
X509 Certificate Expiry


I have an application that uses the XEnroll lib to create a certificate signing request, then sign the certificate with our CA so that I can export it to another application.

My question: is it possible to set the expiry date of these certificates programmatically using xenroll, or anything else for that matter?

I have searched the forums without success and I have investigated the documentation on xenroll (such that it is) and have found no answers.

I know it is possible to set the expiry date if you manually create a certificate, so it stands to reason that you should be able to do it programmatically.

Any help appreciated.

1 Solution
JesusHatesMeAuthor Commented:
Never mind, I have discovered that you can get access to the validto property through the CAPICOM dll


: )
JesusHatesMeAuthor Commented:
Correction: it's not possible to alter the valid-to date after the certificate has been signed by the CA.

It must be done at the certificate request stage I guess...

Any Ideas?
JesusHatesMeAuthor Commented:
OK, I've finally worked it out after scouring the net.

The certificate expiry is set when the CA signs the certificate. You have two options when setting the validity period of the certificate:

1) Set the default by changing the reg key on the CA server (note that this will affect all certificates signed by this CA):

   In the right pane, double-click ValidityPeriod.
   In the Value data box, type one of the following, and then click OK:
   • Days
   • Weeks
   • Months
   • Years

2) Set the validity period on a certificate-by-certificate basis by setting the reg key on the CA server:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE

Then, on the ICertRequest::Submit interface, we can add the attribute "ValidityPeriod:Days\nValidityPeriodUnits:90"

Days, Weeks, Months and Years are allowed.
For example, in C# (using the CERTCLIENTLib interop assembly for certcli.dll):

    using CERTCLIENTLib;

    // Flag and disposition values from certcli.h; the enum names are the author's,
    // the numeric values are CR_IN_BASE64 / CR_OUT_BASE64HEADER, CR_IN_PKCS10,
    // CR_DISP_INCOMPLETE and CR_DISP_ISSUED.
    public enum CSREncodingFormat { Base64Header = 0x0, Base64 = 0x1 }
    public enum CertificateFormat { PKCS10 = 0x100 }
    public enum SigningResult { Incomplete = 0, Issued = 3 }

    public static string SignCertificateRequest(string inCSR, string inServer, string inAuthority, string sValidityPeriodInDays, out SigningResult result)
    {
        result = SigningResult.Incomplete;
        string strCert = null;

        // we should be able to create a PKCS10 object somehow, and check that it
        // has some extra attributes for us...

        // CCertRequest is the CERTCLIENTLib coclass that implements ICertRequest
        ICertRequest certRequest = new CCertRequest();
        // the CA only honours these attributes when EDITF_ATTRIBUTEENDDATE is set in policy\EditFlags
        string attributes = "ValidityPeriod:Days\nValidityPeriodUnits:" + sValidityPeriodInDays;
        // CA config string in the form "server\authority"
        string config = string.Format(@"{0}\{1}", inServer, inAuthority);
        result = (SigningResult) certRequest.Submit(((int) CSREncodingFormat.Base64 | (int) CertificateFormat.PKCS10), inCSR, attributes, config);
        if (result == SigningResult.Issued)
            strCert = certRequest.GetCertificate((int) CSREncodingFormat.Base64Header);
        return strCert;
    }
Cheers JC
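As an added example (not part of the thread or JC's code), a C# check that the issued certificate really carries the requested period: if EDITF_ATTRIBUTEENDDATE is not set the CA silently ignores the attribute and issues with its default validity, and a CA also clamps any period that would run past its own certificate's expiry. It assumes the caller already has the Base64 string returned by GetCertificate; the class and method names are my own.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the original thread. Verifies that the CA honoured
// the ValidityPeriod/ValidityPeriodUnits request attributes instead of
// silently applying its default or clamping to its own lifetime.
public static class RequestedValidityCheck
{
    // Attribute string in the form ICertRequest::Submit expects, rejecting
    // units the CA does not recognise and non-positive counts.
    public static string BuildValidityAttributes(string unit, int count)
    {
        if (count <= 0)
            throw new ArgumentOutOfRangeException(nameof(count), "period must be positive");
        if (unit != "Days" && unit != "Weeks" && unit != "Months" && unit != "Years")
            throw new ArgumentException("unit must be Days, Weeks, Months or Years", nameof(unit));
        return "ValidityPeriod:" + unit + "\nValidityPeriodUnits:" + count;
    }

    // NotAfter the CA should have set, measured from the issued certificate's
    // own NotBefore (the CA back-dates NotBefore slightly to allow clock skew).
    public static DateTime ExpectedNotAfter(DateTime notBefore, string unit, int count)
    {
        switch (unit)
        {
            case "Days":   return notBefore.AddDays(count);
            case "Weeks":  return notBefore.AddDays(7.0 * count);
            case "Months": return notBefore.AddMonths(count);
            case "Years":  return notBefore.AddYears(count);
            default: throw new ArgumentException("unknown unit", nameof(unit));
        }
    }

    // Parse the Base64 string (with or without PEM armour) returned by
    // ICertRequest::GetCertificate and compare NotAfter with the requested period.
    // A one-day tolerance absorbs the CA's NotBefore adjustment; anything larger
    // means the request was ignored or clamped and should be treated as a failure.
    public static bool IssuedWithRequestedValidity(string issuedCert, string unit, int count)
    {
        string b64 = issuedCert.Replace("-----BEGIN CERTIFICATE-----", "")
                               .Replace("-----END CERTIFICATE-----", "")
                               .Replace("\r", "").Replace("\n", "");
        var cert = new X509Certificate2(Convert.FromBase64String(b64));
        DateTime expected = ExpectedNotAfter(cert.NotBefore, unit, count);
        return Math.Abs((cert.NotAfter - expected).TotalDays) <= 1.0;
    }
}
```

Call IssuedWithRequestedValidity on the string returned by SignCertificateRequest before exporting the certificate, so a CA that is still missing the EditFlags setting is caught at issuance time rather than when the certificate expires early.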

JesusHatesMeAuthor Commented:
Closed, 250 points refunded.

The Experts Exchange
Community Support Moderator of all Ages
