Windows CA - Best Practices - Expiration date, ..

ErazerMe 46 Reputation points
2020-08-05T14:11:36.967+00:00

Hello all,

as mentioned in many news tickers, the most common browsers (Chrome, Firefox, Safari, ..) will only accept certificates with a maximum lifetime of 1 year.
This also means that we have to replace all internally used web server certificates with the new certificate expiration.

Is there a best-practice for all the certificate template settings? Which expiration should I use for which template?
Web server - 1 year, user certificate - 2 years?
Is there any official documentation from Microsoft or the browser forum where all these topics are covered?

Second question:
How do others handle the certificate replacement?
Of course, for a normal Microsoft application like IIS this is no problem (right-click - renew certificate - finish). But in other applications like Tomcat, Apache or whatever it's not that easy. There we got a certificate request from the responsible application owner and provided the certificate back. There is no possibility to just replace/renew the already imported certificate. I think it's a very time-consuming process?

Thanks for any help

Windows Server Security
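The workflow the question describes for non-Windows applications (the application owner generates a CSR, the PKI team gets it signed by the enterprise CA and hands the certificate back) can be scripted end to end with certreq. The following is an added example, not code from the post or from Microsoft; the CA config string, the template internal name "WebServer" and the file paths are placeholders you must replace with your own.

```powershell
# Added example: sign a third-party CSR (Tomcat, Apache, ...) on an AD CS enterprise CA
# with certreq and return a base64 certificate plus the CA chain to the application owner.
# Assumptions (placeholders): CA config string "CAHOST\CA-Name", template internal name
# "WebServer", and the CSR/output paths. Run as a user with Enroll permission on the template.

function Submit-CsrToEnterpriseCa {
    param(
        [Parameter(Mandatory)][string]$CsrPath,   # base64 PKCS#10 produced by the app owner
        [Parameter(Mandatory)][string]$CaConfig,  # "CAHOST\CA-Name" (certutil -dump shows it)
        [string]$Template = 'WebServer',          # template *internal* name, not display name
        [string]$CerPath  = [IO.Path]::ChangeExtension($CsrPath, '.cer'),
        [string]$P7bPath  = [IO.Path]::ChangeExtension($CsrPath, '.p7b')
    )

    # Look at what you were handed before the CA signs it: subject, SANs and key size.
    $dump = certutil -dump $CsrPath
    if ($LASTEXITCODE -ne 0) { throw "Not a readable request file: $CsrPath" }
    $dump | Select-String 'Subject:|DNS Name=|Public Key Length' |
        ForEach-Object { $_.Line.Trim() } | Write-Host

    # Submit. -q suppresses the CA picker dialog. -attrib forces the template because a CSR
    # from openssl/keytool carries no template extension. certreq writes base64 by default,
    # which is what Apache and Tomcat tooling expect; the third file is the chain as PKCS#7.
    $out = certreq -submit -q -config $CaConfig -attrib "CertificateTemplate:$Template" `
                   $CsrPath $CerPath $P7bPath 2>&1
    $text = $out -join "`n"
    $reqId = [regex]::Match($text, 'RequestId:\s*(\d+)').Groups[1].Value
    if (-not $reqId) { throw "certreq did not return a RequestId:`n$text" }

    # If the template requires CA manager approval the request is pending; after a CA
    # manager issues it, the same RequestId is used to retrieve the certificate.
    if ($text -match 'pending') {
        Write-Warning ("Request $reqId is pending approval. After issuance run:`n" +
                       "  certreq -retrieve -q -config `"$CaConfig`" $reqId `"$CerPath`" `"$P7bPath`"")
        return [pscustomobject]@{ RequestId = $reqId; Status = 'Pending' }
    }

    # Report what the owner is getting and confirm it chains to a trusted root on this host.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
    [pscustomobject]@{
        RequestId  = $reqId
        Status     = 'Issued'
        Subject    = $cert.Subject
        SAN        = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        ChainOk    = $cert.Verify()
        Files      = @($CerPath, $P7bPath)
    }
}

# Usage (placeholder values):
# Submit-CsrToEnterpriseCa -CsrPath 'C:\req\tomcat01.csr' -CaConfig 'PKI01\Contoso Issuing CA' -Template 'WebServer'
```

The SAN line in the report is the thing to check before sending the file back: browsers ignore the subject CN, so a CSR that only carried a CN will yield a certificate the application's clients reject even though the CA happily issued it.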

2 answers

  1. Daisy Zhou 20,791 Reputation points Microsoft Vendor
    2020-08-06T02:54:08.797+00:00

    Hello AndyMeboldt,

    Thank you for posting in our Q&A forum.

    Here are the answers for your references.

    Q1: Is there a best-practice for all the certificate template settings? Which expiration should I use for which template?
    Webserver - 1 year, user certificate - 2 year?
    A1: We can set the validity period on the certificate template depending on your requirements.

    However, the issued certificate's validity period is the least of the values below.

    1) The expiry date of the issuing CA certificate.

    2) The validity period that is defined in the registry. It affects all certificates that are issued by stand-alone and
    enterprise CAs. For an enterprise CA, the default registry setting is two years.
    For a stand-alone CA, the default registry setting is one year.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriodUnits

    3) The template validity period, in the case of an enterprise (AD-integrated) CA.

    For example:

    The validity period of the issuing CA certificate is 10 years, but the remaining time of the issuing CA certificate is one month;
    the validity period on one certificate template is 5 years;
    the validity period that is defined in the registry, which affects all certificates issued by the enterprise CA, is 6 years:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriodUnits

    If we enroll one certificate using the certificate template above, the issued certificate's validity period is only one month.
    Or if we renew other certificates (assuming the validity period of the certificate template is at least one year), the validity period of the renewed certificates is one month.

    Q2: Is there any official documentation from microsoft or the browser-forum where all the topics are mentioned?
    A2: No, there is no such document.

    Q3: How do others handle the certificate replacement?
    A3: Usually, if we have an internal CA server (with the AD CS role), we can renew certificates issued by the CA server using the following three methods:
    1. Renew certificates by right-clicking the certificate > All Tasks > Renew Certificate with New Key, or Advanced Operations > Renew This Certificate with the Same Key.

    2. Renew certificates with GPO, if we configure the Autoenroll permission on the certificate template and configure a GPO with the auto-enrollment setting:

    Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrollment
    Or
    User Configuration > Policies > Windows Settings > Security Settings >Public Key Policies > Certificate Services Client – Auto-Enrollment

    3. Request a new certificate and replace the old certificates with the new certificates.

    References:
    CA Validity Period Extension and CA Certificate Renewal Process
    https://www.experts-exchange.com/articles/32336/CA-Validity-Period-Extension-and-CA-Certificate-Renewal-Process.html

    Recommendations for PKI Key Lengths and Validity Periods with Configuration Manager
    https://techcommunity.microsoft.com/t5/configuration-manager-archive/recommendations-for-pki-key-lengths-and-validity-periods-with/ba-p/272758

    Best Regards,
    Daisy Zhou

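The "least of three values" rule in A1 is easy to get wrong by hand, especially when the issuing CA certificate is close to expiry. The script below is an added example (not from the answer or from Microsoft) that reads all three limits on the CA host and reports which one will actually cap a certificate enrolled today. It assumes the CA's own certificate is in Cert:\LocalMachine\My with a subject CN equal to the CA name, that the active CA name is in the Active value under the CertSvc Configuration key, and that the template is looked up by its internal name (cn), e.g. "WebServer", in the Configuration naming context.

```powershell
# Added example: compute the effective validity of a certificate issued by an AD CS
# enterprise CA as the minimum of (1) CA certificate expiry, (2) the registry
# ValidityPeriod/ValidityPeriodUnits cap, (3) the template's pKIExpirationPeriod.
# Run on the CA host as a local administrator (domain-joined, so ADSI can read templates).
# Assumptions: CA name == subject CN of its certificate in Cert:\LocalMachine\My; the
# "Active" registry value holds the CA name; template name is the internal cn, not display name.

function Get-CaRegistryValidity {
    param([string]$CAName)
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not $CAName) { $CAName = (Get-ItemProperty -Path $base).Active }   # assumption: Active = CA name
    $cfg = Get-ItemProperty -Path (Join-Path $base $CAName)
    # ValidityPeriod is a string such as "Years"; ValidityPeriodUnits is the count (DWORD).
    [pscustomobject]@{ CAName = $CAName; Period = [string]$cfg.ValidityPeriod; Units = [int]$cfg.ValidityPeriodUnits }
}

function ConvertTo-ValidityTimeSpan {
    # Turns the CA's "<Units> <Period>" pair into a TimeSpan relative to $From
    # (years/months are calendar-based, so they must be computed from a start date).
    param([int]$Units, [string]$Period, [datetime]$From = (Get-Date))
    switch ($Period) {
        'Years'  { return $From.AddYears($Units)  - $From }
        'Months' { return $From.AddMonths($Units) - $From }
        'Weeks'  { return [TimeSpan]::FromDays(7 * $Units) }
        'Days'   { return [TimeSpan]::FromDays($Units) }
        'Hours'  { return [TimeSpan]::FromHours($Units) }
        default  { throw "Unknown ValidityPeriod value '$Period'" }
    }
}

function Get-TemplateValidity {
    # pKIExpirationPeriod on the template object is an 8-byte little-endian negative
    # interval in 100 ns ticks (Windows duration encoding); negate it to get a TimeSpan.
    param([Parameter(Mandatory)][string]$TemplateName)
    $configNC = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $tpl = [ADSI]"LDAP://$dn"
    $bytes = [byte[]]$tpl.Get('pKIExpirationPeriod')
    $ticks = [BitConverter]::ToInt64($bytes, 0)
    [TimeSpan]::FromTicks(-$ticks)
}

function Get-EffectiveValidity {
    param([Parameter(Mandatory)][string]$TemplateName, [string]$CAName, [datetime]$Now = (Get-Date))
    $reg = Get-CaRegistryValidity -CAName $CAName

    # Limit 1: the issuing CA's own certificate (take the newest if the CA has been renewed).
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$($reg.CAName)" -or $_.Subject -like "CN=$($reg.CAName),*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $caCert) { throw "CA certificate for '$($reg.CAName)' not found in Cert:\LocalMachine\My" }

    $limits = [ordered]@{
        'CA certificate expiry'          = $caCert.NotAfter
        'Registry ValidityPeriod(Units)' = $Now + (ConvertTo-ValidityTimeSpan -Units $reg.Units -Period $reg.Period -From $Now)
        'Template pKIExpirationPeriod'   = $Now + (Get-TemplateValidity -TemplateName $TemplateName)
    }
    $limiting = $limits.GetEnumerator() | Sort-Object Value | Select-Object -First 1

    [pscustomobject]@{
        Template          = $TemplateName
        CA                = $reg.CAName
        CACertExpires     = $limits['CA certificate expiry']
        RegistryLimit     = $limits['Registry ValidityPeriod(Units)']
        TemplateLimit     = $limits['Template pKIExpirationPeriod']
        EffectiveNotAfter = $limiting.Value
        LimitedBy         = $limiting.Key
    }
}

# Example: what will a certificate enrolled today from the WebServer template actually get?
Get-EffectiveValidity -TemplateName 'WebServer' | Format-List
```

If LimitedBy reports the CA certificate, renew the CA certificate before you touch templates or the registry: the answer's example (5-year template, 6-year registry cap, one month left on the CA) is exactly the case where every freshly issued certificate silently comes out with one month of validity.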

  2. Vadims Podāns 9,116 Reputation points MVP
    2020-08-05T15:59:42.01+00:00

    Which expiration should I use for which template?

    It's solely up to you and your requirements. It's OK to have 1-year server and 2-year client certificates.

    Is there any official documentation from microsoft or the browser-forum where all the topics are mentioned?

    No, there is no such documentation, nor best practices. Certificate validity is tied only to your and the application's requirements.

    How do other handles the certificate replacement?

    It is up to the particular application. Every application has its own certificate provisioning/renewal process and there is no universal answer. Consult the particular application's documentation for its renewal process.
