CA Client Certificates only expire in one year's time
Posted by Roman on March 27th, 2007


Hi there,

I've got a Windows 2003 Standard Edition server that I've just added the MS
Certification Authority to. I've set up the CA to expire in five years' time
- March 2012. The problem I've got is that when I try to generate and
install the certificates on the client machines it installs them fine but the
client certificates expire in March 2008 - only one year away!

I'd like these certificates to expire in two years' time. I've been looking
for similar issues on the Net and keep coming across this article:
http://support.microsoft.com/default...;en-us;Q254632

The thing is that my default settings are actually two years:
ValidityPeriod is Years
ValidityPeriodUnits is 2

I've changed these values to time periods of less than one year and
restarted the cert service and it works fine. I then tried changing these
values to 3 years and also tried 24 months but in both cases it sets the
expiry period on the generated client certs to March 2008.

Does anyone know why this is setting the client certificates to a maximum of
one year?

Any help would be most appreciated.

Posted by Brian Delaney [MSFT] on March 28th, 2007


Hi Roman,

If this was installed as an Enterprise CA this is normal. Enterprise CAs
get the validity dates of the certificates from the certificate templates
which in v1 templates cannot be modified. v2 Templates can be modified but
require Enterprise Edition of Windows Server for issuance. If you look
closely in the article you mentioned this is discussed as well.

"For certificates that are issued by Enterprise CAs, the validity period is
defined in the template that is used to create the certificate. Windows
2000 and Windows Server 2003 Standard Edition do not support modification
of these templates. Windows Server 2003 Enterprise Edition supports Version
2 certificate templates that can be modified. The validity period defined
in the template applies to all certificates issued by any Enterprise CA in
the Active Directory forest. One exception is the Subordinate CA
certificate templates. There is no validity period defined in this
template. Instead, the CA's registry validity period determines the
validity period of the Subordinate CA certificate. A certificate that is
issued by a CA is valid for the minimum of the following periods of time:

The registry validity period that is noted earlier in this article.
This applies to the Standalone CA, and Subordinate CA certificates issued
by the Enterprise CA.

The template validity period.
This applies to the Enterprise CA. Templates supported by Windows 2000 and
Windows Server 2003 Standard Edition cannot be modified. Templates
supported by Windows Server Enterprise Edition (Version 2 templates) do
support modification."

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
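
The minimum rule quoted in the reply above, applied to the settings from this thread, as an added example (not part of the original posts and not Microsoft's code). The one-year template period is an assumption inferred from the March 2008 expiry, and the calendar-based date arithmetic is a simplification of how the CA computes the end date.

```python
import calendar
from datetime import date, timedelta

ISSUED = date(2007, 3, 27)    # constructed: date of the first post
V1_TEMPLATE = (1, "Years")    # assumption: fixed period of the v1 template

def add_period(start, units, period):
    """Add a ValidityPeriodUnits / ValidityPeriod pair to a start date."""
    period = period.lower()
    if period == "days":
        return start + timedelta(days=units)
    if period == "weeks":
        return start + timedelta(weeks=units)
    if period in ("months", "years"):
        months = units * (12 if period == "years" else 1)
        year, month0 = divmod(start.year * 12 + start.month - 1 + months, 12)
        # Clamp the day so 31 Jan + 1 month lands on the last day of February.
        day = min(start.day, calendar.monthrange(year, month0 + 1)[1])
        return date(year, month0 + 1, day)
    raise ValueError(f"unknown ValidityPeriod: {period!r}")

def effective_not_after(issued, registry, template=None):
    """Return (expiry, limiting source) for a certificate issued on `issued`.

    registry and template are (units, period) pairs. Pass template=None for a
    Standalone CA, where only the registry validity period applies.
    """
    candidates = {"registry": add_period(issued, *registry)}
    if template is not None:
        candidates["template"] = add_period(issued, *template)
    source = min(candidates, key=candidates.get)  # shortest period wins
    return candidates[source], source

if __name__ == "__main__":
    # Registry settings tried in the thread, all against the same template.
    for registry in [(2, "Years"), (3, "Years"), (24, "Months"), (6, "Months")]:
        expiry, source = effective_not_after(ISSUED, registry, V1_TEMPLATE)
        print(f"registry={registry!s:<16} -> {expiry} (limited by {source})")
    # Same registry value on a Standalone CA: no template, so 2 years applies.
    print("standalone:", effective_not_after(ISSUED, (2, "Years")))
```

Raising the registry value above the template period never moves the expiry date; only values shorter than the template take effect, which matches what was observed in the first post.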

Posted by Roman on March 28th, 2007


Thanks for the reply Brian,

I guess I simply focused on the ValidityPeriod and ValidityPeriodUnits from
the article.

Thanks again.