W2K8 PKI - Extend Subordinate CA Lifetime

Hi,
I have installed a W2K8 offline Root CA and now want to install an online issuing CA.
How can I influence the lifetime of the issuing CA? The problem is that the offline Root CA forces a lifetime of 1 year, but I need a longer one.
I've seen several articles about modifying the RenewalValidityPeriod in the CAPolicy.inf located in the system root, but I cannot find this file.

So what can I do now?

thanks
merowinger asked:
 
merowinger (Author) commented:
Update:
I found articles where the solution was to create a CAPolicy.inf file before installing the subordinate CA (http://www.windowsecurity.com/articles/Microsoft-PKI-Quick-Guide-Part3.html), but this does not work for me.
Now I found an article which finally solved it:
http://technet.microsoft.com/en-us/library/cc962064.aspx
It describes that those changes must be made in the registry of the Root CA.
So I changed the value of the key ValidityPeriodUnits under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ to the one I needed, and now it works.

Hope this article will help other people :)

Paranormastic (Cryptographic Engineer) commented:
If the root forces a one year maximum lifetime, then you need to change that.
http://technet.microsoft.com/en-us/library/cc962064.aspx
http://technet.microsoft.com/en-us/library/cc728279.aspx

The CAPolicy.inf file is something that you create in Notepad and save in your system directory (c:\windows); it will then be used when you create or renew your CA cert. Essentially, this file is used to set certain registry keys - you could just set those keys manually instead of using the .inf file - it's a preference thing in most cases. If you take the name of the string or DWORD, that will generally be the value for the CAPolicy.inf file, for example:
ValidityPeriod="Years"
ValidityPeriodUnits="5"

All windows servers, regardless of version, will start the .inf file with:
[Version]
Signature= "$Windows NT$"

Then there will be other categories specified as desired; most standard things will fall under [Certsrv_Server], such as the above examples about the validity period. Anything you don't specify will remain unchanged from the default or existing (if defaults were already modified) settings.

Also keep in mind that no certificate that a CA issues can have a validity period past its own lifetime. For example, if your root CA's cert is good for a year and a half, then if you set up your sub CA to be valid for 5 years, it will be truncated down to 1.5 years, and the same goes for all certs issued from that sub CA. A shorter period based on the policy.inf file or certificate template will be enforced, but a longer period is restricted by the maximum lifetime allowed by the CA and the CA certificate. The way to work around that would be to renew the root certificate so it is now valid for another 10 years, so your sub CA can be valid for 5.
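The registry change described in the thread, together with a check of the "no certificate outlives its issuer" rule from the last paragraph, as an added PowerShell example. This is not code from the original posts; it assumes you run it in an elevated prompt on the CA whose maximum validity you want to raise (the Root CA when the goal is a longer subordinate CA certificate), that the CA's registry name matches its certificate CN, and that a five-year period is what you want.

```powershell
# Added example: inspect and raise the maximum validity a Windows CA will
# issue, then apply the issuer-lifetime cap the thread describes.
# Assumption: run as administrator on the CA itself (the Root CA if you want
# the subordinate CA certificate to last longer).

# 1. Locate the active CA configuration key. CertSvc stores the active CA
#    name in the "Active" value under Configuration.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$caKey   = Join-Path $cfgRoot $caName

# 2. Show the current maximum validity for certificates this CA issues.
#    These are the same two values a CAPolicy.inf [Certsrv_Server] section sets.
Get-ItemProperty -Path $caKey -Name ValidityPeriod, ValidityPeriodUnits |
    Select-Object ValidityPeriod, ValidityPeriodUnits

# 3. Raise it to five years. certutil writes the same registry values;
#    CertSvc only re-reads them after a restart.
certutil -setreg CA\ValidityPeriod      'Years'
certutil -setreg CA\ValidityPeriodUnits 5
Restart-Service CertSvc

# 4. Issuer cap: a certificate never outlives the CA certificate that signs
#    it. Given the issuer's NotAfter and the requested period, return the
#    NotAfter that will actually be written into the issued certificate.
function Get-EffectiveNotAfter {
    param(
        [datetime]$NotBefore,
        [int]$RequestedYears,
        [datetime]$IssuerNotAfter
    )
    $requested = $NotBefore.AddYears($RequestedYears)
    if ($requested -gt $IssuerNotAfter) { return $IssuerNotAfter }
    return $requested
}

# Constructed sample (not from the thread): root certificate good for
# 18 months, subordinate CA requested for 5 years -> truncated to the
# root's own expiry.
$start        = Get-Date '2024-01-01'
$rootNotAfter = $start.AddMonths(18)
Get-EffectiveNotAfter -NotBefore $start -RequestedYears 5 -IssuerNotAfter $rootNotAfter

# 5. Read the real issuer NotAfter from this CA's own certificate so the
#    same check can be run against live values. Assumes the registry CA
#    name equals the certificate's CN.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Get-EffectiveNotAfter -NotBefore (Get-Date) -RequestedYears 5 -IssuerNotAfter $caCert.NotAfter
```

Step 3 only lifts the CA-side cap; if step 5 returns the CA certificate's own NotAfter rather than five years out, the CA certificate itself is the limit and must be renewed with a longer RenewalValidityPeriod first, exactly as the last paragraph of the answer says.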