This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 80%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
I have a server running ADCS. It is in the domain. Its root certificate is valid for 10 years, but the certificate issued by the certificate template is only for a short period of time. I now hope to extend the validity period of the certificate issued by this server. For 10 years, I checked the relevant information, I modified the registry, but it did not work
Is there a reason to have a 10yr valid certificate? This doesn't seem right for non-CA certificates.
This is an exam question, the question is like this, as for the specific meaning, I don’t know
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @敏瑞 罗 ,
Would you please tell me how things are going on your side. If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
Thanks for your time and have a nice day!
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Hello @敏瑞 罗 ,
Thank you for your update.
You can check the remaining lifetime of the root CA server, if the remaining lifetime of the root CA server is one day, even if validity period on certificate template is 10 years, validity period of the cert issued by CA is one day.
If the remaining lifetime of the root CA server is 10 years, the value specified in the certificate template is 10 years
and the value specified in the CA server registry is 10 year (default is 2 years)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriodUnits
Then validity period of the cert issued by CA is 10 year.
Tip: The validity period of any certificate generated by a Windows CA is the lesser of these three values above.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
After my experiment, the result of the experiment is as you said, thank you again for your answer!
Hello @敏瑞 罗 ,
Thank you for your update and accepting my reply as answer. I am very glad that the information is helpful and the problem has been solved.
As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!
Best Regards,
Daisy Zhou
Hello @敏瑞 罗 ,
Thank you for posting here.
The validity period of any certificate generated by a Windows CA is the lesser of these three values:
(1)The remaining lifetime of the root CA server
(2)The value specified in the certificate template
(3)The value specified in the CA server registry (default is 2 years)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriodUnits
The validity period that is defined in the registry affects all certificates that are issued by Stand-alone and Enterprise CA. For Enterprise CA, the default registry setting is two years.
For Stand-alone CA, the default registry setting is one year.
Based on the description "I have a server running ADCS. It is in the domain", your CA should be online Enterprise CA.
You can chage the three value above, then the certificate issued by CA can be changed based on your changs.
Hope the information above is helpful.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
Thank you for your answer, so I can only extend the validity period of the certificate by modifying the template of the certificate, right? 谢谢