
X509 Certificate Expiry

Hi,

I have an application that uses the XEnroll lib to create a certificate signing request and then has the certificate signed by our CA, so that I can export it to another application.

My question: is it possible to set the expiry date of these certificates programmatically using xenroll, or anything else for that matter?

I have searched the forums without success and I have investigated the documentation on xenroll (such that it is) and have found no answers.

I know it is possible to set the expiry date if you manually create a certificate, so it stands to reason that you should be able to do it programmatically.

Any help appreciated.

JC
Asked by: JesusHatesMe
JesusHatesMe (Author) commented:
Never mind, I have discovered that you can get access to the validto property through the CAPICOM dll.

 Thanks!

: )
JesusHatesMe (Author) commented:
Correction: it's not possible to alter the valid-to date after the certificate has been signed by the CA.

It must be done at the certificate request stage I guess...

Any Ideas?
JesusHatesMe (Author) commented:
OK, I've finally worked it out after scouring the net.

The certificate expiry is set when the CA signs the certificate. You have two options when setting the validity period of the certificate:

1) Set the default by changing the reg key on the CA server (note that this will affect all certificates signed by this CA):

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>

In the right pane, double-click ValidityPeriod. In the Value data box, type one of the following, and then click OK:
• Days
• Weeks
• Months
• Years

2) Set the validity period on a certificate-by-certificate basis by setting the reg key on the CA server:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE

Then on the ICertRequest::Submit interface we can add the attribute "ValidityPeriod:Days\nValidityPeriodUnits:90"

Days, Weeks, Months and Years are allowed.
For example, in C#:

using CERTCLIENTLib;   // COM interop for certcli.dll (ICertRequest / CCertRequest)

// These three enums were not in the post; the values follow the CR_IN_*, CR_OUT_* and
// CR_DISP_* constants in certcli.h so the casts below line up with what Submit() returns.
public enum CSREncodingFormat { Base64Header = 0, Base64 = 1 }
public enum CertificateFormat { PKCS10 = 0x100 }
public enum SigningResult { Incomplete = 0, Error = 1, Denied = 2, Issued = 3, IssuedOutOfBand = 4, UnderSubmission = 5, Revoked = 6 }

public static string SignCertificateRequest(string inCSR, string inServer, string inAuthority, string sValidityPeriodInDays, out SigningResult result)
{
    result = SigningResult.Incomplete;
    string strCert = null;

    // we should be able to create a PKCS10 object somehow, and check that it
    // has some extra attributes for us...

    ICertRequest certRequest = new CCertRequest();
    // The CA only honours this pair when policy\EditFlags has EDITF_ATTRIBUTEENDDATE set;
    // otherwise its ValidityPeriod/ValidityPeriodUnits registry default applies.
    string attributes = "ValidityPeriod:Days\nValidityPeriodUnits:" + sValidityPeriodInDays;
    string config = string.Format(@"{0}\{1}", inServer, inAuthority);   // "server\CA name"
    result = (SigningResult) certRequest.Submit(((int) CSREncodingFormat.Base64 | (int) CertificateFormat.PKCS10), inCSR, attributes, config);
    if (result == SigningResult.Issued)
    {
        strCert = certRequest.GetCertificate((int) CSREncodingFormat.Base64Header);
    }
    return strCert;
}
Cheers JC

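To make the two mechanisms concrete, here is an added Python model (not code from the post, from XEnroll or from the CA itself) of how the CA chooses the validity period: it parses the attribute string format used above and applies the EditFlags rule, with the well-known cap at the CA certificate's own expiry. The function names are mine; the value 0x20 for EDITF_ATTRIBUTEENDDATE is the Windows SDK constant, and the CA-default arguments stand in for the ValidityPeriod / ValidityPeriodUnits registry values.

```python
import calendar
from datetime import datetime, timedelta
from typing import Optional, Tuple

EDITF_ATTRIBUTEENDDATE = 0x20  # policy\EditFlags bit set by the certutil command above
UNITS = ("Days", "Weeks", "Months", "Years")  # spellings accepted in ValidityPeriod

def parse_validity_attributes(attributes: str) -> Optional[Tuple[str, int]]:
    """Parse 'ValidityPeriod:<Units>\\nValidityPeriodUnits:<N>' as passed to ICertRequest::Submit;
    None when the pair is missing, the unit is not in UNITS, or N is not a positive integer."""
    fields = {}
    for line in attributes.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    units = fields.get("ValidityPeriod")
    count = fields.get("ValidityPeriodUnits", "")
    if units not in UNITS or not count.isdigit() or int(count) == 0:
        return None
    return units, int(count)

def effective_validity(edit_flags: int, default_units: str, default_count: int,
                       attributes: str) -> Tuple[str, int, str]:
    """The CA honours the request's own period only when EDITF_ATTRIBUTEENDDATE is set and
    the attribute pair is well formed; otherwise the CA-wide registry default wins."""
    requested = parse_validity_attributes(attributes)
    if edit_flags & EDITF_ATTRIBUTEENDDATE and requested is not None:
        return requested[0], requested[1], "request"
    return default_units, default_count, "ca-default"

def _add_months(dt: datetime, months: int) -> datetime:
    m = dt.month - 1 + months
    year, month = dt.year + m // 12, m % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])  # clamp, e.g. Jan 31 -> Feb 29
    return dt.replace(year=year, month=month, day=day)

def not_after(not_before: datetime, units: str, count: int,
              ca_not_after: Optional[datetime] = None) -> datetime:
    """End date for the period; an issued certificate never outlives the CA certificate,
    so the result is capped at ca_not_after when that is given."""
    if units == "Days":
        end = not_before + timedelta(days=count)
    elif units == "Weeks":
        end = not_before + timedelta(weeks=count)
    else:
        end = _add_months(not_before, count * (12 if units == "Years" else 1))
    return min(end, ca_not_after) if ca_not_after else end
```

Reading the flags from a real CA is the `certutil -getreg policy\EditFlags` output; if the bit is clear, a request carrying the attribute pair silently gets the default period, which is the behaviour the second comment above ran into.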
GranMod commented:
Closed, 250 points refunded.

GranMod
The Experts Exchange
Community Support Moderator of all Ages