So, you have your own Windows Certificate of Authority (CA) server and you want to create some new certificates that are valid longer than the default certificate templates. You duplicate the User Certificate, and set the validity period to 5 years. You issue a new user certificate using the new template and discover that the certificate expires two years from today. What's up with that?
The validity period of any certificate generated by a Windows CA is the lesser of these three values:
- The remaining lifetime of the root CA server
- The value specified in the certificate template
- The value specified in the CA server registry (default is 2 years)
So even if you set the certificate template validity period to 10 years, certificates issued using this template will be valid for a maximum of two years with the CA's default settings.
Increasing the CA Lifetime
Most root CAs are typically valid for 5 years. To increase the lifetime of the root CA, create or edit a text file in %SYSTEMROOT% called CAPolicy.inf with the following text:
[Version] Signature=”$Windows NT$” [certsrv_server] RenewalValidityPeriod=Years RenewalValidityPeriodUnits=10
Warning: If you generate a new public and private key pair you will need to reissue all your old certificates, so don't do it unless that is your intent.
Setting the Maximum Validity Period in the Registry
The default certificate validity period configured in the CA's registry is 2 years. To view the current registry value, run the following commands from a CMD prompt on the CA:
certutil -getreg ca\ValidityPeriod certutil -getreg ca\ValidityPeriodUnits
certutil -setreg ca\ValidityPeriodUnits 5