Extend Windows CA valid period

My client installed an Enterprise certificate a few months ago and let the CA's valid period be 3 years in the installation. I noticed the template's valid period was set or defaulted to three years. Then a certificate was duplicated from that template for servers and PCs. Also, a GPO was configured to auto-enroll.
My understanding is that the cert is being issued to PCs and servers and will be replaced after three years when the cert expires, and also that if I install a new server today, that server will get a cert to cover three years from today. I might be wrong to assume that. I am not sure what the CA valid period is doing here and what the template expiry date is.
Experts out there,
1. If the CA's valid period and the template expiry/valid period are the same, then how do I extend the CA's valid period to 5 or 6 years?
2. Does the CA get the same certificate as the rest of the servers and PCs, that is, is the root certificate the same as the rest of the servers?
I would appreciate it if you could shed light on these.
sara2000 Asked:
Mahesh (Architect) Commented:
The validity period of any certificate generated by a Windows CA is the lesser of these three values:
- The remaining lifetime of the root CA server
- The value specified in the certificate template
- The value specified in the CA server registry (default is 2 years)
Whichever is far less will take precedence and be applied to the actual cert issued.
You can increase the root CA certificate validity by adding a capolicy.inf file with a greater value and then renewing the CA certificate while keeping the same key pair.
After that, tell the CA to allow issuance of certificate templates with a longer time period by setting up the registry.
http://www.expta.com/2010/08/how-to-create-certificates-with-longer.html?m=1
AND
http://powershell365.com/2016/03/17/extend-default-certificate-expire-date-windows-ca/
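
Added example, not part of the original answer: a PowerShell sketch of the "lesser of three values" rule described above, applied to the situation in the question. The function name `Get-EffectiveNotAfter`, the dates and the scenario values are all constructed for illustration.

```powershell
# Added illustration. Dates and periods are constructed sample values.
function Get-EffectiveNotAfter {
    param(
        [datetime]$IssueDate,     # when the CA signs the new certificate
        [datetime]$CaNotAfter,    # expiry date of the CA's own certificate
        [int]$TemplateYears,      # validity period set on the certificate template
        [int]$RegistryYears       # CA registry limit, expressed in years
    )
    $candidates = [ordered]@{
        'CA certificate lifetime' = $CaNotAfter
        'Template validity'       = $IssueDate.AddYears($TemplateYears)
        'CA registry limit'       = $IssueDate.AddYears($RegistryYears)
    }
    # The earliest of the three end dates is the one applied to the issued cert.
    $winner = $candidates.GetEnumerator() | Sort-Object Value | Select-Object -First 1
    [pscustomobject]@{ NotAfter = $winner.Value; LimitedBy = $winner.Key }
}

$caInstalled = [datetime]'2018-01-15'   # constructed: CA installed with 3 years
$enrollDate  = [datetime]'2018-07-01'   # constructed: new server enrolls months later

$scenarios = @(
    @{ Name = 'As installed';                 CaNotAfter = $caInstalled.AddYears(3)
       TemplateYears = 3; RegistryYears = 2 },
    @{ Name = 'Registry/template 5y, old CA'; CaNotAfter = $caInstalled.AddYears(3)
       TemplateYears = 5; RegistryYears = 5 },
    @{ Name = 'CA renewed 5y, template 3y';   CaNotAfter = ([datetime]'2018-06-15').AddYears(5)
       TemplateYears = 3; RegistryYears = 5 }
)

foreach ($s in $scenarios) {
    $r = Get-EffectiveNotAfter -IssueDate $enrollDate -CaNotAfter $s.CaNotAfter `
            -TemplateYears $s.TemplateYears -RegistryYears $s.RegistryYears
    '{0,-30} NotAfter={1:yyyy-MM-dd}  limited by: {2}' -f $s.Name, $r.NotAfter, $r.LimitedBy
}
```

The middle scenario shows why raising only the template and registry values is not enough: a certificate issued today cannot outlive the CA certificate that signs it.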
sara2000 (Author) Commented:
Mahesh, thank you for the reply, and sorry for my ignorance.
I do not see a CApolicy.inf file in the system. Can I add that file now? If so, what is the procedure?
Mahesh (Architect) Commented:
Just follow the steps mentioned in the 2nd blog entry I posted.
Yes, you need to create a capolicy.inf file with the required parameters and renew the CA cert while keeping the same private key.

After that, make changes to the registry so that new cert templates can be created with a longer expiry duration and new certs can also be issued with a longer duration.
sara2000 (Author) Commented:
"after that make changes to registry so that new certs templates can be created with longer expiry duration and also can issue new certs with longer duration"
So we have to issue a new cert after performing the above action, and the current cert will not be extended for the client?
Mahesh (Architect) Commented:
Yes, that's right.
Once a certificate is issued, you cannot make any changes to the issued cert; you must renew the existing cert or request a new cert.
sara2000 (Author) Commented:
Do we have to manually issue the cert if the GPO is configured to auto-enroll?
Mahesh (Architect) Commented:
No, you don't.

When you configure a GPO for auto-enrollment, you also need to set the certificate template's permissions to allow Autoenroll.
sara2000 (Author) Commented:
If I understood correctly, these are the steps:
1. Create a CApolicy.inf file.
2. Go into the templates, duplicate a template, and set that new cert for 5 years.
3. Set the properties to auto-enroll and give permission etc.
4. A new certificate will be issued to servers and PCs via GP.
Or do steps 1-2 above and, in an existing certificate's properties, extend the valid period from 2 to 5 years. The GPO will replace the old cert with the extended-period cert.

Am I correct on those? Sorry for my lack of understanding; I have never done this.
Mahesh (Architect) Commented:
After the 1st step you need to renew the existing CA certificate while keeping the same private key.
After that, the rest of the steps are correct.
You then have the option to either renew the existing cert or request a new cert with the GPO.
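
Added example, not part of the original thread or the linked blog posts: the CA-side steps agreed on above (CAPolicy.inf, renewal with the same key, registry limit) as one PowerShell sequence. It assumes an elevated session on the root CA itself and uses the 5-year figure from the question; the output file name under `$env:TEMP` is an arbitrary choice.

```powershell
# Added illustration. Run elevated on the root CA; 5 years is the value
# discussed in the thread and should follow your own PKI policy.
$years = 5

# 1. CAPolicy.inf lives in %SystemRoot% and is read when the CA cert is renewed.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[certsrv_server]
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=$years
"@
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $inf -Encoding ASCII

# 2. Renew the CA certificate while keeping the existing key pair.
certutil -renewCert ReuseKeys

# 3. Raise the CA-wide cap on the validity of certificates it issues.
certutil -setreg CA\ValidityPeriodUnits $years
certutil -setreg CA\ValidityPeriod "Years"

# 4. Registry changes take effect after the CA service restarts.
Restart-Service -Name CertSvc

# 5. Verify: read the registry values back and check the renewed CA cert's expiry.
certutil -getreg CA\ValidityPeriodUnits
certutil -getreg CA\ValidityPeriod
$caCertFile = Join-Path $env:TEMP 'ca-renewed.cer'   # arbitrary output path
certutil -f -ca.cert $caCertFile | Out-Null
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCertFile
'CA certificate now valid until {0:yyyy-MM-dd}' -f $caCert.NotAfter
```

The template's own validity period and its Autoenroll permission are still set in the template's properties, as described in the steps above; certificates already issued keep their original expiry until they are renewed or re-requested.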
