sara2000
asked on
CAPolicy.inf and Issued certificates

I have read many KB articles about the CA root cert validity period and still have doubts about it that I want to clear up. I am about to work on a root CA to increase its validity period as well as the issued certificate period.
We have a root CA server, and this server is issuing certificates (no subordinate CA in place) with a five-year validity. We now want to renew the CA's root cert as well as extend the issued certs' period for another 5 years.
My understanding from EE is that there is nothing I can do about already-issued certificates; they will expire whatever I do with the root server. In this case, I first have to change the validity period in the CAPolicy.inf file and renew the root CA server's certificate to 10 years, which will increase the validity of the CA's root certificate as desired (10 years or more).
But the certificates previously issued to the clients are chained to the old template, so they will expire soon even after changing the value in the CAPolicy.inf file.
To remediate this, the next step is to create a new issuing template and issue certificates to the clients via GPO.
Do I have to issue the commands listed below on the server in order to set the AD templates' period to 5 years as we want, or otherwise will the AD templates stay with the old validity period?
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod Years
net stop certsvc && net start certsvc

In conclusion, I have to do the following:
1. Work on CAPolicy.inf
2. Issue certutil
3. Push the CA's root cert to the clients' trusted store.
4. Issue certs to client PCs/users via GPO.
5. Bind the certificate to IIS.
Thank you in advance for your help.
ASKER CERTIFIED SOLUTION
David Johnson, CD
This solution is only available to members of Experts Exchange.
sara2000
ASKER
David,
Thank you for the links. I have been through these.
Based on these, we work on CAPolicy.inf and certutil to increase the validity period of the CA root cert.
For the users and computers, we then have to issue new templates for them. Am I correct on that?

David Johnson, CD
Yes, you are correct. In the future I'd use the PowerShell cmdlets and script it. My customers are heavily audited since they use cross certificates with other companies. Rather than have an auditor shoulder surf while you're entering commands, just hand them the PowerShell script.
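The script below is an added example, not code from either participant in this thread. It puts the procedure the asker lists (CAPolicy.inf, the certutil -setreg commands, the certsvc restart, renewing the CA certificate, exporting the renewed root for distribution) into a single PowerShell script of the kind suggested in the last reply. It also adds the check a practitioner wants before touching anything: the lifetime of a newly issued certificate is the smallest of the template validity, the CA\ValidityPeriod registry cap, and the time left on the CA's own certificate, so a root CA with 18 months left can only issue 18-month certificates no matter what the template or registry say. The 10-year and 5-year values come from the thread; the CAPolicy.inf key length, the certificate-store lookup and the 365-days-per-year approximation are assumptions, and it runs in dry-run mode unless -Apply is given.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread). Run on the root CA itself.
# Assumptions: 10-year renewed CA cert and 5-year leaf cap as in the thread;
# a 4096-bit renewal key; the CA cert sits in Cert:\LocalMachine\My.
param(
    [int]$CaCertRenewalYears = 10,   # lifetime of the renewed root CA certificate
    [int]$IssuedCertMaxYears = 5,    # cap for certificates this CA issues
    [switch]$Apply                   # without -Apply the script only reports
)

# 1. CAPolicy.inf is read only when the CA certificate is renewed. It shapes the
#    renewed CA cert and does nothing for certificates already issued.
$caPolicy = @"
[Version]
Signature="`$Windows NT`$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=$CaCertRenewalYears
"@
$caPolicyPath = Join-Path $env:windir 'CAPolicy.inf'

# 2. CA\ValidityPeriod(Units) in the registry caps every certificate the CA
#    issues, whatever the template asks for. Read the current values first.
$caName  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$cfgKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"
$current = Get-ItemProperty $cfgKey
Write-Host "CA '$caName': issued-cert cap is $($current.ValidityPeriodUnits) $($current.ValidityPeriod)"

# Convert the registry's unit string into a TimeSpan (approximate: 365-day years, 30-day months).
function ConvertTo-TimeSpanFromCaUnits {
    param([string]$Period, [int]$Units)
    switch ($Period) {
        'Years'  { New-TimeSpan -Days (365 * $Units) }
        'Months' { New-TimeSpan -Days (30 * $Units) }
        'Weeks'  { New-TimeSpan -Days (7 * $Units) }
        'Days'   { New-TimeSpan -Days $Units }
        'Hours'  { New-TimeSpan -Hours $Units }
        default  { throw "Unknown ValidityPeriod '$Period'" }
    }
}

# 3. Effective lifetime of a new leaf cert = min(template, registry cap, CA cert time left).
function Get-EffectiveLeafLifetime {
    param([datetime]$CaNotAfter, [timespan]$TemplateValidity, [timespan]$RegistryCap)
    $remaining = $CaNotAfter - (Get-Date)
    return ($TemplateValidity, $RegistryCap, $remaining | Sort-Object | Select-Object -First 1)
}

$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -like "*$caName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($caCert) {
    $eff = Get-EffectiveLeafLifetime -CaNotAfter $caCert.NotAfter `
        -TemplateValidity (New-TimeSpan -Days (365 * $IssuedCertMaxYears)) `
        -RegistryCap (ConvertTo-TimeSpanFromCaUnits $current.ValidityPeriod $current.ValidityPeriodUnits)
    Write-Host "CA cert expires $($caCert.NotAfter); longest leaf cert issuable today: $([math]::Round($eff.TotalDays)) days"
}

if (-not $Apply) { Write-Host 'Dry run. Re-run with -Apply to make changes.'; return }

# 4. Apply: write CAPolicy.inf, set the issued-cert cap, restart the service.
Set-Content -Path $caPolicyPath -Value $caPolicy -Encoding ASCII
certutil -setreg CA\ValidityPeriodUnits $IssuedCertMaxYears
certutil -setreg CA\ValidityPeriod Years
Restart-Service certsvc

# 5. Renew the CA certificate so the CAPolicy.inf values take effect. ReuseKeys
#    keeps the existing key pair, so previously issued certificates still chain.
certutil -renewCert ReuseKeys

# 6. Verify the cap and export the renewed root for distribution to the
#    clients' trusted store (GPO); templates are then re-enrolled for new leaf certs.
certutil -getreg CA\ValidityPeriodUnits
certutil -getreg CA\ValidityPeriod
certutil -ca.cert (Join-Path $env:TEMP 'rootca-renewed.cer')
```

Run it once without -Apply and keep that output for the auditor: it records the CA name, the current cap and the longest certificate the CA could issue that day, which is the figure that explains why the root renewal has to come before the new template does any good.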