About the validity period of the certificate issued by ADCS of Windows Server 2019

敏瑞 罗 21 Reputation points
2021-04-16T08:40:32.927+00:00

I have a server running ADCS. It is in the domain. Its root certificate is valid for 10 years, but the certificates issued from the certificate template are only valid for a short period of time. I now hope to extend the validity period of the certificates issued by this server to 10 years. I checked the relevant information and modified the registry, but it did not work.


Accepted answer
  1. Daisy Zhou 12,921 Reputation points Microsoft Employee
    2021-04-21T09:28:50.467+00:00

    Hello @敏瑞 罗 ,

    Thank you for your update.

    You can check the remaining lifetime of the root CA server. If the remaining lifetime of the root CA server is one day, then even if the validity period on the certificate template is 10 years, the validity period of the cert issued by the CA is one day.

    If the remaining lifetime of the root CA server is 10 years, the value specified in the certificate template is 10 years,
    and the value specified in the CA server registry is 10 years (default is 2 years):

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriodUnits

    then the validity period of the cert issued by the CA is 10 years.

    Tip: The validity period of any certificate generated by a Windows CA is the lesser of these three values above.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


1 additional answer

  1. Daisy Zhou 12,921 Reputation points Microsoft Employee
    2021-04-19T01:48:21.523+00:00

    Hello @敏瑞 罗 ,

    Thank you for posting here.

    The validity period of any certificate generated by a Windows CA is the lesser of these three values:
    (1) The remaining lifetime of the root CA server
    (2) The value specified in the certificate template
    (3) The value specified in the CA server registry (default is 2 years)

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriodUnits

    The validity period that is defined in the registry affects all certificates that are issued by Stand-alone and Enterprise CA. For Enterprise CA, the default registry setting is two years.

    For Stand-alone CA, the default registry setting is one year.

    Based on the description "I have a server running ADCS. It is in the domain", your CA should be online Enterprise CA.

    You can change the three values above; then the certificates issued by the CA will change based on your changes.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou
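The "lesser of three values" rule from both answers, worked through as an added example (not code from the thread or from Microsoft): it takes the CA certificate's expiry, the template validity and the CA registry `ValidityPeriod` string plus `ValidityPeriodUnits` (the values `certutil -getreg ca\ValidityPeriod` / `ca\ValidityPeriodUnits` would show), and reports which limit actually caps a certificate issued on a given date. The CA expiry and issuance date below are constructed sample values; the day counts for years and months are approximations.

```python
from datetime import datetime, timedelta, timezone

# Approximate day counts for the unit names ADCS accepts in the
# CA\ValidityPeriod registry value (good enough to see which limit wins).
UNIT_DAYS = {"Years": 365, "Months": 30, "Weeks": 7, "Days": 1}


def registry_limit(validity_period: str, validity_period_units: int) -> timedelta:
    """Combine ValidityPeriod ("Years", "Months", ...) and ValidityPeriodUnits."""
    return timedelta(days=UNIT_DAYS[validity_period] * validity_period_units)


def effective_validity(issued_at: datetime, ca_not_after: datetime,
                       template_validity: timedelta, reg_validity: timedelta):
    """Return (not_after, limiting_factor) for a cert issued at issued_at.

    A Windows CA issues for the lesser of: the CA certificate's remaining
    lifetime, the template's validity period, and the registry limit.
    """
    candidates = {
        "remaining CA lifetime": ca_not_after - issued_at,
        "certificate template": template_validity,
        "CA registry ValidityPeriodUnits": reg_validity,
    }
    factor = min(candidates, key=candidates.get)  # shortest period wins
    return issued_at + candidates[factor], factor


# Constructed sample: root CA cert issued 2020-01-01 for 10 years, a template
# set to 10 years, and a request made on 2021-04-16 (the asker's scenario).
CA_NOT_AFTER = datetime(2030, 1, 1, tzinfo=timezone.utc)
ISSUED_AT = datetime(2021, 4, 16, tzinfo=timezone.utc)
TEMPLATE_VALIDITY = timedelta(days=10 * 365)


def scenario(validity_period_units: int):
    """Issue against the sample CA with the given registry ValidityPeriodUnits (Years)."""
    return effective_validity(ISSUED_AT, CA_NOT_AFTER, TEMPLATE_VALIDITY,
                              registry_limit("Years", validity_period_units))


if __name__ == "__main__":
    for units in (2, 10):  # Enterprise CA default, then the asker's desired value
        not_after, factor = scenario(units)
        print(f"ValidityPeriodUnits={units}: expires {not_after.date()} "
              f"(limited by {factor})")
```

With the default of 2 years the registry caps the certificate at 2023-04-16; raising it to 10 years moves the cap to the root CA's own expiry in 2030, which is why a 10-year template alone was not enough.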