Asked by merowinger (Germany)
W2K8 PKI - Extend Subordinate CA Lifetime

Hi,
I have installed a W2K8 Offline Root CA and now want to install an online issuing CA.
How can I influence the lifetime of the issuing CA? The problem is that the Offline Root CA forces a lifetime of 1 year... but I need a longer one.
I've seen several articles about modifying the RenewalValidityPeriod in the CAPolicy.inf located in the system root, but I cannot find this file.

So what can I do now?

Thanks
ASKER CERTIFIED SOLUTION (merowinger, Germany): solution text only available to Experts Exchange members.

If the root forces a one year maximum lifetime, then you need to change that.
http://technet.microsoft.com/en-us/library/cc962064.aspx
http://technet.microsoft.com/en-us/library/cc728279.aspx

The CAPolicy.inf file is something that you create in Notepad and save in your system directory (c:\windows); it will then be used when you create or renew your CA cert. Essentially, this file is used to set certain registry keys - you could just set those keys manually instead of using the .inf file - it's a preference thing in most cases. If you take the name of the string or DWORD, that will generally be the value for the capolicy.inf file, for example:
ValidityPeriod="Years"
ValidityPeriodUnits="5"

All windows servers, regardless of version, will start the .inf file with:
[Version]
Signature= "$Windows NT$"

Then there will be other categories specified as desired; most standard things, such as the validity period examples above, fall under [Certsrv_Server]. Anything you don't specify will remain unchanged from the default or existing (if defaults were already modified) settings.

Also keep in mind that no certificate that a CA issues can have a validity period past its own lifetime. For example, if your root CA's cert is good for a year and a half, then if you set up your sub CA to be valid for 5 years, it will be truncated down to 1.5 years, and the same goes for all certs issued from that sub CA. A shorter period based on the policy.inf file or certificate template will be enforced, but a longer period is restricted by the maximum lifetime allowed by the CA and the CA certificate. The way to work around that would be to renew the root certificate so it is now valid for another 10 years, so your sub CA can be valid for 5.
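The steps in the answer above, as an added PowerShell example that is not part of the original thread: raising the maximum validity the root CA will issue (the registry values behind the .inf keys, set here through certutil), writing a CAPolicy.inf into %SystemRoot% for the subordinate CA's own renewals, and a pre-check that the requested lifetime does not run past the issuer certificate's NotAfter, since anything longer is truncated. The path C:\PKI\RootCA.cer and the function name Test-RequestedLifetime are assumptions; the certutil and registry names are the standard ones used by the Windows CA service.

```powershell
# Added example (not from the original post). Placeholder: C:\PKI\RootCA.cer is an
# assumed path to the exported root CA certificate; adjust for your environment.

# --- 1. Run on the ROOT CA: the maximum validity of anything it issues (which is
# what caps the sub CA cert on first issue) lives in
# HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>.
# certutil reads and writes those values; a standalone CA defaults to 1 year.
certutil -getreg CA\ValidityPeriod
certutil -getreg CA\ValidityPeriodUnits
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\ValidityPeriodUnits 5
Restart-Service -Name CertSvc          # the new values apply after a service restart

# --- 2. CAPolicy.inf for the SUBORDINATE CA, created by hand in %SystemRoot%.
# The setup/renewal wizard reads it; the Renewal* keys govern the sub CA's own
# certificate when it is renewed. A single-quoted here-string keeps $Windows NT$ literal.
$inf = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
'@
Set-Content -Path (Join-Path $env:SystemRoot 'CAPolicy.inf') -Value $inf -Encoding ASCII

# --- 3. Pre-check: a sub CA cert can never outlive its issuer, so compare the
# requested lifetime with the root certificate's NotAfter before submitting the request.
function Test-RequestedLifetime {
    param(
        [Parameter(Mandatory)] [string] $IssuerCertPath,   # exported issuer (root) .cer
        [Parameter(Mandatory)] [int]    $RequestedYears    # lifetime you intend to request
    )
    $issuer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IssuerCertPath
    $wanted = (Get-Date).AddYears($RequestedYears)
    if ($wanted -gt $issuer.NotAfter) {
        $msg = 'Requested NotAfter {0:u} exceeds issuer NotAfter {1:u}; the sub CA cert ' +
               'would be truncated to the issuer date. Renew the root with a longer ' +
               'RenewalValidityPeriod first.'
        Write-Warning ($msg -f $wanted, $issuer.NotAfter)
        return $false
    }
    return $true
}

Test-RequestedLifetime -IssuerCertPath 'C:\PKI\RootCA.cer' -RequestedYears 5
```

Step 1 belongs on the offline root (it is the root's ValidityPeriodUnits that produces the one-year cap the question describes), step 2 on the machine that will become the issuing CA, and step 3 can run anywhere the exported root certificate is available; if the check returns $false, renew the root certificate with a longer RenewalValidityPeriod before issuing the subordinate certificate, as the answer suggests.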