Internal CA isn't validating certs for long enough

So your internal Certificate Authority server isn't signing SSL cerificates for a long enough time, even though you have the correct length in your template. The problem isn't with your template, it's with your CA server's registry settings.

1) Requirement #1
An issued cert CANNOT be valid longer than the issuing CA cert. If you define a cert template with validity of 3 years, but your issuing CA cert is only valid for 2, then the issued cert is only valid for 2 years.

2) Requirement #2
An issued cert CANNOT be valid longer than the value set in the registry on the issuing CA

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA Name>

3) Requirement #3
If the above two requirements can be met, then we will honor the validity listed on the cert template.

Once you change the registry setting for ValidityPeriodUnits, restart the Certficate Authority Service, and you should be able to generate SSL certs for the correct validity length of time.
Share on Google Plus

About Tom DeMeulenaere

Highly accomplished information technology professional with extensive knowledge in System Center Configuration Manager, Windows Server, SharePoint, and Office 365.
    Blogger Comment


Post a Comment

Note: Only a member of this blog may post a comment.