Hello 49885604,
Thank you for posting in Q&A forum.
Here are the answers for your reference.
1. Why does the Issuing CA certificate have such a long validity period?
A: The validity period of the CA is defined when the PKI is set up. I mean the person who sets up the PKI defines it when installing and deploying the CA.
2. Is it possible to decrease the validity of the Issuing CA certificate without having any negative effects on the system?
A: Typically, for two-tier PKI, the validity period of the root CA certificate is set to twice the validity period of the issuing certificate.
For example:
If the root CA is 20 years, then the issuing CA is 10 years.
If you want to decrease the validity of the Issuing CA certificate, you can try to test it in a test lab first; if it works in the lab, you can try to decrease the validity of the Issuing CA certificate in the production environment.
You can try to look for the CApolicy.inf file under C:\Windows and change/decrease the number of years as below.
You also need to check the number of years on the certificate template of the Subordinate Certification Authority.
The number of years on the Subordinate Certification Authority certificate depends on the lesser of the validity period in CApolicy.inf and the validity period in the certificate template.
We are telling CAPolicy.inf to extend the root certificate validity to 10 years upon root CA certificate renewal. Existing certificate validity cannot be extended, hence renewal is mandatory so that the extended validity period is reflected in a new certificate. So if you decrease the validity of the Issuing CA certificate, you should ensure that the existing certificates issued by the Issuing CA are not expired after you decrease the validity of the Issuing CA certificate.
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
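An added example, not part of the answer above, that models the two settings the answer names and the caveat in its last paragraph: it reads RenewalValidityPeriod/RenewalValidityPeriodUnits from a constructed CApolicy.inf fragment, takes the smaller of that and the Subordinate CA template validity, and lists already-issued certificates whose NotAfter would fall after the shortened Issuing CA certificate's NotAfter. The INF contents, template value, host names and dates are all constructed, and years are approximated as 365 days.

```python
import configparser
from datetime import datetime, timedelta

# Constructed CApolicy.inf fragment (assumed values, not from any real CA).
CAPOLICY_INF = """
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
"""

# Assumed: the Subordinate Certification Authority template is set to 10 years.
TEMPLATE_VALIDITY_DAYS = 10 * 365

# Constructed NotBefore of the renewed Issuing CA certificate and a constructed
# inventory of certificates it has already issued, as (subject, NotAfter) pairs.
RENEWED_CA_NOT_BEFORE = datetime(2028, 1, 1)
ISSUED = [
    ("web01.example.test", datetime(2030, 1, 1)),
    ("vpn-gw.example.test", datetime(2033, 6, 30)),
]

# Years are approximated as 365 days here; ADCS itself uses calendar arithmetic.
UNIT_DAYS = {"Years": 365, "Months": 30, "Weeks": 7, "Days": 1}


def capolicy_renewal_days(inf_text: str) -> int:
    """Read RenewalValidityPeriod/RenewalValidityPeriodUnits from [Certsrv_Server]."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep the key names exactly as written in the file
    cp.read_string(inf_text)
    section = cp["Certsrv_Server"]
    unit = section.get("RenewalValidityPeriod", "Years")
    count = int(section.get("RenewalValidityPeriodUnits", "0"))
    return count * UNIT_DAYS[unit]


def effective_sub_ca_days(capolicy_days: int, template_days: int) -> int:
    """The Subordinate CA certificate gets the smaller of the two configured values."""
    return min(capolicy_days, template_days)


def certs_outliving_ca(ca_not_before: datetime, ca_days: int, issued) -> list:
    """Subjects whose NotAfter is later than the shortened CA certificate's NotAfter."""
    ca_not_after = ca_not_before + timedelta(days=ca_days)
    return [subject for subject, not_after in issued if not_after > ca_not_after]
```

In a real environment the inventory would come from the CA database (for example `certutil -view`) rather than a constructed list.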