Requested Validity Period May Not Be Set on Issued Certificate


When requesting a certificate in Venafi as a Service, it is possible to set a defined validity period, constrained by the maximum validity period defined in your issuing template. However, the issued certificate may not reflect the requested period. Instead, the certificate shows a different validity period.


While some utilities let you define a startDate or notBeforeDate and the corresponding endDate or notAfterDate value, most certificate authorities do not respect a user-defined validity period. The notBefore and notAfter dates are the dates for which a CA will guarantee the certificate, so the CA issues the certificate and defines those dates for you based on its own certificate template's maximum validity period. The issued certificate cannot exceed the duration of the template or the issuing CA's own validity end date.
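
To confirm whether a CA honored the requested period, compare the issued certificate's notBefore and notAfter dates with what was requested. The following is an added example, not Venafi code: it reads the output of `openssl x509 -noout -dates`, the sample dates are constructed, and the function names and one-day tolerance are assumptions.

```python
import ssl
from datetime import timedelta

# Constructed sample: output of `openssl x509 -noout -dates -in issued.pem`
# for a certificate that was requested with a 30-day validity period.
SAMPLE_DATES = """\
notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Mar 31 00:00:00 2024 GMT
"""


def parse_dates(text):
    """Return (not_before, not_after) in epoch seconds from `-dates` output."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())
    return (
        ssl.cert_time_to_seconds(fields["notBefore"]),
        ssl.cert_time_to_seconds(fields["notAfter"]),
    )


def check_validity(text, requested_days, tolerance=timedelta(days=1)):
    """Compare the issued lifetime with the requested one.

    The tolerance is an assumption: it absorbs small differences, such as
    a CA setting notBefore slightly earlier than the issuance time.
    """
    not_before, not_after = parse_dates(text)
    issued = timedelta(seconds=not_after - not_before)
    requested = timedelta(days=requested_days)
    return {
        "issued_days": issued.days,
        "requested_days": requested_days,
        "honored": abs(issued - requested) <= tolerance,
    }


if __name__ == "__main__":
    result = check_validity(SAMPLE_DATES, requested_days=30)
    print(result)
    if not result["honored"]:
        print("CA substituted its own validity period; check the CA template.")
```
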


Check with your issuing CA to see if they support user-defined validity periods for Certificate Signing Requests (CSRs), whether submitted via API or in any other fashion. If they do support this setting when working via API and the setting is not being honored, please report it to

Additionally, the built-in CA that comes with some Venafi as a Service packages does support user-defined validity periods. If your internal use cases require this type of control on certificate lifetimes, such as in DevOps use cases, consider using the built-in CA.

Finally, in Venafi as a Service, if you submit a CSR and the validity period requested exceeds that allowed by the CA, an error message will be returned (

For more information on CSR settings, please study RFC 5280 here:

