Extend Windows root CA

I have been practicing extending the validity period of both the root CA and the user and computer certificates in our lab before working on the production server.
I was following the link below and a few EE articles. I still have a few questions since I am new to this.
http://powershell365.com/2016/03/17/extend-default-certificate-expire-date-windows-ca/
I got a new cert (see the picture); that is, there is an old and a new certificate for the root CA (certificate #0 and certificate #1).
The old certificate was imported via GPO into the trusted certificate store before, so the computers trust the CA, but it is going to expire soon.
1. How do I push this new cert to the PCs' trusted root certificate store?
2. Do I have to create new certs for users and computers after this?
Or am I doing it wrong?

sara2000 Asked:

Mahesh (Architect) Commented:
1. You can use Group Policy to push the new root CA cert to client computers; the policy should be applied at the domain level.
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy
OR
https://docs.centrify.com/en/css/2017.2-html/index.html#page/Additional_tools_and_topics/Adding_a_trusted_root_certificate_to_the_group_p.4.html

2. The answer to this question depends on how you renewed the root cert.
If you selected "use existing private key pair" during renewal, you don't need to reissue the certs for users and computers.
https://social.technet.microsoft.com/wiki/contents/articles/2016.root-ca-certificate-renewal.aspx
0
sara2000 (Author) Commented:
"2. The answer to this question depends on how you renewed the root cert.
If you selected "use existing private key pair" during renewal, you don't need to reissue the certs for users and computers."
I did use the existing key pair. In the picture above I have certificate #1; is that normal? Do I still have to import that cert #1?
Will the users' personal certs have a new expiry date?
0
Mahesh (Architect) Commented:
Certificate #1 is normal.
You have increased the certificate validity period and after that you renewed the cert, so it's perfect.
The old cert still remains valid until it expires.
The new client certificates you issue after renewal will look at cert #1 as their root certificate, and hence you need to publish the new cert as well.
Client certs which were already issued: nothing will change in those certs.
If you set the registry to increase client certs' validity, whenever the CA issues new certs you will notice the increase in their expiration period.
0
sara2000 (Author) Commented:
Sorry for my confusion!
"The new client certificates you issue after renewal will look at cert #1 as their root certificate, and hence you need to publish the new cert as well."
Is this the one where we go into Manage Templates and change the validity period? Or duplicate it from the old one and extend the validity period?
0
Mahesh (Architect) Commented:
NP.
Yes, you should go to the template properties and extend the validity period,
OR
you could duplicate a new template from the old one; that is always an option if the above did not work.
0
sara2000 (Author) Commented:
Will the CAPolicy.inf file alter the reg key? Or do I still have to change the reg key?
Would you mind putting down the parameters/reg keys which I have to take care of?
0
Mahesh (Architect) Commented:
CAPolicy.inf will simply extend the CA certificate expiry date when you renew it.

The registry values will be added when you run the commands mentioned in the article.
The setreg commands are the ones I am talking about;
those are already there in the article you posted in the question.
0
Mahesh (Architect) Commented:
The purpose of running the commands is to allow the CA to issue new certs with the validity period defined in the command.
0
sara2000 (Author) Commented:
"The purpose of running the commands is to allow the CA to issue new certs with the validity period defined in the command."
Which command?
0
Mahesh (Architect) Commented:
# Existing validity period unit configured (e.g. Years)
certutil -getreg ca\ValidityPeriod

# Existing number of validity period units configured; default is 2 (years)
certutil -getreg ca\ValidityPeriodUnits

# Extend the validity period to 5 years
certutil -setreg ca\ValidityPeriodUnits 5

# Restart Certificate Services so the new value takes effect (PowerShell cmdlet)
Restart-Service -Name certsvc

These are the commands you need to run on the CA server from an elevated cmd; this will allow you to issue certificates with 5 years' validity.
I have assumed that you already created CAPolicy.inf on the root CA and extended the CA certificate validity; only then will the above commands help.
0
sara2000 (Author) Commented:
Here is my confusion.
We create the CAPolicy.inf file to extend the validity period. My guess is that it will increase the CA root cert's validity period so PCs and servers can trust the existing/renewed root cert, since they have it in the trusted root store. Will the issued templates chain the validity period from the CA root cert?
What does CAPolicy.inf do compared to the above commands?
0
Mahesh (Architect) Commented:
As long as you renewed the root cert with the existing key pair, the template will locate / chain the renewed certificate as the root cert for issued certificates.

CAPolicy.inf ensures that the CA root certificate validity / expiration date will be increased, and the command ensures that the issued certificates' validity will be increased. Otherwise you might set the template validity to 5 years, but the validity period set in the registry (setreg command) is one or two years by default, and hence whenever you issue a new cert with a template having a validity of 5 years, the CA still issues the certificate with 1 or 2 years only, depending upon what you set in the registry; hence you increase the registry value to 5 years by running the setreg command.
The CA will issue the certificate with an expiration period which is the least of the below:
CA cert expiration period
Validity years set in the registry
Validity set in the template

Ex:
You installed the root CA five years ago with, say, 5 years' validity and you have a template with, say, 4 years' validity; now all your templates can issue certs with a validity of a maximum of one or two years, which is what is set in the registry (which is the minimum period).
Now you increase the CA validity period in the registry to, say, 4 years, and if you create a new template with 4 years' validity two years after the CA installation, you actually get 3 effective years, and certs issued by this template will expire after 3 years though it is set as 4 years in the template properties. The reason is that the CA certificate itself will expire after 3 years.
Now in CAPolicy.inf you set the CA validity to 20 years, and hence your CA cert is valid for the next 15 years from today, provided that you use the existing key pair to renew the CA cert. The existing key will retain the certificate private key's original generation date and add +20 years there.
(If you generate a new key pair during renewal, the CA will generate a new root cert with the next 20 years' validity from today.)
Once you have increased the CA expiration period by the above (CAPolicy.inf) method, you will issue the commands (setreg) to increase the validity period in the registry to, say, 5 years; now when you create a template with a 5-year validity period, indeed the issued certificate will have a 5-year expiry.
I hope this explains it from the base.

Check:
https://support.microsoft.com/en-in/help/254632/how-to-change-the-expiration-date-of-certificates-that-are-issued-by-a
0
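As an added example (not from the thread, the linked articles, or Microsoft), the following PowerShell script applies the "least of the three" rule above on the CA server, so you can see which limit is actually capping issued certificates before and after the setreg change. It assumes it is run elevated on the CA, that the CA's settings live under the CertSvc Configuration registry key that certutil -setreg ca\... writes to, and that the CA name contains no wildcard characters; the template's validity is passed as a parameter because the script does not read template objects from AD.

```powershell
# Added example, not from the thread: report the effective maximum validity the CA can
# issue, i.e. the least of (a) the CA certificate's remaining lifetime, (b) the registry
# ValidityPeriod/ValidityPeriodUnits that certutil -setreg ca\... writes, and (c) the
# template's validity. Assumed: run elevated on the CA; template validity given by hand.
param(
    [int]$TemplateValidityYears = 5   # value from the template's General tab (assumed 5)
)

# certutil -setreg ca\... writes under this key; 'Active' names the CA instance.
$cfgKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $cfgKey -Name Active).Active
$caKey     = Join-Path -Path $cfgKey -ChildPath $caName
$regUnits  = (Get-ItemProperty -Path $caKey -Name ValidityPeriodUnits).ValidityPeriodUnits
$regPeriod = (Get-ItemProperty -Path $caKey -Name ValidityPeriod).ValidityPeriod

# Normalise the registry setting to years (the thread only ever uses 'Years').
$regYears = switch ($regPeriod) {
    'Years'  { $regUnits }
    'Months' { $regUnits / 12 }
    'Days'   { $regUnits / 365 }
    default  { throw "Unexpected ValidityPeriod value '$regPeriod'" }
}

# The CA's own signing certificates sit in the machine personal store with a private key;
# after a renewal with the existing key there are two (cert #0 and cert #1), so take the
# one that expires last.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$caName*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $caCert) { throw "No CA certificate for '$caName' found in Cert:\LocalMachine\My" }
$caYearsLeft = [math]::Round(($caCert.NotAfter - (Get-Date)).TotalDays / 365.25, 2)

# Effective validity is the smallest of the three limits.
$effective = [math]::Min([math]::Min([double]$caYearsLeft, [double]$regYears), [double]$TemplateValidityYears)
[pscustomobject]@{
    CA                     = $caName
    CACertExpires          = $caCert.NotAfter
    CACertYearsLeft        = $caYearsLeft
    RegistryValidityYears  = $regYears
    TemplateValidityYears  = $TemplateValidityYears
    EffectiveValidityYears = $effective
}

# The case the thread describes: a 5-year template silently capped by a 2-year registry value.
if ($regYears -lt $TemplateValidityYears) {
    Write-Warning "Registry validity ($regYears y) caps the template ($TemplateValidityYears y); fix with: certutil -setreg ca\ValidityPeriodUnits $TemplateValidityYears, then Restart-Service certsvc"
}
```

Run it once before renewing and once after the CAPolicy.inf renewal plus setreg change; the CACertYearsLeft and EffectiveValidityYears columns show whether the renewed root (cert #1) or the registry value is now the binding limit.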
sara2000 (Author) Commented:
If I do the following:
1. Update CAPolicy.inf to a validity period of 10 years.
2. Apply the commands to make it 5 years.
3. Create a new template for 5 years and allow "Read" and "Autoenroll" permissions.
4. Issue this template.
Then PCs will have the new cert.
I will not get a new cert for 5 years if I do not create a new template and issue the template. That is, the old template is not going to be effective after the initial setting of 2 years even if I change the validity period from 2 years to 5 years. Am I correct on the above?
0
Mahesh (Architect) Commented:
What is the validity of the old template?
Is it 5 years or 2 years?

If it's two years, you need a new template with 5 years' validity.
If it's already 5 years, there is no need to issue a new template.
0
sara2000 (Author) Commented:
It is five years.
So I only need CAPolicy.inf and the commands, so the cert will be renewed after 5 years. Is that correct?
0
Mahesh (Architect) Commented:
YES, perfectly fine.
0
Mahesh (Architect) Commented:
Hi Sara,
I hope the question is resolved now.
Can you please close it so that I don't need to close it forcefully?
0