Unable to issue certificates after enabling SAN

Tags: ad-certificate-services, certificate

I have a Microsoft CA running, which does not have the SAN field enabled by default, so I have enabled it by

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Before doing so, everything worked normally.
After enabling the SAN field, when I'm submitting a signing request, I'm getting this error:

Your Request Id is XXX. The disposition message is “Denied by Policy Module
The certificate validity period will be shorter than the Certificate
Template specifies, because the template validity period is longer than the
maximum certificate validity period allowed by the CA. Consider renewing the
CA certificate, reducing the template validity period, or increasing the
registry validity period.”

The certificate template for which I'm trying to request a certificate has 2 years for validity, and my issuing CA's certificate is still valid for 1.5 years.
If I revert the flag change for SAN with

certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2

then I can issue certificates like before.

I've seen a possible solution that recommends raising the values below:

certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg ca\ValidityPeriodUnits 5

which does not work (tried it) in my case, but I don't understand how this would solve it anyway, as at the end of the day the expiration date of my issuing CA's certificate would take precedence over this, if I understand it correctly.
I don't understand why I'm getting this error only with the SAN field being enabled.

How can I solve this?
Does enabling the SAN imply any further checks on the CA, which I've missed somehow?

Best Answer

It seems that the certificate validity setting in the certificate template exceeds the estimated validity of the CA certificate.

The second thing is that the certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 command is incorrect and dangerous. Microsoft ADCS has SAN enabled by default. Any valid certificate request with an embedded SAN extension will result in a certificate with a SAN extension. This flag allows passing the SAN extension as an unauthenticated attribute (not embedded in the CSR), and the CA won't validate the SAN value. As a result, any user can get a certificate with an arbitrary SAN extension, and even impersonate domain administrators. This is why the EDITF_ATTRIBUTESUBJECTALTNAME2 flag MUST BE DISABLED.

There are two options:

  1. reduce the validity setting in the certificate template so it does not exceed the estimated CA certificate validity (say, set it to 1 year).
  2. renew the CA certificate to make it valid for a longer period.

I would suggest going with the 2nd option, because you will face more issues within the next 6 months and will be forced to renew the CA certificate anyway. There are a lot of articles on the Internet that suggest renewing the CA certificate by reusing the existing key pair. This solution is less painful, but may raise chain validation issues. Every time you renew the CA certificate, you must generate a new key pair.
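As an added example (not code from the question or the answer), a PowerShell audit that reads the settings both posts talk about straight from the CA's registry and certificate store: whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set in the policy module's EditFlags, the ca\ValidityPeriod cap, and how much lifetime the CA certificate has left compared with the template. Assumed: it runs elevated on the CA host, the standard AD CS registry layout under CertSvc\Configuration is present, and the CA's own certificate is the CA-flagged certificate with a private key in Cert:\LocalMachine\My; the function name and parameter are my own.

```powershell
# Audit script added here; not from the question, the answer or Microsoft.
# Assumptions: elevated on the CA host, default AD CS registry layout,
# CA certificate stored in Cert:\LocalMachine\My with a private key.

# Bit value of EDITF_ATTRIBUTESUBJECTALTNAME2 inside the policy module's EditFlags.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000

function Test-CaIssuanceConfig {
    # Validity of the template you are trying to enrol from (2 years in the question).
    param([int]$TemplateValidityYears = 2)

    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $caKey  = Join-Path $cfg $caName
    $polKey = Join-Path $caKey 'PolicyModules\CertificateAuthority_MicrosoftDefault.Policy'

    # 1. Same value that "certutil -getreg policy\EditFlags" prints: is the flag set?
    $editFlags = (Get-ItemProperty -Path $polKey -Name EditFlags).EditFlags
    $sanFlag   = ($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0

    # 2. CA-wide cap on issued certificate lifetime (ca\ValidityPeriod / ca\ValidityPeriodUnits).
    $units  = (Get-ItemProperty -Path $caKey -Name ValidityPeriodUnits).ValidityPeriodUnits
    $period = (Get-ItemProperty -Path $caKey -Name ValidityPeriod).ValidityPeriod

    # 3. Remaining lifetime of the CA certificate: no issued certificate can outlive it.
    $caCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and $_.CertificateAuthority })
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
    $daysLeft = [math]::Floor(($caCert.NotAfter - (Get-Date)).TotalDays)

    $findings = @()
    if ($sanFlag) {
        $findings += 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set: unauthenticated SAN attributes are honoured. Clear it with: certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2'
    }
    if (($TemplateValidityYears * 365) -gt $daysLeft) {
        $findings += "Template validity ($TemplateValidityYears y) exceeds remaining CA certificate lifetime ($daysLeft days): the policy module denies such requests. Renew the CA certificate with a new key pair or shorten the template."
    }

    [pscustomobject]@{
        CA                       = $caName
        SanFromAttributesEnabled = $sanFlag
        CaValidityLimit          = "$units $period"
        CaCertNotAfter           = $caCert.NotAfter
        CaCertDaysRemaining      = $daysLeft
        Findings                 = $findings
    }
}

Test-CaIssuanceConfig -TemplateValidityYears 2
```

Run it before and after applying either fix from the answer; a clean CA reports SanFromAttributesEnabled false and an empty Findings list.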