Increase Certificate Validity Period in Windows Server Certificate Services

Introduction

This article is a short post on how to increase both the validity time of the Root CA certificate and certificates issued either directly from the Root CA or from a Subordinate CA (issuing CA) on Windows Servers running the Certificate Services.

I reinstall my lab environment from time to time and have had to deal with too short a validity period for these two use cases in some scenarios, so this article is just me quickly going through how to fix this.

!! Do note that changing the validity period for your Root CA requires you to regenerate your Root CA certificate for the changes to take effect, making the previous one invalid. Do not do this lightly in production environments that are already up and running !!

The Problem

By default, the Root CA certificate in Microsoft’s Certificate Services is only valid for 5 years and issued certificates from the Root CA (or sub-CAs) are only valid for 2 years.

Changing your Root CA server every 5 years is probably a huge task for most environments and most deployments tend to increase the validity time of the Root CA certificate significantly when the Root CA server is initially installed.

As for issued certificates only lasting 2 years, while this is a valid best practice for security reasons, there might be a time when you want to issue a certificate that lasts longer, for various reasons.

Using the solutions below, we will fix both of these problems.

Solution - Increase Root CA certificate validity period

Since Root CA servers are supposed to exist for a very, very long time and do little work after issuing sub-CA certificates to the sub-CAs that will actually spend their time issuing certificates, it is wise to set the validity period of the Root CA certificate to something like 20 years.

Create a file named “CAPolicy.inf” and place it in the folder C:\Windows\ on your Root CA.

Use the following parameters to set the validity period for the Root CA certificate to 20 years.

[Version]
Signature = "$Windows NT$"

[certsrv_server]
RenewalValidityPeriodUnits = 20
RenewalValidityPeriod = years

With these settings in place, we must now renew (regenerate) the Root CA certificate itself.

Start up the Certification Authority console (certsrv.msc), right-click on your Root CA server and select All Tasks > Renew CA Certificate…

This stops the Certificate Services, after which you are asked to confirm that you want to renew the Root CA certificate. The Certificate Services are restarted once this step completes.

Don’t forget to distribute the new Root CA certificate to where it needs to be and issue new sub-CA certificates (or regular certificates if you have a small lab like me, with no sub-CAs at all).

Solution - Increase the validity period limit for issued certificates

To increase the maximum validity periods of certificates issued from either the Root CA directly or from a sub-CA, run these commands as an Administrator in PowerShell.

These commands will increase the maximum validity period from 2 years (default) to 10 years.

certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg ca\ValidityPeriodUnits "10"

Restart the Certificate Services service (or reboot the whole server) to activate the changes.

Confirm the settings using these two commands in PowerShell.

certutil -getreg ca\ValidityPeriod
certutil -getreg ca\ValidityPeriodUnits
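As an added example that is not part of the original post, the PowerShell below reads the same two registry values that certutil -setreg writes, exports the CA's own certificate, and reports the latest NotAfter the CA can actually put on an issued certificate. The point it makes is that the registry cap is only one limit: a CA never issues a certificate that outlives its own CA certificate, so a 10-year cap on a CA whose certificate expires in 3 years yields 3-year certificates at most. It assumes it runs as Administrator on the CA server, that the CA name is read from the CertSvc "Active" registry value, and that the CA certificate is exported with "certutil -ca.cert" to a temporary file.

```powershell
# Added example, not from the original post. Run as Administrator on the CA server.
# Assumptions: the CA name comes from the CertSvc 'Active' registry value and the
# CA certificate is exported with "certutil -f -ca.cert" to a temporary file.
function Get-CaValidityStatus {
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base -Name Active).Active
    $cfg    = Get-ItemProperty -Path (Join-Path $base $caName)

    # These are the values the article sets with "certutil -setreg ca\ValidityPeriod*".
    $units  = [int]$cfg.ValidityPeriodUnits
    $period = [string]$cfg.ValidityPeriod
    $now    = Get-Date
    $capFromRegistry = switch ($period.ToLower()) {
        'years'  { $now.AddYears($units) }
        'months' { $now.AddMonths($units) }
        'weeks'  { $now.AddDays(7 * $units) }
        'days'   { $now.AddDays($units) }
        default  { throw "Unexpected ValidityPeriod value '$period'" }
    }

    # The CA never issues a certificate that outlives its own certificate, so the
    # registry cap only applies while the CA certificate has that much life left.
    # (On an enterprise CA the certificate template's validity also caps the result;
    # that is not read here.)
    $cerPath = Join-Path $env:TEMP 'ca-cert-check.cer'
    certutil -f -ca.cert $cerPath | Out-Null
    $caCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
    Remove-Item $cerPath -ErrorAction SilentlyContinue

    $effective = if ($caCert.NotAfter -lt $capFromRegistry) { $caCert.NotAfter } else { $capFromRegistry }

    [pscustomobject]@{
        CAName                 = $caName
        ConfiguredMaxValidity  = "$units $period"
        CACertExpires          = $caCert.NotAfter
        LatestIssuableNotAfter = $effective
        LimitedByCACert        = ($effective -eq $caCert.NotAfter)
    }
}

Get-CaValidityStatus | Format-List
```

If LimitedByCACert comes back True, raising ValidityPeriodUnits further changes nothing until the CA certificate itself is renewed as described in the first solution.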