Hello @敏瑞 罗,
Thank you for your update.
You can check the remaining lifetime of the root CA server. If the remaining lifetime of the root CA server is one day, then even if the validity period on the certificate template is 10 years, the validity period of the cert issued by the CA is one day.
If the remaining lifetime of the root CA server is 10 years, the value specified in the certificate template is 10 years, and the value specified in the CA server registry is 10 years (default is 2 years), then the validity period of the cert issued by the CA is 10 years.
Tip: The validity period of any certificate generated by a Windows CA is the smallest of the three values above.
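The three limits described in the answer above can be read on the CA server and compared directly. The following PowerShell script is an added example, not part of the original answer; `$TemplateYears` is a hypothetical parameter entered by hand from the template's validity period, and the script assumes it runs on the CA server with the current CA certificate present in the `LocalMachine\My` store.

```powershell
# Added example (not from the original answer): shows which of the three
# limits caps the lifetime of a certificate issued right now by this CA.
param(
    # Assumption: validity period of the template in years, entered by hand.
    [Parameter(Mandatory)] [int] $TemplateYears
)

$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# "Active" holds the name of the CA configured on this server.
$caName = (Get-ItemProperty -LiteralPath $cfgRoot).Active
$ca     = Get-ItemProperty -LiteralPath (Join-Path $cfgRoot $caName)

# CACertHash lists one thumbprint per CA certificate; the last real entry
# is the current one (renewals append, missing indexes are stored as "-").
$thumb  = ($ca.CACertHash | Where-Object { $_ -match '[0-9a-fA-F]{2}' } |
           Select-Object -Last 1) -replace '\s', ''
$caCert = Get-Item -LiteralPath "Cert:\LocalMachine\My\$thumb"

$now = Get-Date

# Limit 1: the CA cannot issue past the end of its own certificate.
$caEnd = $caCert.NotAfter

# Limit 2: validity period requested by the certificate template.
$templateEnd = $now.AddYears($TemplateYears)

# Limit 3: CA-wide cap from the registry (ValidityPeriod + ValidityPeriodUnits).
$units = [int]$ca.ValidityPeriodUnits
$registryEnd = switch ($ca.ValidityPeriod) {
    'Years'  { $now.AddYears($units) }
    'Months' { $now.AddMonths($units) }
    'Weeks'  { $now.AddDays(7 * $units) }
    'Days'   { $now.AddDays($units) }
    default  { throw "Unhandled ValidityPeriod unit '$($ca.ValidityPeriod)'" }
}

$limits = @(
    [pscustomobject]@{ Source = 'CA certificate lifetime'; NotAfter = $caEnd }
    [pscustomobject]@{ Source = 'Certificate template';    NotAfter = $templateEnd }
    [pscustomobject]@{ Source = "CA registry ($units $($ca.ValidityPeriod))"; NotAfter = $registryEnd }
) | Sort-Object NotAfter

$limits | Format-Table -AutoSize
"Limiting factor: $($limits[0].Source); issued certificates expire by $($limits[0].NotAfter)"
```

The registry values the script reads are the same ones shown by `certutil -getreg ca\ValidityPeriod` and `certutil -getreg ca\ValidityPeriodUnits`.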