This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 72%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
The CA is running Server 2012R2. I've duplicated the Web Server template, changed the expiration to 5 years and enabled "Allow private key to be exported". Subject name is set to "Supply in the request".
If I generate a CSR and sign it using this template, the expiration is in 2 years and I am unable to export the private key. Here you can see the template was used:
But if I open the cert, you can see the expiration is not correct and I'm unable to export private key.
how do you generate CSR?
Under "Certificates (Local Computer)" right click on Personal->Certificates, All Tasks, Advanced Options, Create Custom Request
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @jetmicll2020 ,
Thank you for posting here.
Based on the description, we have two questions.
For the first question, we can see the expiration is not correct.
Based on my knowledge, the issued certificate validity period depends upon least value of below.
(1)The remaining lifetime of the root CA server
(2)The value specified in the certificate template
(3)The value specified in the CA server registry (default is 2 years)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriodUnits
Maybe the validity period of your cert takes the value of ValidityPeriodUnits in registry, so we can check the three values.
For the second question, the private key can not be expoted.
We need to check the the option "Allow private key to be exported" in the certificate template and check the option "Make the private key exportable" during generating CSR file as below.
At last, we can follow the steps in the similar case to enroll a certificate.
Unable to sign CSR with Microsoft Windows CA
https://learn.microsoft.com/en-us/answers/questions/89382/unable-to-sign-csr-with-microsoft-windows-ca.html
Hope the information above is helpful. If anything is unclear, please feel free to let us know.
Best Regards,
Daisy Zhou
Thank you for the reply Daisy Zhou.
The root CA server has an expiration of 10 years
However, the registry setting is set to (2). So this is what overrides my template setting?
As far as exporting the private key, you can see from my screenshot in the original post that the template is set to "Allow private key to be exported".
I am also selecting this option when generating the CSR as you can see below:
Once the .req file is saved, I copy and paste the contents to the cert website and download the base 64 cert, but can not export the private key.
I got it! So the issue was that I was attempting to export the private key in the wrong way. I was merely opening the certificate and doing "copy to file" and it was grayed out that way. I am able to do it from the certificate store -> actions -> export -> export private key
Hello @jetmicll2020 ,
Thank you for your update.
They (from the certificate store -> actions -> export -> export private key) are the correct steps to export certificate with private key.
Meanwhile, thank you for accepting my reply as answer. I am very glad that the information is helpful and the problem has been solved.
As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!
Best Regards,
Daisy Zhou