Certificate Services: Custom template settings not applying to certificate.

jetmicll2020 21 Reputation points
2020-12-08T21:08:21.437+00:00

The CA is running Server 2012R2. I've duplicated the Web Server template, changed the expiration to 5 years and enabled "Allow private key to be exported". Subject name is set to "Supply in the request".

46308-general.png 46391-exp.png 46326-subname.png

If I generate a CSR and sign it using this template, the expiration is in 2 years and I am unable to export the private key. Here you can see the template was used:
46401-issued.png

But if I open the cert, you can see the expiration is not correct and I'm unable to export private key.
46411-cert.png 46299-end.png

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,832 questions
{count} votes

Accepted answer
  1. Daisy Zhou 23,346 Reputation points Microsoft Vendor
    2020-12-09T06:32:20.87+00:00

    Hello @jetmicll2020 ,

    Thank you for posting here.

    Based on the description, we have two questions.

    For the first question, we can see the expiration is not correct.

    Based on my knowledge, the issued certificate validity period depends upon least value of below.
    (1)The remaining lifetime of the root CA server
    (2)The value specified in the certificate template
    (3)The value specified in the CA server registry (default is 2 years)
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriodUnits

    Maybe the validity period of your cert takes the value of ValidityPeriodUnits in registry, so we can check the three values.

    For the second question, the private key can not be expoted.
    We need to check the the option "Allow private key to be exported" in the certificate template and check the option "Make the private key exportable" during generating CSR file as below.
    46407-333.png

    At last, we can follow the steps in the similar case to enroll a certificate.
    Unable to sign CSR with Microsoft Windows CA
    https://learn.microsoft.com/en-us/answers/questions/89382/unable-to-sign-csr-with-microsoft-windows-ca.html

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.