expires sooner than expected

1 Answers1