CAPolicy.inf and Issued certificates

sara2000 asked:
I have been to many KB articles about the CA root cert validity period and still have doubts about it that I want to clear up. I am about to work on a root CA to increase its validity period as well as to increase the issued certificate period.
We have a CA root server, and this server is issuing the certificates (no subordinate server in place) with a five-year validity. We now want to renew the CA's root cert as well as the issued certs' period for another 5 years.
My understanding from EE is that there is nothing I can do with the already issued certificates; they will expire whatever I do with the root server. In this case, I first have to change the validity period in the CAPolicy.inf file and renew the certificate of the CA root server to 10 years, hence this will increase the validity of the CA's root certificate as desired (10 years or more).
But the old certificates issued to the clients are chained to the old issued template, so the old issued certificates will expire soon even after changing the value in the CAPolicy.inf file.
To remediate the issue, the next step is that I have to create a new issuing template and issue the certificates to clients by GPO.
Do I have to issue the commands listed below on the server in order to set the AD templates' period to 5 years as we want, otherwise the AD templates will stay with the old validity period?
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod Years
net stop certsvc && net start certsvc

In conclusion, I have to do the following:
1. Work on CAPolicy.inf.
2. Issue certutil.
3. Push the CA's root cert to the clients' trusted store.
4. Issue certs to client PCs/users via GPO.
5. Bind the certificate to IIS.
I would appreciate your help in advance.
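An added example (not code from the thread or from either participant) that checks, on the CA itself, the three values which together bound the lifetime of a certificate issued from a template: the template's own validity, the cap set by the two certutil -setreg commands above, and the time left on the CA's own certificate. The template name is a hypothetical placeholder; the script assumes an elevated prompt on an Enterprise CA joined to the domain.

```powershell
# Added example, not from the thread. Reports why a "5 year" template can still
# produce shorter certificates: the issued lifetime is the minimum of the
# template validity, the CA\ValidityPeriod registry cap, and the time left on
# the CA certificate. Assumes an elevated prompt on a domain-joined Enterprise CA.
param([string]$TemplateName = 'WebServerFiveYear')   # hypothetical template name

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active          # name of the active CA
$ca     = Get-ItemProperty -Path (Join-Path $cfg $caName)

# 1. Cap written by "certutil -setreg CA\ValidityPeriod / ValidityPeriodUnits"
$unitDays = @{ Days = 1; Weeks = 7; Months = 30; Years = 365 }
$regCap   = [TimeSpan]::FromDays($ca.ValidityPeriodUnits * $unitDays[$ca.ValidityPeriod])

# 2. Remaining lifetime of the CA's current certificate (newest CACertHash entry)
$thumb  = (@($ca.CACertHash) | Select-Object -Last 1) -replace '\s', ''
$caCert = Get-Item -Path "Cert:\LocalMachine\My\$thumb"
$caLeft = $caCert.NotAfter - (Get-Date)

# 3. Template validity from AD: pKIExpirationPeriod is a negative Int64 of 100 ns ticks
$rootDse = [ADSI]'LDAP://RootDSE'
$cnc     = $rootDse.configurationNamingContext
$tmpl    = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cnc"
$ticks   = -[BitConverter]::ToInt64([byte[]]$tmpl.pKIExpirationPeriod.Value, 0)
$tmplCap = [TimeSpan]::FromTicks($ticks)

# The CA issues for the shortest of the three; renewing the CA cert or raising the
# registry cap only helps if that value is the one currently limiting issuance.
$rows = @(
    [pscustomobject]@{ Limit = "Template $TemplateName";           Days = [int]$tmplCap.TotalDays }
    [pscustomobject]@{ Limit = 'CA\ValidityPeriod registry cap';   Days = [int]$regCap.TotalDays }
    [pscustomobject]@{ Limit = "CA cert expires $($caCert.NotAfter)"; Days = [int]$caLeft.TotalDays }
)
$rows | Sort-Object Days | Format-Table -AutoSize
$effective = ($rows | Sort-Object Days | Select-Object -First 1)
Write-Host "Effective maximum lifetime for new certs: $($effective.Days) days, limited by: $($effective.Limit)"
```

Run it before and after changing CAPolicy.inf and the registry values to confirm which limit is actually in force; certificates already issued are not affected, as the thread says.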
Top Expert 2016
Commented:
It is always best to plan beforehand. Most business units I support rebuild their CAs when their equipment lease expires (every 3 years).
https://araihan.wordpress.com/2011/12/30/how-to-extend-root-ca-and-sub-ca-validation-period-in-windows-server-2008-r2-environment-step-by-step-guide/
A better article: http://powershell365.com/2016/03/17/extend-default-certificate-expire-date-windows-ca/
Author
Commented:
David,
Thank you for the links. I have been to these.
Based on these, we work on CAPolicy.inf and certutil to increase the validity period of the CA root cert.
For the users and computers, we then have to issue new templates for them. Am I correct on that?
Top Expert 2016
Commented:
Yes, you are correct. In the future I'd use the PowerShell applets and script it. My customers are heavily audited since they use cross certificates with other companies. Rather than have an auditor shoulder surf while you're entering commands, just hand them the PowerShell script.