The Validity Period of an Issued Certificate is Shorter than Configured

Posted by Ahmed Nabil In | 4 comments»
I recently passed with couple of scenarios where one of the issued Certificates in Microsoft PKI infrastructure solution has validity period shorter than the period already configured on the template of this certificate. The main reason of changing and increasing the validity period/years for several specific certificates is to avoid frequent renewal process. 

The scenario i passed by recently was when a user duplicated one of the templates and changed the Validity from the default 2 Years to 4 Years and issued the new Certificate however the issued certificate still reads 2 Years. This can be due to one of two reasons

  1. The CA certificate period /Remaining Period (CA cannot issue a certificate that is longer than its own CA certificate) is less than the user certificate period. You cannot issue a user certificate which is 10 Years valid if your Root CA is 5 years only.
  2. The default Validity Period that is allowed by CA (defined in CA reg)

To check for the CA Certificate period/Duration, you need to do the following

  1. Open the CA Console
  2. Right Click on the CA - Properties
  3. From the General TAB click View Certificate and check the duration.

If the CA Remaining duration is less than the required user certificate duration then you need to increase the CA value and renew the CA certificate as follows:

  1. Configure CAPolicy.inf that directly controls CA certificate.
  2. Go to C:\Windows Folder, find the file CAPolicy.inf
  3. Change the "RenewalValidityPeriodUnits" value to the appropriate period (10 or 15 Years)
  4. Restart the CA Service
  5. Renew the CA Certificate (Right Click on the CA - All Tasks - Renew CA Certificate)

If the CA Period/Duration is fine and longer than the user certificate need then we need to check the default Validity Period in the CA Registry by doing the following:

  1. Open Admin CMD on the CA server and type certutil -getreg ca                                                                                                                                                                                    
  2. Check the ValidityPeriodUnits which refers to the maximum period that this CA can issue. You can define this value according to your own requirements, but it won’t exceed the lifetime of CA.
  3. From the Same CMD run certutil -setreg ca\ValidityPeriodUnits 5 (This will increase the validity to 5 years)
  4. Stop and restart CA service.

Now try again to Enroll certificate again from client to check the validity period.


Unknown Says:


Alan Le Says:


I will try to increase mine to 5 years!
Set 5, but default to only 2

Good job!


ADH Says:

"Renew the CA Certificate" sounds easy, but if you have an offline root, this may involve your key ceremony procedures, transferring the csr file to the root CA computer (perhaps retrieving it from a safe), issuing the cert and tranferring it back to the issuing CA.

Amazing Quotes Says:

Very Nice And Interesting Post, thank you for sharing
Inspirational Quotes - Gym Quotes
Best Quotes - Success Quotes
Positive Life Quotes - Image Bank
Future Quotes - Excellence Quotes
كلام جميل - Keep Smiling Quotes

Post a Comment