CAPolicy.inf and Issued certificates

I have been to many KB articles about the CA root cert validation period and still have doubts about it that I want to clear up. I am about to work on a root CA to increase the validity period as well as to increase the issued certificate period.
We have a CA root server and this server is issuing (no subordinate server in place) certificates with five years. We now want to renew the CA's root cert as well as the issued certs' period for another 5 years.
My understanding from EE is that there is nothing I can do with issued certificates and they will expire whatever I do with the root server. In this case, I first have to change the validity period in the CAPolicy.inf file and renew the certificate of the CA root server to 10 years; hence this will increase the validation of the CA's root certificate as desired (10 years or more).
But the old certificates issued to the clients are chained to the old issued template; in this case, the old issued certificates will expire soon even after changing the value in the CAPolicy.inf file.
To remediate the issue, the next step is that I have to create a new issuing template and issue the certificates to clients by GPO.
Do I have to issue the commands listed below on the server in order to set the AD templates' period to 5 years as we want, otherwise the AD templates will stay with the old validation period?
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod Years
net stop certsvc && net start certsvc

In conclusion, I have to do the following:
1. Work on CAPolicy.inf.
2. Issue certutil.
3. Push the CA's root cert to the clients' trusted store.
4. Issue certs to client PCs/users via GPO.
5. Bind the certificate to IIS.
I would appreciate your help in advance.
sara2000 Asked:
David Johnson, CD, MVP (Owner) Commented:
It is always best to plan beforehand. Most business units I support rebuild their CAs when their equipment lease expires (every 3 years).
https://araihan.wordpress.com/2011/12/30/how-to-extend-root-ca-and-sub-ca-validation-period-in-windows-server-2008-r2-environment-step-by-step-guide/
A better article http://powershell365.com/2016/03/17/extend-default-certificate-expire-date-windows-ca/
sara2000 (Author) Commented:
David,
Thank you for the links. I have been to these.
Based on these, we work on CAPolicy.inf and certutil to increase the validity period of the CA root cert.
For the users and computers, we then have to issue new templates for them. Am I correct on that?
David Johnson, CD, MVP (Owner) Commented:
Yes, you are correct. In the future I'd use the PowerShell applets and script it. My customers are heavily audited since they use cross certificates with other companies. Rather than have an auditor shoulder surf while you're entering commands, just hand them the PowerShell script.
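Added example, not part of the thread or the linked articles: the expiry of a newly issued certificate is the earliest of three limits, namely the template validity, the CA's ValidityPeriod/ValidityPeriodUnits registry setting, and the expiry of the CA's own certificate. The function names, dates and period values below are constructed for illustration.

```powershell
# Added example. All dates and periods below are constructed sample values.
function Add-Period {
    param([datetime]$From, [int]$Units, [string]$Period)
    switch ($Period) {
        'Years'  { $From.AddYears($Units) }
        'Months' { $From.AddMonths($Units) }
        'Weeks'  { $From.AddDays(7 * $Units) }
        'Days'   { $From.AddDays($Units) }
        default  { throw "Unsupported period '$Period'" }
    }
}

function Get-EffectiveNotAfter {
    param(
        [datetime]$IssueDate,
        [int]$TemplateUnits, [string]$TemplatePeriod,   # validity configured on the template
        [int]$RegistryUnits, [string]$RegistryPeriod,   # CA\ValidityPeriodUnits and CA\ValidityPeriod
        [datetime]$CaCertNotAfter                       # expiry of the CA's own certificate
    )
    $limits = @(
        [pscustomobject]@{ LimitedBy = 'Template';       NotAfter = Add-Period $IssueDate $TemplateUnits $TemplatePeriod }
        [pscustomobject]@{ LimitedBy = 'CA registry';    NotAfter = Add-Period $IssueDate $RegistryUnits $RegistryPeriod }
        [pscustomobject]@{ LimitedBy = 'CA certificate'; NotAfter = $CaCertNotAfter }
    )
    # The earliest of the three dates is what ends up in the issued certificate.
    $limits | Sort-Object NotAfter | Select-Object -First 1
}

# Three constructed situations for a 5-year template issued on the same day.
$issue = [datetime]'2024-01-15'
$cases = [ordered]@{
    'Root not renewed, expires in 6 months'   = @{ Reg = 10; Ca = [datetime]'2024-07-15' }
    'Root renewed for 10 years, registry = 2' = @{ Reg = 2;  Ca = [datetime]'2034-01-15' }
    'Root renewed, registry raised to 10'     = @{ Reg = 10; Ca = [datetime]'2034-01-15' }
}
foreach ($name in $cases.Keys) {
    $c = $cases[$name]
    $r = Get-EffectiveNotAfter -IssueDate $issue -TemplateUnits 5 -TemplatePeriod Years `
            -RegistryUnits $c.Reg -RegistryPeriod Years -CaCertNotAfter $c.Ca
    '{0,-42} -> {1:yyyy-MM-dd} (limited by {2})' -f $name, $r.NotAfter, $r.LimitedBy
}
```

On a live CA the registry inputs can be read with certutil -getreg CA\ValidityPeriodUnits and certutil -getreg CA\ValidityPeriod before and after the change, which gives an auditor a record of both states.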