Changing Issuing CA validity period in Certification Authority

49885604 215 Reputation points
2024-03-06T21:15:16.6233333+00:00

Hello,

I have a Certification Authority with an Enterprise Root CA server that is not part of the domain (Workgroup). I also have an Issuing CA in a domain that enrolls certificates (Enterprise CA - Subordinate CA). The certificate of this Issuing CA has the same validity period of 25 years as the Root certificate.

My queries:

  • Why does the Issuing CA certificate have such a long validity period?
  • Is it possible to decrease the validity of the Issuing CA certificate without having any negative effects on the system?

Thank you for your assistance.

Regards, Alessio.


1 answer

  1. Anonymous
    2024-03-07T02:04:51.4033333+00:00

    Hello 49885604,

    Thank you for posting in Q&A forum.

    Here are the answers for your references.

    1. Why does the Issuing CA certificate have such a long validity period?
    A: The validity period of a CA is defined when we set up the PKI. I mean the person who set up the PKI defined it when installing and deploying the CA.

    2. Is it possible to decrease the validity of the Issuing CA certificate without having any negative effects on the system?
    A: Typically, for a two-tier PKI, the validity period of the root CA certificate is set to twice the validity period of the issuing CA certificate.

    For example:
    If the root CA is 20 years, then the issuing CA is 10 years.

    If you want to decrease the validity of the Issuing CA certificate, you can try to test it in a test lab first; if it works in the lab, you can try to decrease the validity of the Issuing CA certificate in the production environment.

    You can try to look for the CAPolicy.inf file under C:\Windows and change/decrease the number of years.

    And you also need to check the number of years on the certificate template of the Subordinate Certification Authority.

    The number of years on the Subordinate Certification Authority certificate depends on the smallest validity period value in CAPolicy.inf and in the certificate template.

    As we are telling CAPolicy.inf to extend the Root certificate validity to 10 years upon root CA certificate renewal: an existing certificate's validity cannot be extended, hence renewal is mandatory so that the extended validity period is reflected in a new certificate. So if you decrease the validity of the Issuing CA certificate, you should ensure that the existing certificates issued by the Issuing CA have not expired after you decrease the validity of the Issuing CA certificate.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

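As an added planning example (not code from the thread or from Microsoft), the following Python parses the CAPolicy.inf renewal keys the answer points to, applies the "smallest value wins" rule for the subordinate CA certificate together with the hard limit that AD CS never issues a certificate past the issuer's own NotAfter, and computes the date from which a shortened issuing CA certificate would start truncating newly issued certificates. The sample CAPolicy.inf, the template value and the dates are constructed, and the days-per-unit conversion is an approximation of AD CS calendar arithmetic.

```python
import configparser
from datetime import date, timedelta

# Constructed sample CAPolicy.inf (not the poster's file); the [Certsrv_Server]
# renewal keys are the real ones AD CS reads when the CA certificate is renewed.
CAPOLICY_INF = """
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
"""

# Approximate day counts per unit; AD CS itself uses calendar arithmetic.
_UNIT_DAYS = {"years": 365, "months": 30, "weeks": 7, "days": 1}


def renewal_validity_days(inf_text: str) -> int:
    """Validity (in days) that CAPolicy.inf requests for the renewed CA certificate."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names as written in the .inf
    cp.read_string(inf_text)
    srv = cp["Certsrv_Server"]
    unit = srv.get("RenewalValidityPeriod", "Years").strip().lower()
    return int(srv.get("RenewalValidityPeriodUnits", "0")) * _UNIT_DAYS[unit]


def sub_ca_validity_days(policy_days: int, template_days: int,
                         parent_not_after: date, issued_on: date) -> int:
    """Smallest of the CAPolicy.inf value, the Subordinate CA template value and
    the parent CA's remaining lifetime: a certificate never outlives its issuer."""
    remaining = (parent_not_after - issued_on).days
    return min(policy_days, template_days, remaining)


def truncation_start(ca_not_after: date, leaf_validity_days: int) -> date:
    """From this date on, certificates of the given validity issued by the CA are
    cut short at the CA certificate's own NotAfter; renew the CA before it."""
    return ca_not_after - timedelta(days=leaf_validity_days)


if __name__ == "__main__":
    issued, root_not_after = date(2024, 3, 7), date(2049, 3, 7)  # 25-year root
    days = sub_ca_validity_days(renewal_validity_days(CAPOLICY_INF), 3650,
                                root_not_after, issued)
    sub_not_after = issued + timedelta(days=days)
    print("issuing CA NotAfter:", sub_not_after)
    print("renew before (2-year leaf certs):", truncation_start(sub_not_after, 730))
```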

