Tuesday, January 6, 2009

Side Note to Changing Expiration Date of Certificates that are issued by a Windows Server 2003 or a Windows 2000 Server Certificate Authority

If your deployment requires changing the default validity period of certificates issued by your Windows 2000 or 2003 Certificate Authority (by default 1 year for a Standalone CA, 2 years for an Enterprise CA), you may have followed the guide in the KB article below.

http://support.microsoft.com/kb/254632

The summary and the registry hack are posted below.

SUMMARY


This article describes how to change the validity period of a certificate that is issued by a Windows Server 2003 or a Windows 2000 Server Certificate Authority (CA). By default, the lifetime of a certificate that is issued by a Stand-alone CA is one year. After one year, the certificate expires and is not trusted for use. There may be situations when you have to override the default expiration date for certificates that are issued by an intermediate or an issuing CA. The validity period that is defined in the registry affects all certificates that are issued by Stand-alone and Enterprise CAs.

For Enterprise CAs, the default registry setting is two years. For Stand-alone CAs, the default registry setting is one year. For certificates that are issued by Stand-alone CAs, the validity period is determined by the registry entry that is described later in this article. This value applies to all certificates that are issued by the CA.

For certificates that are issued by Enterprise CAs, the validity period is defined in the template that is used to create the certificate. Windows 2000 and Windows Server 2003 Standard Edition do not support modification of these templates. Windows Server 2003 Enterprise Edition supports Version 2 certificate templates that can be modified. The validity period defined in the template applies to all certificates issued by any Enterprise CA in the Active Directory forest. One exception is the Subordinate CA certificate templates. There is no validity period defined in this template. Instead, the CA's registry validity period determines the validity period of the Subordinate CA certificate. A certificate that is issued by a CA is valid for the minimum of the following periods of time:

• The registry validity period that is noted earlier in this article. This applies to the Standalone CA, and to Subordinate CA certificates issued by the Enterprise CA.
• The template validity period. This applies to the Enterprise CA.

Templates supported by Windows 2000 and Windows Server 2003 Standard Edition cannot be modified. Templates supported by Windows Server Enterprise Edition (Version 2 templates) do support modification.

• The expiration date of the CA certificate.

A CA cannot issue a certificate with a longer validity period than its own CA certificate. For more information about certificate templates, see the "Implementing and Administering Certificate Templates in Windows Server 2003" white paper, available at the following Web site:
http://technet2.microsoft.com/WindowsServer/en/library/c25f57b0-5459-4c17-bb3f-2f657bd23f781033.mspx?mfr=true

Note: The Request Attribute name is made up of value string pairs that accompany the request and that specify the validity period. By default, this is enabled by a registry setting on a Standalone CA only.

To Change the Expiration Date of Certificates That Are Issued by a Windows Server 2003 or a Windows 2000 Server Certificate Authority


To change the validity period settings for a CA, follow these steps.

1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate, and then click the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\
4. In the right pane, double-click ValidityPeriod.
5. In the Value data box, type one of the following, and then click OK:
• Days
• Weeks
• Months
• Years
6. In the right pane, double-click ValidityPeriodUnits.
7. In the Value data box, type the numeric value that you want, and then click OK. For example, type 2.
8. Stop, and then restart the Certificate Services service. To do so:
a. Click Start, and then click Run.
b. In the Open box, type cmd, and then click OK.
c. At the command prompt, type the following lines. Press ENTER after each line.
net stop certsvc
net start certsvc
d. Type exit to quit Command Prompt.
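As an added example (not from the KB article or this post), the same change made from an elevated PowerShell prompt on the CA itself: certutil -setreg writes the two values, the service is restarted as in step 8, and the registry is read back to confirm what actually landed. It assumes the CA's own subkey under CertSvc\Configuration is named by that key's Active value (the path quoted above stops at Configuration\); $Period and $Units are this script's own parameters.

```powershell
# Added example, not part of the KB article or the post: apply the
# ValidityPeriod change from the steps above with certutil instead of regedit,
# restart Certificate Services, and verify the values that were written.
# Run in an elevated prompt on the CA server itself.
# Assumption: the CA's own subkey under CertSvc\Configuration is named by that
# key's "Active" value (the path quoted above stops at Configuration\).
param(
    [ValidateSet('Days', 'Weeks', 'Months', 'Years')]
    [string]$Period = 'Years',
    [ValidateRange(1, 99)]
    [int]$Units = 2
)

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$caKey     = Join-Path -Path $configKey -ChildPath $caName

# Capture the current values first so the change is reversible.
$before = Get-ItemProperty -Path $caKey -Name ValidityPeriod, ValidityPeriodUnits
Write-Host ("{0}: before = {1} {2}" -f $caName, $before.ValidityPeriodUnits, $before.ValidityPeriod)

# Steps 4-7 of the KB, written as certutil calls that target the active CA.
certutil -setreg ca\ValidityPeriod $Period | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil failed to set ValidityPeriod" }
certutil -setreg ca\ValidityPeriodUnits $Units | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil failed to set ValidityPeriodUnits" }

# Step 8: the CA only reads these values when the service starts.
Restart-Service -Name certsvc

# Verify what is actually in the registry rather than trusting the command.
$after = Get-ItemProperty -Path $caKey -Name ValidityPeriod, ValidityPeriodUnits
if ($after.ValidityPeriod -ne $Period -or [int]$after.ValidityPeriodUnits -ne $Units) {
    throw "Registry does not reflect the requested validity period"
}
Write-Host ("{0}: after  = {1} {2}" -f $caName, $after.ValidityPeriodUnits, $after.ValidityPeriod)
```

Keeping the "before" values in the output gives you the exact pair to set back if the new lifetime turns out to be wrong, and the read-back catches the case where certutil reported success against a different CA configuration than the one you expected.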

I have highlighted important points to consider, like the ability to duplicate templates only being available on the Enterprise Edition of Windows. One implementation I can cite as an example is Cisco's ACS, which required a duplicated template for its server certificate, so it is more likely that you would use an Enterprise Edition of Windows as your Root CA or subscribe to a third-party CA.

One more note I wanted to add, which is actually why I blogged about this article: if you duplicate a certificate template and specify a longer validity period than what is specified in the registry, the value that will be taken will still be the lesser of the two.

Meaning a Microsoft domain-rooted CA will use either the issuing certificate template's validity period or the maximum CA certificate validity period defined in the CertSvc registry key, whichever is less.
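To make the rule concrete (the KB's "minimum of the following periods" list and the point made just above about a duplicated template losing to the registry value), here is an added example that is not part of the post: a small PowerShell function that takes the three bounds and returns the one the CA will actually enforce. Get-EffectiveNotAfter and all dates in the two scenarios are constructed for illustration, not values from the article.

```powershell
# Added example, not part of the post: a model of the rule the article states,
# that an issued certificate lives for the least of (a) the CertSvc registry
# validity period, (b) the template validity period on an Enterprise CA and
# (c) the time left on the CA's own certificate. All inputs are constructed.
function Get-EffectiveNotAfter {
    param(
        [Parameter(Mandatory)] [datetime] $IssueDate,
        [Parameter(Mandatory)] [ValidateSet('Days', 'Weeks', 'Months', 'Years')] [string] $RegistryPeriod,
        [Parameter(Mandatory)] [int] $RegistryUnits,
        [Parameter(Mandatory)] [datetime] $CaCertNotAfter,
        [int] $TemplateValidityYears = 0    # 0 = Standalone CA, no template bound
    )

    # (a) Registry bound: ValidityPeriodUnits x ValidityPeriod from issue time.
    $registryEnd = switch ($RegistryPeriod) {
        'Days'   { $IssueDate.AddDays($RegistryUnits) }
        'Weeks'  { $IssueDate.AddDays(7 * $RegistryUnits) }
        'Months' { $IssueDate.AddMonths($RegistryUnits) }
        'Years'  { $IssueDate.AddYears($RegistryUnits) }
    }

    # (b) Template bound, only when a template applies (Enterprise CA).
    $templateEnd = $null
    if ($TemplateValidityYears -gt 0) {
        $templateEnd = $IssueDate.AddYears($TemplateValidityYears)
    }

    # (c) The CA cannot issue past its own certificate's expiry.
    $bounds = @($registryEnd, $CaCertNotAfter)
    if ($templateEnd) { $bounds += $templateEnd }

    # The earliest bound is the one the CA enforces.
    $effective = $bounds | Sort-Object | Select-Object -First 1

    $limitedBy = 'CA certificate expiry'
    if ($effective -eq $registryEnd) { $limitedBy = 'Registry ValidityPeriod' }
    elseif ($templateEnd -and $effective -eq $templateEnd) { $limitedBy = 'Template validity' }

    [pscustomobject]@{
        RegistryEnd       = $registryEnd
        TemplateEnd       = $templateEnd
        CaCertNotAfter    = $CaCertNotAfter
        EffectiveNotAfter = $effective
        LimitedBy         = $limitedBy
    }
}

# Scenario from the post: a duplicated template asks for 5 years, the registry
# still holds the Enterprise CA default of 2 years, and the CA certificate has
# a decade left. The registry's 2 years is the shorter bound and wins.
Get-EffectiveNotAfter -IssueDate ([datetime]'2009-01-06') -RegistryPeriod Years -RegistryUnits 2 `
    -CaCertNotAfter ([datetime]'2019-01-06') -TemplateValidityYears 5

# Raising the registry to 5 years does not help when the CA certificate itself
# expires first: its NotAfter becomes the effective limit on every issued cert.
Get-EffectiveNotAfter -IssueDate ([datetime]'2009-01-06') -RegistryPeriod Years -RegistryUnits 5 `
    -CaCertNotAfter ([datetime]'2010-07-01') -TemplateValidityYears 5
```

The LimitedBy field is the part worth looking at when a freshly issued certificate comes back shorter than you asked for: it tells you whether to change the registry value, the template, or renew the CA certificate itself.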
