
Certificate expiration

Handian Sudianto 7,221 Reputation points
2026-05-26T00:36:36.68+00:00

I have a User certificate template with the validity period set to 5 years, but why is the actual certificate only valid for 2 years?

[Two screenshots attached to the question]

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)

2 answers

  1. Harry Phan 21,505 Reputation points Independent Advisor
    2026-05-26T01:26:17.3866667+00:00

    Hello Handian,

    The discrepancy comes from the Certificate Authority’s configured maximum validity period, not the template itself. Even though your template is set to 5 years, the CA enforces its own upper limit defined in the registry under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\MaxValidityPeriod. By default, most enterprise CAs restrict user certificates to 2 years unless this value is explicitly extended. The certificate issuance process always honors the shorter of the two values: the template validity or the CA’s maximum validity.

    To align the issued certificate with your 5‑year template, you need to update the CA’s maximum validity period in the registry and then restart the Certificate Services. Be aware that extending user certificate lifetimes beyond 2 years is generally discouraged from a security standpoint, and Microsoft’s best practice is to keep user certs at 1–2 years to reduce exposure. If you still require 5 years for operational reasons, adjust the CA policy accordingly, but ensure you have strong revocation and monitoring in place.


    If the above response helps answer your question, please hit "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    Harry.



  2. AI answer

    2026-05-26T00:36:50.2766667+00:00

    The issued certificate is only valid for 2 years because a CA can’t issue a certificate with a validity period longer than the minimum of several limits, not just the template setting.

    For an Enterprise CA, the actual validity of an issued certificate is the minimum of:

    1. The CA’s registry validity period (ValidityPeriod / ValidityPeriodUnits).
    2. The certificate template validity period (your 5‑year setting).
    3. The remaining validity of the CA’s own signing certificate.
    4. Any validity specified via request attributes if the CA is configured to honor them.

    If any of these is 2 years (most commonly the CA’s registry validity period or the remaining lifetime of the CA certificate), the issued user certificate will be 2 years even though the template is set to 5 years.

    To have 5‑year user certificates, all of the following must be at least 5 years:

    • The CA certificate’s remaining lifetime.
    • The CA’s registry validity settings (for example, ValidityPeriod = Years and ValidityPeriodUnits = 5).
    • The template validity period (already 5 years in the screenshot).

    If needed, adjust the CA’s registry validity period on the CA server and ensure the CA certificate lifetime supports the desired period. Remember that the CA can never issue a certificate that outlives its own CA certificate.



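Both answers boil down to the same check: find which of the three limits (CA registry validity, remaining CA certificate lifetime, template validity) is the one actually capping the issued certificate. The script below is an added example, not code from either answerer or from the thread. It is meant to be run on the CA server itself; it reads the ValidityPeriod and ValidityPeriodUnits values named in the second answer, looks up the CA's own certificate through the CACertHash registry value, and decodes the template's pKIExpirationPeriod attribute from AD. The template name "User" and the Years=365/Months=30 day conversions are assumptions; the fix commands are printed rather than executed.

```powershell
# Added example (not from the thread). Run on the Enterprise CA server.
# Shows which limit caps the lifetime of certificates issued from a template.
param(
    [string]$TemplateName = 'User'   # assumed; the question does not name the template
)

$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active      # name of the active CA instance
$caReg   = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

# 1. CA registry cap: ValidityPeriod is the unit string, ValidityPeriodUnits the count.
#    Day conversions are approximate (assumption); the CA uses calendar arithmetic.
$unitDays  = @{ Hours = 1/24; Days = 1; Weeks = 7; Months = 30; Years = 365 }
$caCapDays = $caReg.ValidityPeriodUnits * $unitDays[$caReg.ValidityPeriod]

# 2. Remaining life of the CA's signing certificate. CACertHash is a REG_MULTI_SZ of
#    SHA-1 thumbprints; the last entry is the current (most recently renewed) CA cert.
$thumb  = ($caReg.CACertHash | Select-Object -Last 1) -replace '\s', ''
$caCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -ieq $thumb }
$caRemainingDays = ($caCert.NotAfter - (Get-Date)).TotalDays

# 3. Template validity from AD. pKIExpirationPeriod is a little-endian Int64 holding a
#    negative count of 100 ns intervals, so negate it to get a positive TimeSpan.
$rootDse = [ADSI]'LDAP://RootDSE'
$tplDn   = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services," +
           "$($rootDse.configurationNamingContext)"
$tpl     = [ADSI]"LDAP://$tplDn"
$raw     = [byte[]]$tpl.Properties['pKIExpirationPeriod'].Value
$templateDays = [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($raw, 0)).TotalDays

$limits = [ordered]@{
    "CA registry ($($caReg.ValidityPeriodUnits) $($caReg.ValidityPeriod))"            = [math]::Round($caCapDays)
    "CA certificate remaining (expires $($caCert.NotAfter.ToShortDateString()))"     = [math]::Round($caRemainingDays)
    "Template '$TemplateName'"                                                        = [math]::Round($templateDays)
}
$limits.GetEnumerator() | ForEach-Object { '{0,-60} {1,6} days' -f $_.Key, $_.Value }

# The issued lifetime is the smallest of the three.
$binding = $limits.GetEnumerator() | Sort-Object Value | Select-Object -First 1
'Effective maximum: {0} days, bound by: {1}' -f $binding.Value, $binding.Key

# Only when the CA registry cap is the binding limit is the change both answers
# describe the right one. Printed, not executed, so this script stays read-only.
if ($binding.Key -like 'CA registry*') {
    @'
To raise the CA cap to 5 years (needs CA administrator rights; the restart pauses issuance):
  certutil -setreg CA\ValidityPeriod "Years"
  certutil -setreg CA\ValidityPeriodUnits 5
  Restart-Service certsvc
'@
}
```

If the binding limit turns out to be the CA certificate's remaining lifetime, no registry change will help: the CA must be renewed first, since it never issues a certificate that outlives its own. After changing the cap, enroll a fresh certificate and read its NotAfter, because already issued certificates keep the validity they were issued with.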
