Microsoft CA certificate templates expire sooner than expected


By default ADCS is set to issue certs for a maximum of 2 years (regardless of template or request).
To change that just run the following two commands (modify as desired):

certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\ValidityPeriodUnits 10

Then restart certificate services:

net stop certsvc
net start certsvc
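A read-only check for the situation in this thread, as an added example that is not part of the original answer: an issued certificate ends at the earliest of the template's validity, the issuing CA's ValidityPeriod/ValidityPeriodUnits registry cap, and the CA certificate's own expiry. The script assumes the default CertSvc registry layout and that the CA certificate sits in the LocalMachine\My store; `$WantedYears` is a hypothetical parameter standing in for the template setting.

```powershell
# Read-only. Run elevated on every CA in the chain (offline root, intermediate).
param([int]$WantedYears = 10)   # hypothetical parameter: validity set in the template
$ErrorActionPreference = 'Stop'

$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
# "Active" names the CA configured on this host; its subkey holds the CA settings.
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$ca      = Get-ItemProperty -LiteralPath (Join-Path $cfgRoot $caName)

# The two values written by the certutil -setreg commands in the answer.
$now    = Get-Date
$units  = [int]$ca.ValidityPeriodUnits
$regEnd = switch ($ca.ValidityPeriod) {
    'Years'  { $now.AddYears($units) }
    'Months' { $now.AddMonths($units) }
    'Weeks'  { $now.AddDays(7 * $units) }
    'Days'   { $now.AddDays($units) }
    'Hours'  { $now.AddHours($units) }
    default  { throw "Unhandled ValidityPeriod '$($ca.ValidityPeriod)'" }
}

# CACertHash lists one thumbprint per CA certificate; the last entry is the current one.
$thumb  = ($ca.CACertHash | Where-Object { $_ -match '[0-9a-fA-F]' } |
           Select-Object -Last 1) -replace '\s', ''
$caCert = Get-Item -Path "Cert:\LocalMachine\My\$thumb"

# Sort the three limits; the earliest date is what an issued certificate gets.
$limits = @(
    [pscustomobject]@{ Limit = "Template ($WantedYears Years)"
                       NotAfter = $now.AddYears($WantedYears) }
    [pscustomobject]@{ Limit = "CA registry ($units $($ca.ValidityPeriod))"
                       NotAfter = $regEnd }
    [pscustomobject]@{ Limit = 'CA certificate expiry'
                       NotAfter = $caCert.NotAfter }
) | Sort-Object NotAfter

$limits | Format-Table -AutoSize
$first = $limits[0]
"Binding limit on ${caName}: $($first.Limit), ends $($first.NotAfter.ToString('yyyy-MM-dd'))"
```

If the binding limit is the CA registry line, that CA still has the lower cap; if it is the CA certificate expiry, changing the registry values will not lengthen issued certificates.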


Author: Tim Brigham

Updated on September 18, 2022

Comments

  • Tim Brigham over 1 year

    The certificates my Microsoft CA is generating do not match the time period indicated in the template used. How can I resolve this?

    I recently created a new certificate template for use on my Linux boxes on my Microsoft CA (2008 R2 Enterprise). This template is approved for server and client authentication purposes with a validity period of 10 years - the expected lifetime of our Linux boxes - and the subject name supplied in the request. I have checked both the intermediate and offline CA - both have more than 10 years of life listed. The certificates are exactly two years.

    Is there some kind of hard limit I'm hitting here?

    • ravi yarlagadda over 11 years
      What validity lifetime are they getting instead of 10 years?
  • Tim Brigham over 11 years
    Ugh.. thanks. Did that on the offline CA but likely forgot it on the intermediate.