X509 Certificate Expiry

Posted on 2006-05-16
Last Modified: 2010-08-05

I have an application that uses the XEnroll lib to create a certificate signing request and then has the certificate signed by our CA so that I can export it to another application.

My question: is it possible to set the expiry date of these certificates programmatically using XEnroll or anything else for that matter?

I have searched the forums without success and I have investigated the documentation on XEnroll (such as it is) and have found no answers.

I know it is possible to set the expiry date if you manually create a certificate, so it stands to reason that you should be able to do it programmatically.

Any help appreciated.

Question by: JesusHatesMe

    Author Comment

    Never mind, I have discovered that you can get access to the validto property through the CAPICOM DLL

    : )

    Author Comment

    Correction: it's not possible to alter the valid to date after the certificate has been signed by the CA.

    It must be done at the certificate request stage, I guess...

    Any ideas?

    Author Comment

    OK, I've worked it out finally after scouring the net.

    The certificate expiry is set when the CA signs the certificate. You have two options when setting the validity period of the certificate:

    1) set the default by changing the reg key on the CA server (note that this will affect all certificates signed by this CA)


    In the right pane, double-click ValidityPeriod.
    In the Value data box, type one of the following, and then click OK:
    • Days
    • Weeks
    • Months
    • Years

    2) set the validity period on a certificate by certificate basis by setting the reg key on the CA server

    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE

    Then on the ICertRequest::Submit interface we can add the attribute "ValidityPeriod:Days\nValidityPeriodUnits:90"

    Days, Weeks, Months, Years are allowed
    For example, in C#:

    // SigningResult, CSREncodingFormat and CertificateFormat are the poster's own enums (not shown).
    public static string SignCertificateRequest(string inCSR, string inServer, string inAuthority, string sValidityPeriodInDays, out SigningResult result)
    {
        result = SigningResult.Incomplete;
        string strCert = null;

        // we should be able to create a PKCS10 object somehow, and check that it
        // has some extra attributes for us...

        // NewCertRequestFromType is not defined in the post; it must supply an ICertRequest instance.
        ICertRequest certRequest = NewCertRequestFromType;
        // Request attributes are newline-separated name:value pairs.
        string attributes = "ValidityPeriod:Days\nValidityPeriodUnits:" + sValidityPeriodInDays;
        // CA config string in the form server\authority.
        string config = string.Format(@"{0}\{1}", inServer, inAuthority);
        result = (SigningResult) certRequest.Submit(((int) CSREncodingFormat.Base64 | (int) CertificateFormat.PKCS10), inCSR, attributes, config);
        // Only fetch the certificate when the CA issued it immediately.
        if (result == SigningResult.Issued)
        {
            strCert = certRequest.GetCertificate((int) CSREncodingFormat.Base64Header);
        }
        return strCert;
    }
    Cheers JC
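
Added example, not part of the original post: the attribute string passed to ICertRequest::Submit above is built by concatenating a caller-supplied string, so a value containing a line break would add further request attributes. This sketch validates the unit and count before building the string; `ValidityAttributes`, `Build` and the `maxUnits` limit are hypothetical names chosen for illustration.

```csharp
using System;
using System.Globalization;

// Added example: builds the request-attribute string for ICertRequest::Submit.
// ValidityAttributes, Build and maxUnits are hypothetical, not from the post.
public static class ValidityAttributes
{
    // Units the post lists as allowed.
    private static readonly string[] AllowedUnits = { "Days", "Weeks", "Months", "Years" };

    public static string Build(string unit, string count, int maxUnits)
    {
        // Exact, case-sensitive match against the allow-list; anything else is rejected.
        if (Array.IndexOf(AllowedUnits, unit) < 0)
            throw new ArgumentException("Unsupported validity unit.", nameof(unit));

        // NumberStyles.None accepts decimal digits only: no sign, white space or
        // line breaks, so the value cannot start a second attribute line.
        if (!int.TryParse(count, NumberStyles.None, CultureInfo.InvariantCulture, out int n)
            || n < 1 || n > maxUnits)
            throw new ArgumentException("Validity count out of range.", nameof(count));

        return "ValidityPeriod:" + unit + "\nValidityPeriodUnits:"
             + n.ToString(CultureInfo.InvariantCulture);
    }

    public static void Main()
    {
        // Constructed inputs: one valid value, three that must be rejected.
        string[][] samples = {
            new[] { "Days", "90" },
            new[] { "Days", "90\nExtra:value" },
            new[] { "Fortnights", "2" },
            new[] { "Days", "9000" },
        };
        foreach (string[] s in samples)
        {
            try
            {
                string attrs = Build(s[0], s[1], 730); // 730 is an assumed policy limit
                Console.WriteLine("OK: " + attrs.Replace("\n", "\\n"));
            }
            catch (ArgumentException e)
            {
                Console.WriteLine("Rejected: " + e.Message);
            }
        }
    }
}
```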


    Accepted Solution

    Closed, 250 points refunded.

    The Experts Exchange
    Community Support Moderator of all Ages
