How do I change the expiration time on a user certificate that I have created in Windows Server 2003?

I am trying to figure out how to change the certificate period from the default of 1 year to something like 3-5 years on a user cert; we don't want to reissue certs every year for every user that is going to have one.
Is there a way to change the validity period from 1 year to 3 years?
Please let me know.

Thanks,
MGS-TECH Asked:
Paranormastic (Cryptographic Engineer) Commented:
A few things to check here - each are necessary.

1) If you are running an Enterprise CA that is using templates, open Certificate Templates MMC - open up properties of the template - on the default General tab, the Validity Period should be configured as desired.  The Renewal Period is the period of time prior to expiration that the cert will be valid for renewal (mainly used for autoenrollment renewals).  Repeat for all desired templates.

2) Your CA must be set to issue certs for the necessary period of time.
This will tell you the existing settings. On the CA, run this from cmd:
certutil -getreg ca\ValidityPeriod
certutil -getreg ca\ValidityPeriodUnits

To change:
certutil -setreg ca\ValidityPeriod Years
certutil -setreg ca\ValidityPeriodUnits 5
net stop certsvc
net start certsvc

Alternatively, follow this to directly modify the registry, same thing though.
http://support.microsoft.com/kb/254632/

3) Your CA certs must be valid for a long enough period of time.  A CA cannot issue a cert with a validity period past its own cert, e.g. if your CA has a 5 year cert and you are on year 4 (1 year left) and you issue a 2 year cert, it will only be valid for 1 year (expiring at the same time as the CA cert).  Due to this, it is common practice to set end entity certs to be 1/2 the lifetime of the CA cert, or less.  Then when the 1/2 point has come, you renew the CA cert.

In your case, you may wish to extend the lifetime of the CA cert and reissue so it is valid for 10 years instead of 5.  You probably want to renew your CA cert reusing the same keypair to make things easier - if you want to use a new key pair, research this or ask first.

1st things first, on each CA.
- Certification Authorities MMC (CA MMC) - right click CAName - All Tasks - Backup CA.  Follow the wizard and select CA private key and CA database, do not select incremental.
- publish a new CRL from each CA and deploy to CDPs.  Since you're running a CA already I'm assuming you know how to do this primary task, if not then see if there is an existing script (scheduled tasks) that can be run, else just ask.
- full system backup include system state.

certutil -renewCert Reusekeys
-OR-
Open CA MMC and right click CAName - All Tasks - Submit new request... and save the .req file.

Both methods: have the root sign the request to issue the signed cert, then either:
certutil -installcert filename.crt
-OR-
CA MMC - right-click CAName - All Tasks - Install certificate

net stop certsvc
net start certsvc

Hopefully this is a two tier PKI, if so then do this on the root first so its lifetime is longer than the sub CA.  With the root, you may want to set its lifetime to 20 years, then reset it to 10 years when you issue the sub CA cert, so your sub CA can issue 5 year certs.  Then you can renew your sub every 5 years and root every 10.  Otherwise you can have both valid for 10 years and just renew both at the same time every 5 years (root first).
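The three checks in the answer above (template period, CA registry cap, remaining life of the CA's own cert), as an added PowerShell example. This is not code from the original answer; it only wraps the certutil commands the answer lists. Assumptions: it runs on the CA itself as an account with 'Manage CA', certutil.exe is on PATH, `certutil -getreg` prints lines of the form `ValidityPeriod REG_SZ = Years` and `ValidityPeriodUnits REG_DWORD = 5`, and the template's Validity Period is passed in as a parameter because the script does not read the AD template container. On Windows Server 2003 PowerShell is a separate install.

```powershell
<#
  Added example for this thread, not the answer's own code.
  Reports the effective validity a user cert would get today and warns on each
  of the three conditions the answer says must hold.
#>
param(
    [int]$WantedYears   = 5,   # validity you want end-entity certs to get
    [int]$TemplateYears = 5    # assumption: value on the template's General tab
)

$unitDays = @{ Years = 365; Months = 30; Weeks = 7; Days = 1 }   # Hours handled below

function Get-CaValidityCapDays {
    # Parse the two registry values the answer tells you to check.
    $period = certutil -getreg 'ca\ValidityPeriod'      | Out-String
    $units  = certutil -getreg 'ca\ValidityPeriodUnits' | Out-String
    if ($period -notmatch 'ValidityPeriod\s+REG_SZ\s*=\s*(\w+)') {
        throw "Could not parse ca\ValidityPeriod from certutil output"
    }
    $name = $matches[1]
    if ($units -notmatch 'ValidityPeriodUnits\s+REG_DWORD\s*=\s*(\d+)') {
        throw "Could not parse ca\ValidityPeriodUnits (parser assumes decimal output)"
    }
    $count = [int]$matches[1]
    if ($name -eq 'Hours') { return $count / 24 }
    if (-not $unitDays.ContainsKey($name)) { throw "Unexpected ValidityPeriod unit '$name'" }
    return $count * $unitDays[$name]
}

function Get-CaCertificate {
    # certutil -ca.cert writes the CA's current signing cert to a file; .NET reads the dates.
    $tmp = Join-Path $env:TEMP 'ca-current.cer'
    certutil -ca.cert $tmp | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed (run this on the CA with Manage CA rights)" }
    return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp
}

$capDays    = Get-CaValidityCapDays
$caCert     = Get-CaCertificate
$now        = Get-Date
$caLeft     = ($caCert.NotAfter - $now).TotalDays
$caLifetime = ($caCert.NotAfter - $caCert.NotBefore).TotalDays
$wantDays   = $WantedYears   * 365
$tmplDays   = $TemplateYears * 365

# The issued cert gets the shortest of these; the CA never issues past its own NotAfter.
$effective = @($wantDays, $tmplDays, $capDays, $caLeft) | Sort-Object | Select-Object -First 1

"Requested            : {0,6:N0} days" -f $wantDays
"Template allows      : {0,6:N0} days" -f $tmplDays
"CA registry cap      : {0,6:N0} days (ca\ValidityPeriod / ValidityPeriodUnits)" -f $capDays
"CA cert remaining    : {0,6:N0} days (NotAfter {1})" -f $caLeft, $caCert.NotAfter
"Effective validity   : {0,6:N0} days for a cert issued today" -f $effective

if ($tmplDays -lt $wantDays) {
    Write-Warning "Raise Validity Period on the template (duplicate it if the field is greyed out)."
}
if ($capDays -lt $wantDays) {
    Write-Warning "Run: certutil -setreg ca\ValidityPeriod Years ; certutil -setreg ca\ValidityPeriodUnits $WantedYears ; then restart certsvc."
}
if ($caLeft -lt $wantDays) {
    Write-Warning "CA cert expires in $([int]$caLeft) days; issued certs will be cut short to that date. Renew the CA cert first (root before sub CA)."
}
# Rule of thumb from the answer: renew the CA cert once it is past the half-way point of its life.
if ($caLeft -lt ($caLifetime / 2)) {
    Write-Warning "CA cert is past half its lifetime; plan the CA renewal (certutil -renewCert ReuseKeys) now."
}
```

Run it once before changing anything and again after the template, registry and CA-cert steps; the "Effective validity" line should equal the requested period only when all three warnings are gone.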
MGS-TECH (Author) Commented:
For whatever reason I can't change the validity period in the Certificate Templates GUI. The option is greyed out. Also, if I revoke all of my certificates in the current CA, including domain controller certificates, what is this really going to affect? Thanks for the prompt response.

Paranormastic (Cryptographic Engineer) Commented:
Sorry for the delay getting back on this.  If you reuse the same keyset you shouldn't have to reissue certs for all your clients until their normal expiration date.  Otherwise, you will need to reissue them all.

The biggest ones are going to be the domain controller certs and the web server certs, and smartcards if you use them - the latter two because they will be more manual process.

For the DC certs, after you issue the new cert to it, you will need to bounce the DC to start using the new cert instead of the old one from cache.  Can also use the command 'certutil -dcinfo deletebad' before bouncing to give the best chance.  To push autoenrollment, from the client issue 'certutil -pulse'

If I didn't mention before, you will also need to redistribute the new root cert - GPO is the easiest way for most.
Paranormastic (Cryptographic Engineer) Commented:
If the options are greyed out then it is a permissions issue.  Open the CA MMC and open the properties of CAName and go to the Security tab.  Look for who has allow permissions for 'Manage CA' - usually this will be various admin groups.  Make sure you are using an account with the correct permissions.  Note that if you change permissions, it may take a few minutes for any changes to replicate in AD.  Also make sure there aren't any groups that are denied.

The other possibility if everything looks good would be if the CA has role separation enabled.  This isn't common, but it happens sometimes.  On the CA itself, open cmd and run 'certutil -getreg ca\RoleSeparationEnabled'  -- if returns 0 or cannot find key then it isn't enabled, if it returns 1 then it is enabled.  If it is enabled, let me know and we can go from there - do not disable it - it may be enabled by a specific PKI team that may get angry if you disable it without their permission.
MGS-TECH (Author) Commented:
I have checked the permissions on the CA and I already have permission to the User Cert Template. Is it greyed out because the check mark on the User Cert Template is checked for Publish certificate in Active Directory?

Paranormastic (Cryptographic Engineer) Commented:
Try duplicating the template and change the validity period on the duplicate template (and anything else you wanted to change).
MGS-TECH (Author) Commented:
Not to get off topic at all here, but I think I have a big problem. I uninstalled my root CA and decommissioned it. I then realized I shouldn't have done that and tried to do a restore after the reinstall of Certificate Services. It looks like it is now back up and running, however when I go into the CA manager, under Failed Requests I have a "The requested certificate is revoked. 0x80092010 (-2148685616)" error. Please help.
MGS-TECH (Author) Commented:
Also, under Issued Certificates, all the certificates show they aren't going to expire until 2010, but when I click on any of them, it says "This certificate has been revoked by its certification authority".

MGS-TECH (Author) Commented:
Now I have another problem. When I open up the Enterprise PKI tool, I have many errors.
Please let me know what I can do to troubleshoot the issues.
Attached are the print screen of my errors.
Please help, I am up a creek without this stuff working.
Thanks,

Attachments: pki1.JPG, pki2.JPG
Paranormastic (Cryptographic Engineer) Commented:
Wow..  sorry for the delay getting back on this one!

Do you have a full system state backup of the root from prior to revocation?  If so, restore that.

Alternatively, if you back up the CA database you can try restoring that - this would be done either through the CA MMC using the Backup CA option or from cmd 'certutil -backupdb PATH' - this may have been set up as a .bat file running as a scheduled task, but unfortunately this usually gets overlooked.

If you have a previous copy of the CRL file you can re-sign it while we troubleshoot further:
copy old CRL that did not have any revocations for the issuing ca or itself and issue the cmd:
certutil -sign CRLFILE.crl 30:0
This will re-sign the crl file and assign a validity of 30 days:0 hours (adjust as desired).

Rename the newly signed CRL file to match the original exactly - including case sensitivity.  Then copy this newly signed CRL file out to all the CDP locations.
Paranormastic (Cryptographic Engineer) Commented:
Note for previous copies of your CRL - check backups of the servers that host the CDP locations ;)
Paranormastic (Cryptographic Engineer) Commented:
The CRL re-sign above should get you back to operational for now - I will try to check back before I head out in about 2 hours.