Applies to
Microsoft Certificate Authority
Summary
By default, Microsoft CA only allows certificates to be issued with a maximum validity period of 2 years. Microsoft does this because best security practice is to rotate your encryption keys.
This limit takes precedence even if you publish a template that would be valid for more than 2 years: a certificate issued from that template will still only be valid for 2 years.
If this is not an acceptable length of time, you can modify the registry keys below.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CertSvc\Configuration\<CA Service Name>]
"ValidityPeriod"="Years"
To specify 3 years, change ValidityPeriodUnits to 00000003. Then restart the Microsoft CA service with the commands below:
net stop certsvc
net start certsvc
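The same procedure as a PowerShell script that records the old values, backs up the key, applies the change, restarts the service and verifies the result. This is an added example, not part of the original article. It assumes an elevated session on the CA server and uses CurrentControlSet (the active control set) rather than ControlSet001; the variable names and the backup file location are illustrative.

```powershell
# Added example, not from the original article. Run elevated on the CA server.
$NewPeriod = 'Years'   # ValidityPeriod value shown in the article
$NewUnits  = 3         # the article's 3-year example

# Assumption: CurrentControlSet is used instead of ControlSet001.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active   # name of the active CA
$caKey  = Join-Path $cfg $caName

# Record the current cap and export the key so the change can be rolled back.
$old = Get-ItemProperty -Path $caKey -Name ValidityPeriod, ValidityPeriodUnits
Write-Host "Current cap: $($old.ValidityPeriodUnits) $($old.ValidityPeriod)"
$backup = Join-Path $env:TEMP "certsvc-validity-$(Get-Date -Format yyyyMMddHHmmss).reg"
reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName" $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; nothing was changed.' }

# Apply the new cap: ValidityPeriod is a string, ValidityPeriodUnits is a DWORD.
Set-ItemProperty -Path $caKey -Name ValidityPeriod      -Value $NewPeriod -Type String
Set-ItemProperty -Path $caKey -Name ValidityPeriodUnits -Value $NewUnits  -Type DWord

# Restart the CA service, as the article does with net stop / net start.
Restart-Service -Name CertSvc

# Verify that the stored values match what was requested.
$new = Get-ItemProperty -Path $caKey -Name ValidityPeriod, ValidityPeriodUnits
if ($new.ValidityPeriodUnits -ne $NewUnits -or $new.ValidityPeriod -ne $NewPeriod) {
    throw "Unexpected values after change; restore from $backup"
}
Write-Host "New cap: $($new.ValidityPeriodUnits) $($new.ValidityPeriod) (backup: $backup)"
```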
More Information
The validity period Venafi recommends for certificates is only 1 year.