I have a Microsoft CA running, which does not have the SAN field enabled by default, so I have enabled it by
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
Before doing so, everything worked normally.
After enabling the SAN field, when I'm submitting a signing request, I'm getting this error:
Your Request Id is XXX. The disposition message is “Denied by Policy Module The certificate validity period will be shorter than the Certificate Template specifies, because the template validity period is longer than the maximum certificate validity period allowed by the CA. Consider renewing the CA certificate, reducing the template validity period, or increasing the registry validity period.”
The certificate template for which I'm trying to request a certificate has 2 years for validity, and my issuing CA's certificate is still valid for 1.5 years.
If I revert the flag change for SAN with
certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
then I can issue certificates like before.
I've seen a possible solution that recommended raising the values below:
certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg ca\ValidityPeriodUnits 5
This does not work in my case (I tried it), but I don't understand how it would solve the problem anyway: at the end of the day, the expiration date of my issuing CA's certificate would take precedence over this, if I understand it correctly.
I don't understand why I'm getting this error only with the SAN field being enabled.
How can I solve this?
Does enabling the SAN imply any further checks on the CA, which I've missed somehow?
Best Answer
It seems that the certificate validity setting in the certificate template exceeds the estimated validity of the CA certificate.
The second thing is that the
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
command is incorrect and dangerous. Microsoft ADCS has SAN enabled by default. Any valid certificate request with an embedded SAN extension will result in a certificate with the SAN extension. This flag allows passing the SAN extension as an unauthenticated attribute (not embedded in the CSR), and the CA won't validate the SAN value. As a result, any user can get a certificate with an arbitrary SAN extension, and even impersonate domain administrators. This is why the EDITF_ATTRIBUTESUBJECTALTNAME2
flag MUST BE DISABLED. There are two options:
I would suggest going with the 2nd option, because you will face more issues within the next 6 months and will be forced to renew the CA certificate. There are a lot of articles on the Internet that suggest renewing the CA certificate by reusing the existing key pair. This solution is less painful, but may raise chain validation issues. Every time you renew a CA certificate, you must generate a new key pair.
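As an added example (not part of the question or the answer above), the following PowerShell script audits an issuing CA for the two settings discussed in this thread: whether the EDITF_ATTRIBUTESUBJECTALTNAME2 bit is set in the policy module's EditFlags, and what ca\ValidityPeriod and ca\ValidityPeriodUnits currently are. It assumes it is run as a CA administrator on the CA server itself, where certutil.exe addresses the local CA by default, and it assumes the English-language output format of `certutil -getreg`; the numeric value 0x40000 for EDITF_ATTRIBUTESUBJECTALTNAME2 is taken from the Windows SDK certsrv headers.

```powershell
# Added audit script: detect EDITF_ATTRIBUTESUBJECTALTNAME2 and report CA validity settings.
# Assumptions: runs on the issuing CA as a CA administrator; certutil prints English output.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000   # bit value from the certsrv SDK headers

function Get-CertutilRegValue {
    param([string]$Path)   # e.g. 'policy\EditFlags' or 'ca\ValidityPeriodUnits'
    $out = & certutil.exe -getreg $Path 2>&1 | Out-String
    # certutil prints lines such as "  EditFlags REG_DWORD = 15014e (1376590)"
    # or "  ValidityPeriod REG_SZ = Years"; parse the value out of that line.
    if ($out -match 'REG_DWORD\s*=\s*([0-9a-fA-F]+)') { return [Convert]::ToInt32($Matches[1], 16) }
    if ($out -match 'REG_SZ\s*=\s*(\S+)')             { return $Matches[1] }
    throw "Could not parse certutil output for $Path"
}

$editFlags  = Get-CertutilRegValue 'policy\EditFlags'
$sanFlagSet = ($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0

# Summary object: the flag state plus the CA-wide validity cap the error message refers to.
[pscustomobject]@{
    EditFlagsHex                   = ('0x{0:x}' -f $editFlags)
    EDITF_ATTRIBUTESUBJECTALTNAME2 = $sanFlagSet
    ValidityPeriod                 = Get-CertutilRegValue 'ca\ValidityPeriod'
    ValidityPeriodUnits            = Get-CertutilRegValue 'ca\ValidityPeriodUnits'
}

if ($sanFlagSet) {
    Write-Warning 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set: requesters can supply an unvalidated SAN as a request attribute.'
    Write-Warning 'Clear it with: certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 (then restart the CertSvc service).'
}
```

The script only reads the registry through certutil and prints a summary; clearing the flag is left to the command from the answer above, which takes effect after the Active Directory Certificate Services service is restarted. The parser keys on the `REG_DWORD =` / `REG_SZ =` tokens, so on a non-English Windows installation check the certutil output format before relying on it.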