sara2000
asked on
Extend Windows root CA
I have been practicing extending the validity period of both the root CA and the user and computer certificates in our lab before working on the production server.
I was following the link below.
http://powershell365.com/2016/03/17/extend-default-certificate-expire-date-windows-ca/ and a few EE articles. I still have a few questions since I am new to this.
I got a new cert (see the picture), that is, there is an old and new certificate for root CA (certificate#0 and certificate#1).
The old certificate was imported via GPO into the trusted root store before, so the computers trust the CA, but it is going to expire soon.
1. How do I push this new cert to the PCs' trusted root certificate store?
2. Do I have to create new certs for users and computers after this?
Or am I doing it wrong?
ASKER
"2. The answer to this question depends on how you renewed the root cert.
If you selected use existing private key pair during renewal, you don't need to reissue the certs for users and computers"
I did use the existing key pair. In the picture above I have certificate #1, is it normal? Do I still have to import that cert #1?
Will the user's personal cert have a new expiry date?
Certificate #1 is normal.
You have increased the certificate validity period and after that you have renewed the cert, so it's perfect.
The old cert still remains valid until it expires.
The new client certificates you issue after renewal will look at cert #1 as their root certificate and hence you need to publish the new cert as well.
Client certs which were already issued: nothing will change in those certs.
If you set the registry to increase client cert validity, whenever the CA issues new certs you will notice the increase in their expiration period.
ASKER
Sorry for my confusion!
"The new client certificates you issue after renewal will look at cert #1 as there root certificate and hence you need to publish new cert as well"
Is this the one where we go into manage template and change the validity period? Or duplicate it from the old one and extend the validity period?
NP
Yes,
You should go to the template properties and extend the validity period
OR
You could duplicate a new template from the old one; that is always an option if the above did not work.
ASKER
Will the CAPolicy.inf file alter the regkey? Or do I still have to change the regkey?
Would you mind listing the parameters/regkeys which I have to take care of?
CAPolicy.inf will simply extend the CA certificate expiry date when you renew it.
The registry entries will be added when you run the commands mentioned in the article.
I am talking about the setreg commands.
Those are already there in the article you posted in the question.
The purpose of running the commands is to allow the CA to issue new certs with the validity period defined in the command.
ASKER
"The purpose of running commands is to allow ca to issue new certs with validity period defined in command"
Which command?
#Existing Validity Period configured
certutil -getreg ca\ValidityPeriod
#Existing Validity Period Units configured. Default is 2 years
certutil -getreg ca\ValidityPeriodUnits
#Extend the Validity Period to 5 years
certutil -setreg ca\ValidityPeriodUnits 5
#Restart the Certificate Services (PowerShell; from cmd use: net stop certsvc & net start certsvc)
Restart-Service -Name certsvc
These are the commands you need to run on the CA server from an elevated prompt; this will allow you to issue certificates with 5 years validity.
I have assumed that you already created CAPolicy.inf on the root CA and extended the CA certificate validity; only then will the above commands help.
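The thread keeps circling the relationship between the registry limit set with certutil -setreg and the CA certificate renewed through CAPolicy.inf. The script below is an added example (not from the thread or the linked article) that reads both on the CA and reports the effective maximum lifetime of a newly issued certificate; it assumes it runs elevated on the CA itself and the standard AD CS registry location.

```powershell
# Added example: show the limits that decide how long a certificate the CA issues
# will actually be valid, and warn when the registry limit set with 'certutil -setreg'
# exceeds the remaining life of the CA certificate (why CAPolicy.inf renewal comes first).
# Assumptions: run elevated on the CA itself; standard AD CS registry location.
$csPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $csPath).Active
$ca     = Get-ItemProperty -Path "$csPath\$caName"

# Same values that 'certutil -getreg ca\ValidityPeriod' and 'ca\ValidityPeriodUnits' print
$units  = [int]$ca.ValidityPeriodUnits
$period = [string]$ca.ValidityPeriod       # Years, Months, Weeks or Days

# Export the current (most recently renewed) CA certificate and read its expiry
$tmp = Join-Path $env:TEMP 'ca-current.cer'
certutil -ca.cert $tmp | Out-Null
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $tmp

$now    = Get-Date
$regEnd = switch ($period) {
    'Years'  { $now.AddYears($units) }
    'Months' { $now.AddMonths($units) }
    'Weeks'  { $now.AddDays(7 * $units) }
    'Days'   { $now.AddDays($units) }
    default  { throw "Unexpected ValidityPeriod value '$period'" }
}

# AD CS does not issue a certificate that outlives the issuing CA certificate, so the
# effective limit is the earlier of the two dates. The template's own validity
# (five years in this thread) is a third cap applied on top of this result.
$effective = if ($caCert.NotAfter -lt $regEnd) { $caCert.NotAfter } else { $regEnd }

"CA                 : $caName"
"CA cert expires    : $($caCert.NotAfter.ToString('yyyy-MM-dd'))"
"Registry limit     : $units $period (until $($regEnd.ToString('yyyy-MM-dd')))"
"Effective max life : until $($effective.ToString('yyyy-MM-dd'))"
if ($caCert.NotAfter -lt $regEnd) {
    Write-Warning "Registry validity exceeds the CA certificate lifetime; issued certs will be cut off at $($caCert.NotAfter.ToString('yyyy-MM-dd')). Renew the CA certificate (CAPolicy.inf) first."
}
```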
ASKER
Here is my confusion,
We create the CAPolicy.inf file to extend the validity period. My guess is that it will increase the CA root cert validity period so PCs and servers can trust the existing/renewed root cert, since they have it in the trusted root store. Do the issued templates chain their validity period from the CA root cert?
What does the CAPolicy.inf do compared to the above commands?
ASKER
If I do the following:
1. Update CAPolicy.inf to a validity period of 10 years.
2. Apply the commands to make it 5 years.
3. Create a new template for 5 years and allow "read" and "autoenroll" permissions.
4. Issue this template.
Then PCs will have a new cert.
I will not get a new cert for 5 years if I do not create a new template and issue the template. That is, the old template is not going to be effective after the initial setting for 2 years even if I change the validity period from 2 years to 5 years. Am I correct on the above?
What is the validity of the old template?
Is it 5 years or 2 years?
If it's two years, you need a new template with 5 years validity.
If it's already 5 years, no need to issue a new template.
ASKER
It is five years.
So I only need
CAPolicy.inf and the commands, so the cert will be renewed after 5 years. Is it correct?
YES, perfectly fine.
Hi Sara,
I hope the question is resolved now.
Can you please close it so that I don't need to close it forcefully?
The policy should be applied at domain level:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy
OR
https://docs.centrify.com/en/css/2017.2-html/index.html#page/Additional_tools_and_topics/Adding_a_trusted_root_certificate_to_the_group_p.4.html
2. The answer to this question depends on how you renewed the root cert.
If you selected use existing private key pair during renewal, you don't need to reissue the certs for users and computers.
https://social.technet.microsoft.com/wiki/contents/articles/2016.root-ca-certificate-renewal.aspx
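Beside the GPO route in the links above, the renewed root certificate (cert #1) can also be published into Active Directory so domain members add it to their Trusted Root store on the next Group Policy/autoenrollment refresh. The script below is an added example (not from the thread or the linked docs); it assumes it runs elevated on the CA with rights to write the Configuration partition, and the export path is an assumption.

```powershell
# Added example: export the current (renewed) CA certificate and publish it to the
# Certification Authorities container in the Configuration partition.
# Assumptions: run elevated on the CA as a member of Enterprise Admins; export path is arbitrary.
$ExportPath = 'C:\Temp\RootCA-renewed.cer'

# certutil -ca.cert writes the current (most recently renewed) CA certificate.
certutil -ca.cert $ExportPath | Out-Null
if (-not (Test-Path $ExportPath)) { throw "Export of the CA certificate failed" }

$new = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ExportPath
"Renewed CA cert: $($new.Subject)  NotAfter=$($new.NotAfter)  Thumbprint=$($new.Thumbprint)"

# Publish to the Certification Authorities container (-f creates the object if missing).
# An Enterprise CA normally does this itself on renewal; a standalone/offline root
# does not, and this command covers both cases.
certutil -dspublish -f $ExportPath RootCA

# Verification on any domain member after 'gpupdate /force': both the old and the
# renewed certificate should be present, same subject, different thumbprints.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $new.Subject } |
    Select-Object Thumbprint, NotBefore, NotAfter
```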