W2K8 PKI - Extend Subordinate CA Lifetime

Posted on 2009-04-22
Last Modified: 2013-12-04
I have installed a W2k8 Offline Root CA and now want to install an online issuing CA.
How can I influence the lifetime of the issuing CA? The problem is that the Offline Root CA forces a lifetime of 1 year... but I need a longer one.
I've seen several articles about modifying the RenewalValidityPeriod in the CAPolicy.inf located in the system root, but I cannot find this file.

So what can I do now?

Question by:merowinger

Accepted Solution

merowinger earned 0 total points
ID: 24205815
I found articles where the solution was to create a CAPolicy.inf file before installing the subordinate CA (http://www.windowsecurity.com/articles/Microsoft-PKI-Quick-Guide-Part3.html), but this does not work for me.
Now I found an article which finally solved it:
It describes that those changes must be made in the registry of the root CA...
So I changed the value of the key ValidityPeriodUnits under
\Configuration\ to the one I needed, and now it works.

Hope this article will help other people :)

Expert Comment

ID: 24205905
If the root forces a one-year maximum lifetime, then you need to change that.

The CAPolicy.inf file is something that you create in Notepad and save in your system directory (c:\windows); that will then be used when you create or renew your CA cert. Essentially, this file is used to set certain registry keys. You could just set those keys manually instead of using the .inf file; it's a preference thing in most cases. If you take the name of the string or DWORD, that will generally be the value for the capolicy.inf file, for example:

All Windows servers, regardless of version, will start the .inf file with:
Signature= "$Windows NT$"

Then there will be other categories specified as desired; most standard things will fall under [Certsrv_Server], such as the above examples about the validity period. Anything you don't specify will remain unchanged from the default or existing (if defaults were already modified) settings.

Also keep in mind that no certificate that a CA issues can have a validity period past its own lifetime. For example, if your root CA's cert is good for a year and a half, then if you set up your sub CA to be valid for 5 years, it will be truncated down to 1.5 years, and the same goes for all certs issued from that sub CA. A shorter period based on the policy.inf file or certificate template will be enforced, but a longer period is restricted by the maximum lifetime allowed by the CA and the CA certificate. The way to work around that would be to renew the root certificate so it is valid for another 10 years, so your sub CA can be valid for 5.
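The following is an added example, not code posted in this thread: it applies the accepted solution (raising ValidityPeriod/ValidityPeriodUnits in the root CA's registry with certutil) and then checks the caveat from the comment above, that the root CA's own certificate must still cover the requested period. It assumes it is run as an administrator on the root CA and that a 5-year subordinate CA certificate is wanted.

```powershell
# Added example (not from the original thread). Run as an administrator on the
# ROOT CA, i.e. the CA that will sign the subordinate CA certificate.
# Assumption: the subordinate CA certificate should be valid for 5 years.
$Years = 5

# 1. The maximum validity of anything the root CA issues is governed by the
#    ValidityPeriod / ValidityPeriodUnits values under
#    HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>.
#    certutil -setreg writes them without browsing the registry by hand.
certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg ca\ValidityPeriodUnits $Years

# 2. The CA service reads these values at start-up, so restart it.
Restart-Service certsvc

# 3. Verify that the new values took effect.
certutil -getreg ca\ValidityPeriod
certutil -getreg ca\ValidityPeriodUnits

# 4. No issued certificate can outlive the issuing CA's own certificate, so
#    compare the requested period with the root CA certificate's NotAfter.
#    certutil -ca.cert exports the CA's current certificate to a file.
$certFile = Join-Path $env:TEMP 'rootca.cer'   # constructed temporary path
certutil -ca.cert $certFile | Out-Null
$rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile
$requestedEnd = (Get-Date).AddYears($Years)

if ($rootCert.NotAfter -lt $requestedEnd) {
    Write-Warning ("Root CA certificate expires {0:yyyy-MM-dd}; a {1}-year subordinate CA " +
                   "certificate would be truncated to that date. Renew the root CA " +
                   "certificate first." -f $rootCert.NotAfter, $Years)
} else {
    Write-Output ("Root CA certificate is valid until {0:yyyy-MM-dd}; a {1}-year " +
                  "subordinate CA certificate can be issued in full." -f $rootCert.NotAfter, $Years)
}
```

After this, submit the subordinate CA's request to the root and issue it; the issued certificate will carry the new validity period unless the root certificate expires earlier.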
