W2K8 PKI - Extend Subordinate CA Lifetime

Posted on 2009-04-22
Last Modified: 2013-12-04
I have installed a W2K8 offline root CA and now want to install an online issuing CA.
How can I influence the lifetime of the issuing CA? The problem is that the offline root CA forces a lifetime of 1 year... but I need a longer one.
I've seen several articles about modifying the RenewalValidityPeriod in the CAPolicy.inf located in the system root - but I cannot find this file.

So what can I do now?

Question by:merowinger
    Accepted Solution

    I found articles where the solution was to create a CAPolicy.inf file before installing the subordinate CA, but this does not work for me.
    Now I found an article which finally solved it:
    It describes that those changes must be made in the registry of the root CA...
    So I changed the value of the key ValidityPeriodUnits under
    \Configuration\ to the one I needed and now it works.

    Hope this article will help other people :)
    Expert Comment

    If the root forces a one year maximum lifetime, then you need to change that.

    The CAPolicy.inf file is something that you create in Notepad and save in your system directory (c:\windows); then that will be used when you create or renew your CA cert. Essentially, this file is used to set certain registry keys - you could just set those keys manually instead of using the .inf file - it's a preference thing in most cases. If you take the name of the string or DWORD, that will generally be the value for the capolicy.inf file, for example:

    All Windows servers, regardless of version, will start the .inf file with:
    Signature= "$Windows NT$"

    Then there will be other categories specified as desired, most standard things will fall under [Certsrv_Server] such as the above examples about the validity period.  Anything you don't specify will remain unchanged from the default or existing (if defaults were already modified) settings.

    Also keep in mind that no certificate that a CA issues can have a validity period past its own lifetime. For example, if your root CA's cert is good for a year and a half, then if you set up your sub CA to be valid for 5 years, it will be truncated down to 1.5 years, same for all certs issued from that sub CA. A shorter period based on policy.inf file or certificate template will be enforced, but a longer period is restricted by the maximum lifetime allowed by the CA and the CA certificate. The way to work around that would be to renew the root certificate so it is now valid for another 10 years so your sub CA can be valid for 5.
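    The registry change from the accepted solution, together with the truncation caveat from the comment above, as an added example that is not part of the thread. It is run in an elevated PowerShell on the root CA; the CA common name and the 5-year target are assumptions to adjust.

```powershell
# Added example (not from the thread). Raise the lifetime the root CA assigns to
# the certificates it issues (which includes the subordinate CA certificate),
# then confirm the new lifetime still fits inside the root CA cert's own validity.
param(
    [string]$CaCommonName = 'Contoso Offline Root CA',   # assumption: your root CA name
    [int]$Years = 5                                     # assumption: wanted sub CA lifetime
)

# 1. Record the current setting (W2K8 default is 1 Year) before changing it.
certutil -getreg CA\ValidityPeriod
certutil -getreg CA\ValidityPeriodUnits

# 2. Set the maximum lifetime of certificates issued by this CA. certutil writes the
#    ValidityPeriod / ValidityPeriodUnits values under
#    HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>.
certutil -setreg CA\ValidityPeriod 'Years'
certutil -setreg CA\ValidityPeriodUnits $Years

# 3. The service reads these values at start, so restart it.
Restart-Service -Name CertSvc

# 4. Caveat: nothing issued can outlive the CA's own certificate. Warn if the root
#    cert expires before a sub CA cert issued today would, because the sub CA cert
#    would silently be truncated to the root's NotAfter date.
$rootCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaCommonName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($null -eq $rootCert) {
    throw "Root CA certificate '$CaCommonName' not found in Cert:\LocalMachine\My"
}

$wanted = (Get-Date).AddYears($Years)
if ($rootCert.NotAfter -lt $wanted) {
    $msg = 'Root CA cert expires {0:yyyy-MM-dd}; a {1}-year sub CA cert issued now ' +
           'would be truncated to that date. Renew the root CA first ' +
           '(CAPolicy.inf [Certsrv_Server] RenewalValidityPeriod / RenewalValidityPeriodUnits).'
    Write-Warning ($msg -f $rootCert.NotAfter, $Years)
} else {
    Write-Host ('OK: root CA cert valid until {0:yyyy-MM-dd}, which covers a {1}-year sub CA cert.' -f $rootCert.NotAfter, $Years)
}
```

    Step 4 is the check to run before requesting the subordinate CA certificate; if it warns, extending the root's issuing lifetime alone will not give you the longer sub CA cert.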
