Microsoft CA certificate templates expire sooner than expected

Tags: ad-certificate-services, certificate, certificate-authority

The certificates my Microsoft CA is generating do not match the time period indicated in the template used. How can I resolve this?

I recently created a new certificate template for use on my Linux boxes on my Microsoft CA (2008 R2 Enterprise). This template is approved for server and client authentication purposes with a validity period of 10 years – the expected lifetime of our Linux boxes – and the subject name supplied in the request. I have checked both the intermediate and offline CA – both have more than 10 years of life listed. The certificates are exactly two years.

Is there some kind of hard limit I'm hitting here?

Best Answer

By default ADCS is set to issue certs for a maximum of 2 years (regardless of template or request).
To change that just run the following two commands (modify as desired):

certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\ValidityPeriodUnits 10

Then restart certificate services:

net stop certsvc
net start certsvc
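
Added example, not part of the original answer: a PowerShell check to run on the issuing CA that compares the three limits an issued certificate is subject to (the template validity, the CA\ValidityPeriod registry setting changed above, and the expiry of the CA's own certificate) and reports which one is the shortest. The parameter name $TemplateYears and the temporary file name are assumptions made for this example.

```powershell
# Added example; run in an elevated PowerShell session on the issuing CA.
# $TemplateYears is a hypothetical parameter: the validity set on the template.
param([int]$TemplateYears = 10)

$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
# The "Active" value names the CA configured on this host.
$caName = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$caReg  = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

# Same values that "certutil -setreg CA\ValidityPeriod*" writes.
$period = $caReg.ValidityPeriod
$units  = [int]$caReg.ValidityPeriodUnits

$now = Get-Date
$registryLimit = switch ($period) {
    'Years'  { $now.AddYears($units) }
    'Months' { $now.AddMonths($units) }
    'Weeks'  { $now.AddDays(7 * $units) }
    'Days'   { $now.AddDays($units) }
    default  { throw "Unhandled ValidityPeriod value: '$period'" }
}

# Export the CA's own certificate; an issued certificate cannot outlive it.
$caCertFile = Join-Path $env:TEMP 'issuing-ca.cer'   # constructed file name
certutil -f -ca.cert $caCertFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed ($LASTEXITCODE)" }
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCertFile

# Collect the three candidate end dates and sort so the earliest comes first.
$limits = @(
    [pscustomobject]@{ Source = "Template ($TemplateYears years)"; NotAfter = $now.AddYears($TemplateYears) }
    [pscustomobject]@{ Source = "CA registry ($units $period)";    NotAfter = $registryLimit }
    [pscustomobject]@{ Source = 'Issuing CA certificate expiry';   NotAfter = $caCert.NotAfter }
) | Sort-Object NotAfter

$limits | Format-Table -AutoSize
"Binding limit: $($limits[0].Source) -> new certificates end about $($limits[0].NotAfter.ToString('yyyy-MM-dd'))"
```

Run it before and after the registry change and service restart; if the CA registry row is still the earliest date, the new setting has not taken effect.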