Subordinate CA – Increase Certificate Validity Length
In a test environment I recently set up, I had a PKI (Public Key Infrastructure) that consisted of an Offline Root CA and an Online Enterprise Subordinate CA that issued my certificates. It looked like the below. My environment is Server 2012, however the commands will also work on Server 2008 and Server 2003.
When you install an Enterprise Subordinate CA you do not get the option to specify the length of the CA certificate's validity. The maximum validity of a Subordinate CA is 5 years.
For some reason my Subordinate CA had set itself to 1 year. This meant that all certificates I issued could only be valid for a year as well, because an issued certificate cannot be valid for longer than the issuing CA's own certificate.
I needed to increase the validity period for my Subordinate CA. To do this I had to turn on my Offline Root CA and issue the following commands.
certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg ca\ValidityPeriodUnits "5"
In the above we set the period to be measured in years; you can also use weeks or days. We set the period units to 5. Once these commands have run you must restart the ADCS service on the Root CA for the changes to take effect, then do the following.
- On the Subordinate CA, create a new CA request by right-clicking the server in ADCS and selecting New Request.
- Supply the CA request to the Root CA and issue the certificate.
- Export the issued certificate in PKCS #7 (.p7b) format.
- On the Subordinate CA in ADCS, right-click the server name and install the new CA certificate that you just exported.
Certificates that have already been issued keep their old validity until they are revoked and reissued; any new certificates issued after this will get the validity period you specified instead of 1 year, as in my situation.
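The following is an added check script, not part of the original post, for confirming on a CA what the registry settings above actually allow and whether the CA's own certificate is what is capping issued certificates. It assumes an elevated PowerShell session on the CA host with certutil.exe on the PATH, and that the CA's own certificate is the one in the machine personal store carrying Basic Constraints CA=TRUE (a hypothetical heuristic; adjust for hosts that hold several CA certificates).

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell on the CA host
# (Windows, certutil.exe on the PATH). Reports the ValidityPeriod settings that cap certificates
# this CA issues and the time left on the CA's own certificate, and flags the mismatch that
# produced the one-year certificates described above.

function Get-CaValidityReport {
    # certutil -getreg prints e.g. "  ValidityPeriod REG_SZ = Years" and
    # "  ValidityPeriodUnits REG_DWORD = 5" (a hex/decimal form is tolerated as well).
    $periodOut = (& certutil -getreg 'ca\ValidityPeriod') -join "`n"
    $unitsOut  = (& certutil -getreg 'ca\ValidityPeriodUnits') -join "`n"
    $period = [regex]::Match($periodOut, 'ValidityPeriod\s+REG_SZ\s*=\s*(\w+)').Groups[1].Value
    $units  = [int][regex]::Match($unitsOut, 'REG_DWORD\s*=\s*(?:0x[0-9a-f]+\s*\()?(\d+)', 'IgnoreCase').Groups[1].Value

    # Approximate the configured period in days so it can be compared with the CA cert lifetime.
    $daysPerUnit = switch ($period) { 'Years' { 365 } 'Months' { 30 } 'Weeks' { 7 } 'Days' { 1 } default { 0 } }
    $configuredDays = $units * $daysPerUnit

    # Assumption: the CA's own certificate is the one in the machine personal store that carries
    # Basic Constraints CA=TRUE. If the host holds several CA certificates, pick by thumbprint.
    $caCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and $_.CertificateAuthority
        }
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
    $remainingDays = if ($caCert) { [int]($caCert.NotAfter - (Get-Date)).TotalDays } else { $null }

    [pscustomobject]@{
        ValidityPeriod      = $period
        ValidityPeriodUnits = $units
        ConfiguredDays      = $configuredDays
        CaCertSubject       = $caCert.Subject
        CaCertNotAfter      = $caCert.NotAfter
        CaCertDaysLeft      = $remainingDays
        # AD CS truncates every issued certificate to the CA certificate's own NotAfter, so a
        # configured period longer than the remaining CA lifetime is silently cut short.
        IssuanceCapped      = ($null -ne $remainingDays) -and ($configuredDays -gt $remainingDays)
    }
}

Get-CaValidityReport | Format-List
```

On an Enterprise CA the certificate template's validity period is applied as well, so an issued certificate gets the shortest of the template period, the ValidityPeriod registry setting and the remaining lifetime of the CA certificate; an IssuanceCapped value of True means the CA certificate needs renewing, as the post describes.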