So your internal Certificate Authority server is issuing SSL certificates with a shorter validity period than you want, even though your template specifies the correct length. The problem isn't with your template, it's with your CA server's registry settings.
1) Requirement #1
An issued cert CANNOT be valid longer than the issuing CA cert. If you define a cert template with validity of 3 years, but your issuing CA cert is only valid for 2, then the issued cert is only valid for 2 years.
2) Requirement #2
An issued cert CANNOT be valid longer than the value set in the registry on the issuing CA:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA Name>
3) Requirement #3
If the above two requirements can be met, then we will honor the validity listed on the cert template.
Once you change the registry setting for ValidityPeriodUnits, restart the Certificate Authority service, and you should be able to generate SSL certs with the correct validity period.
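To see which of the three requirements is currently limiting your certs, the following added example (not part of the original post) reads the CA cert expiry and the registry cap and compares them with the template validity. It assumes an elevated PowerShell session on the issuing CA; `$TemplateYears` and the temp file name are assumed inputs.

```powershell
# Added example (not from the original post). Run elevated on the issuing CA.
# $TemplateYears is an assumed input: the validity configured on your template.
param([int]$TemplateYears = 3)

$now = Get-Date
$cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -LiteralPath $cfg).Active        # name of the active CA
$ca = Get-ItemProperty -LiteralPath (Join-Path $cfg $caName)

# Requirement #1: an issued cert cannot outlive the issuing CA cert.
$cer = Join-Path $env:TEMP 'issuing-ca.cer'                  # assumed scratch file
certutil -f -ca.cert $cer | Out-Null                         # export the CA's own cert
$caCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cer)
$caLimit = $caCert.NotAfter

# Requirement #2: the registry cap (ValidityPeriod is the unit, ValidityPeriodUnits the count).
$registryLimit = switch ($ca.ValidityPeriod) {
    'Years'  { $now.AddYears($ca.ValidityPeriodUnits) }
    'Months' { $now.AddMonths($ca.ValidityPeriodUnits) }
    'Weeks'  { $now.AddDays(7 * $ca.ValidityPeriodUnits) }
    'Days'   { $now.AddDays($ca.ValidityPeriodUnits) }
    default  { throw "Unhandled ValidityPeriod '$($ca.ValidityPeriod)'" }
}

# Requirement #3: the template validity is honored only if it fits under both limits.
$templateLimit = $now.AddYears($TemplateYears)

$limits = [ordered]@{
    'CA certificate expiry'                  = $caLimit
    'Registry ValidityPeriod(Units) setting' = $registryLimit
    'Template validity'                      = $templateLimit
}
$limits.GetEnumerator() | ForEach-Object { '{0,-40} {1:yyyy-MM-dd}' -f $_.Key, $_.Value }

# The earliest date wins; that is the NotAfter a cert issued right now would get.
$binding = $limits.GetEnumerator() | Sort-Object Value | Select-Object -First 1
'Effective NotAfter: {0:yyyy-MM-dd} (limited by: {1})' -f $binding.Value, $binding.Key

# If the registry is the limit, raise it and restart the service. Left commented
# out so the script only reports; this form assumes ValidityPeriod is 'Years'.
# certutil -setreg ca\ValidityPeriodUnits $TemplateYears
# Restart-Service -Name CertSvc
```

If the report shows the CA certificate expiry as the limit, changing the registry value will not help; the CA cert itself has to be renewed first.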