
Info: MSCA 2 Year Validity Limitation

Applies to

Microsoft Certificate Authority

Summary

By default, Microsoft CA only allows certificates to be issued with a maximum validity period of 2 years. The reason is that security best practice is to rotate your encryption keys.

This limit takes precedence even if you publish a template that would be valid for more than 2 years. When a certificate is issued from that template, it will only be valid for 2 years.

If this is not an acceptable length of time, you can modify the registry values below.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CertSvc\Configuration\<CA Service Name>]

"ValidityPeriod"="Years"
"ValidityPeriodUnits"=dword:00000002

To specify 3 years, change ValidityPeriodUnits to 00000003. Then restart the MSCA service with the commands below:

net stop certsvc
net start certsvc
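
The same change as a script that reads the current cap first, applies the new value, restarts the service and confirms the result. This is an added example, not Venafi or Microsoft code. It assumes an elevated PowerShell session on the CA server, reads the live key through CurrentControlSet (which maps to the article's ControlSet001 on most systems), and uses a hypothetical $NewUnits parameter.

```powershell
# Added example, not from the original article. Run elevated on the CA server.
# $NewUnits is a hypothetical parameter: leave it at 0 to report only.
param([int]$NewUnits = 0)

# Assumption: CurrentControlSet is the live control set (ControlSet001 in the article).
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
# The "Active" value under Configuration holds the <CA Service Name> of the running CA.
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$caKey  = Join-Path $base $caName

function Get-ValidityCap {
    # Read the two values the article describes for the active CA.
    $p = Get-ItemProperty -Path $caKey -Name ValidityPeriod, ValidityPeriodUnits
    [pscustomobject]@{
        CA     = $caName
        Period = $p.ValidityPeriod
        Units  = [int]$p.ValidityPeriodUnits
    }
}

$before = Get-ValidityCap
"Current cap on '{0}': {1} {2}" -f $before.CA, $before.Units, $before.Period

if ($NewUnits -gt 0 -and $NewUnits -ne $before.Units) {
    # Write the new cap as a DWORD, matching the type shown in the article.
    Set-ItemProperty -Path $caKey -Name ValidityPeriodUnits -Value $NewUnits -Type DWord

    # Equivalent to "net stop certsvc" followed by "net start certsvc".
    Restart-Service -Name certsvc

    # Confirm the registry holds the requested value after the restart.
    $after = Get-ValidityCap
    if ($after.Units -ne $NewUnits) {
        throw "Expected $NewUnits but the registry holds $($after.Units)"
    }
    "Cap changed from {0} to {1} {2}" -f $before.Units, $after.Units, $after.Period
}
```

Running it with no arguments only reports the current setting, which is useful for checking a CA's cap before and after a change.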

 

More Information

Venafi's recommended validity period for certificates is only 1 year.
