Today I want to discuss one question about CA certificate validity and how it can be changed.

Issue background

A short abstract. When you install a Windows Certification Authority, the default CA certificate validity is 5 years. It seems a long period, and many young administrators leave the default value (especially if they are not very experienced in certificate services). After a while it turns out that 5 years is too short a validity for a CA certificate, and administrators look for a resolution.

Another scenario: you have an Enterprise Root CA and you want to deploy a new subordinate CA. Since Enterprise CAs use certificate templates, a default template (Subordinate Certification Authority) will be used. However, this template contains a default validity period of 5 years. Since the 'Subordinate Certification Authority' template is version 1, it is not possible to change anything there except security permissions. OK, you can duplicate the default template and create a new one for subordinate CAs. However, this won't work because the Enterprise Subordinate CA installation wizard hardcodes the template name; as a result the custom subordinate CA template will not be used. Epic fail!

However, it is not as bad as it looks. The following information will help you redefine CA certificate validity during initial installation and CA certificate renewal.

Root CA

Root CA certificate validity can be set interactively only during AD CS role installation. It is not possible to change root CA certificate validity without certificate renewal. If your root CA certificate is valid for 5 years (the default) and you want to increase this value, you must create (or edit the existing) CAPolicy.inf file and place it in the system root folder (by default C:\Windows). CAPolicy.inf must contain at least this information:

[Version]
Signature = "$Windows NT$"

[certsrv_server]
RenewalValidityPeriodUnits = 10
RenewalValidityPeriod = years

The setting is self-explanatory. As its name shows, the setting is used only during root CA certificate renewal. Even if you define this value in the CAPolicy.inf file before AD CS role installation, you still need to specify the initial CA certificate validity in the installation wizard. Also, many administrators use long keys (4096 bits and longer) for higher security. However, long keys are not supported by all applications; as a result it may be necessary to reduce the key length at renewal. To decrease the key length you need to add this entry to the [certsrv_server] section:

RenewalKeyLength = 2048

Again, this setting is used only when the CA certificate is renewed with a new key pair. Nowadays it is recommended to set up CAs with a key length of 2048 bits for compatibility purposes. If you renew the CA certificate and reuse the existing keys, this setting is ignored. For more details you should read this article: CAPolicy.inf Syntax. In fact you can redefine any values for CA certificates in CAPolicy.inf with the following exceptions:

  • CA certificate subject;
  • Cryptographic Service Provider (CSP) that is used for key generation.

These settings can be changed only by reinstalling AD CS role.

Subordinate CA

A slightly different process applies to non-root CAs, i.e. subordinate or intermediate CAs. During subordinate CA installation you are not prompted for CA certificate validity. Also, the setting mentioned above (renewal validity period) has no effect during subordinate CA certificate renewal. This is because subordinate CA certificate validity is determined by the issuer (Policy CA or Root CA). There is one general rule for issued certificate validity: the issued certificate validity will be the smallest of:

  • estimated (remaining) CA certificate validity;
  • ValidityPeriod and ValidityPeriodUnits setting in the CA configuration (see below);
  • value defined in the certificate template (if available).

The following steps should be used to configure subordinate CA certificate depending on the issuer type.

Issuer is Standalone CA

If your Root/Policy CA is a Standalone CA, then subordinate CA certificate validity will be 1 year only (by default). To resolve this issue you must configure your root CA accordingly. The following commands set the maximum validity of all certificates issued by the CA:

certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod Years
net stop certsvc && net start certsvc

Consider implementing these lines in the CA post-installation script. Once this setting is applied, the CA will issue certificates for 10 years. However, issued validity cannot exceed the CA certificate's remaining lifetime and may therefore be less than the value defined above.
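The "smallest of" rule above and the ValidityPeriod setting are easy to get wrong in the other direction: a CA configured for 10 years whose own certificate expires in 3 will silently issue 3-year certificates. The following PowerShell is an added example, not code from the original post. It takes the three inputs (remaining CA certificate lifetime, the CA\ValidityPeriod / CA\ValidityPeriodUnits pair as certutil reports it, and an optional template validity in days) and reports which one actually limits issued certificates. The sample values at the bottom are constructed; on a real CA you would read the registry pair with certutil -getreg and the NotAfter date from the CA certificate in Cert:\LocalMachine\My.

```powershell
# Added example (not from the original post): find the longest validity a CA
# can actually put on an issued certificate, which is the smallest of
#   1. the remaining lifetime of the CA's own certificate,
#   2. the CA\ValidityPeriod / CA\ValidityPeriodUnits registry setting,
#   3. the template validity (Enterprise CAs only; 0 on a Standalone CA).

function ConvertTo-ValiditySpan {
    # Convert a certutil-style (Units, Period) pair into a TimeSpan.
    # Note the historical swap: ValidityPeriod holds the unit word and
    # ValidityPeriodUnits holds the number.
    param(
        [Parameter(Mandatory)][int]$Units,
        [Parameter(Mandatory)][ValidateSet('Years','Months','Weeks','Days','Hours')][string]$Period
    )
    switch ($Period) {
        'Years'  { New-TimeSpan -Days (365 * $Units) }
        'Months' { New-TimeSpan -Days (30 * $Units) }   # approximation, good enough for a comparison
        'Weeks'  { New-TimeSpan -Days (7 * $Units) }
        'Days'   { New-TimeSpan -Days $Units }
        'Hours'  { New-TimeSpan -Hours $Units }
    }
}

function Get-EffectiveIssuedValidity {
    param(
        [Parameter(Mandatory)][datetime]$CaNotAfter,       # NotAfter of the CA's own certificate
        [Parameter(Mandatory)][int]$ValidityPeriodUnits,   # certutil -getreg CA\ValidityPeriodUnits
        [Parameter(Mandatory)][string]$ValidityPeriod,     # certutil -getreg CA\ValidityPeriod
        [int]$TemplateValidityDays = 0,                    # template setting; leave 0 on a Standalone CA
        [datetime]$Now = (Get-Date)
    )
    $candidates = @(
        [pscustomobject]@{ Source = 'Remaining CA certificate lifetime'; Span = $CaNotAfter - $Now }
        [pscustomobject]@{ Source = 'CA\ValidityPeriod registry setting'; Span = ConvertTo-ValiditySpan -Units $ValidityPeriodUnits -Period $ValidityPeriod }
    )
    if ($TemplateValidityDays -gt 0) {
        $candidates += [pscustomobject]@{ Source = 'Certificate template'; Span = New-TimeSpan -Days $TemplateValidityDays }
    }
    # The shortest candidate wins; return it together with its origin.
    $candidates | Sort-Object Span | Select-Object -First 1
}

# Constructed sample 1: Standalone root left at its defaults (1 Years) with 5 years left on its own cert.
$default = Get-EffectiveIssuedValidity -CaNotAfter (Get-Date).AddYears(5) -ValidityPeriodUnits 1 -ValidityPeriod Years
"Default Standalone CA: {0:N0} days, limited by: {1}" -f $default.Span.TotalDays, $default.Source

# Constructed sample 2: ValidityPeriod raised to 10 years, but the CA certificate itself expires in 3.
$result = Get-EffectiveIssuedValidity -CaNotAfter (Get-Date).AddYears(3) -ValidityPeriodUnits 10 -ValidityPeriod Years
"Configured for 10 years: {0:N0} days, limited by: {1}" -f $result.Span.TotalDays, $result.Source
if ($result.Source -like 'Remaining*') {
    Write-Warning "ValidityPeriod exceeds the CA certificate's remaining lifetime; renew the CA certificate first."
}
```

The second sample is the situation the paragraph above warns about: the registry says 10 years, but every certificate the CA issues will be cut to the roughly 3 years its own certificate has left, so the fix is a CA certificate renewal rather than another certutil -setreg.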

Issuer is Enterprise CA

While it is not recommended to deploy Enterprise CAs in two or more levels, this configuration may exist. As stated above, an Enterprise CA always uses template information to determine issued certificate validity. The default 'Subordinate Certification Authority' template sets subordinate CA certificate validity to 5 years, which is not enough for various PKI implementations. The only way to change subordinate CA validity is to duplicate the existing version 1 template named 'Subordinate Certification Authority' and create a custom version 2 or 3 template with custom validity settings. Do not forget to add this template to the Issuing Templates list on the issuer. In addition, you need to set validity settings in the issuer configuration:

certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod Years
net stop certsvc && net start certsvc

Since the subordinate CA installation wizard hardcodes the default template name, it is necessary to create (or edit the existing) CAPolicy.inf on the subordinate CA and add the following [RequestAttributes] section:

[Version]
Signature = "$Windows NT$"

[RequestAttributes]
CertificateTemplate = "CustomTemplateCommonName"

This setting forces the CA server to use the custom template instead of the default one. Now you can set up a new Enterprise Subordinate CA using the custom template that defines an extended validity for the SubCA certificate.
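Both CAPolicy.inf variants on this page (the root CA renewal settings in the Root CA section and the [RequestAttributes] section just shown) are small but unforgiving: the file has to sit in %SystemRoot%, and the number and the unit word have to land in RenewalValidityPeriodUnits and RenewalValidityPeriod respectively, which is exactly the mistake people make when typing it by hand. The PowerShell below is an added example, not a script from the original post, that generates the file for either case and refuses a half-specified renewal pair. The template name 'CustomSubordinateCA' is a hypothetical placeholder for the common name of the duplicated template; writing the file as plain ASCII is an assumption chosen to avoid a Unicode byte-order mark in front of [Version].

```powershell
# Added example (not from the original post): build a CAPolicy.inf in
# %SystemRoot% for either a root CA (renewal settings) or an Enterprise
# subordinate CA (custom template name), rejecting a swapped or incomplete
# RenewalValidityPeriod (unit word) / RenewalValidityPeriodUnits (number) pair.

function New-CAPolicyInf {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Root CA renewal settings; omit on a subordinate CA, where the issuer decides validity.
        [ValidateRange(1, 100)][int]$RenewalValidityPeriodUnits,
        [ValidateSet('Years','Months','Weeks','Days')][string]$RenewalValidityPeriod,
        [ValidateSet(2048, 3072, 4096)][int]$RenewalKeyLength,
        # Enterprise subordinate CA: common name of the duplicated template (hypothetical value below).
        [string]$CertificateTemplate,
        [string]$Path = (Join-Path $env:SystemRoot 'CAPolicy.inf')
    )

    # Units without a period (or vice versa) is the classic typo; fail early instead of
    # letting certsrv ignore the section at renewal time.
    if ([bool]$RenewalValidityPeriodUnits -ne [bool]$RenewalValidityPeriod) {
        throw 'RenewalValidityPeriodUnits (number) and RenewalValidityPeriod (unit word) must be given together.'
    }

    $lines = @('[Version]', 'Signature = "$Windows NT$"', '')

    $server = @()
    if ($RenewalValidityPeriodUnits) {
        $server += "RenewalValidityPeriodUnits = $RenewalValidityPeriodUnits"
        $server += "RenewalValidityPeriod = $RenewalValidityPeriod"
    }
    if ($RenewalKeyLength) { $server += "RenewalKeyLength = $RenewalKeyLength" }
    if ($server) { $lines += '[certsrv_server]'; $lines += $server; $lines += '' }

    if ($CertificateTemplate) {
        $lines += '[RequestAttributes]'
        $lines += "CertificateTemplate = `"$CertificateTemplate`""
        $lines += ''
    }

    if ($PSCmdlet.ShouldProcess($Path, 'Write CAPolicy.inf')) {
        # Assumption: plain ASCII keeps the INF parser from seeing a BOM before [Version].
        Set-Content -Path $Path -Value $lines -Encoding Ascii
    }
    return ($lines -join "`r`n")
}

# Root CA: renew for 10 years with a 2048-bit key (drop -WhatIf to actually write the file).
New-CAPolicyInf -RenewalValidityPeriodUnits 10 -RenewalValidityPeriod Years -RenewalKeyLength 2048 -WhatIf

# Enterprise subordinate CA: point the setup wizard at the duplicated template (hypothetical name).
New-CAPolicyInf -CertificateTemplate 'CustomSubordinateCA' -WhatIf
```

Run it on the CA itself before the renewal or the subordinate installation; -WhatIf prints the resulting file content without touching %SystemRoot%, which is a convenient way to review the section names against the CAPolicy.inf Syntax article linked above.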

For more details about CA certificate renewal read: Root CA certificate renewal


Comments:

Dmitry

Thank you for a great job!

m0dest0

Hi, do you think I could edit the Validity attribute programmatically using PowerShell or C#? My CA server runs on Windows 2008 R2. Thanks.

Vadims Podans

Yes, you can, however it is not that easy. Instead, I would recommend using the certutil.exe tool to change these settings.

Byron Carlson

What if you need to shorten the root cert from 5 years to 39 months to meet the new security standards? How is this performed? I have a ticket open with Microsoft and the guy isn't clear how to do this. He tried the steps in this article, changing the capolicy.inf to the following and renewing. Unfortunately the validity date is still 5 years:

[Version]
Signature= "$Windows NT$"

[certsrv_server]
RenewalValidityPeriod=3
RenewalValidityPeriodUnits=Years
RenewalKeyLength = 2048

Please help.

Vadims Podāns

The syntax of CAPolicy.inf is incorrect. The correct one is:

[Version]
Signature= "$Windows NT$"

[certsrv_server]
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=3
RenewalKeyLength = 2048

Years back (in the Windows 2000 beta) Microsoft made a mistake with "Period" and "PeriodUnits", so the units are placed in "Period" and the integer value is placed under "PeriodUnits".

Byron Carlson

Can you REDUCE the validity from 5 years to 3 years? Or can you only INCREASE it?

I'm working with Microsoft Support and they say you cannot reduce the validity date. Your input is greatly appreciated. Thanks.

Vadims Podāns

Yes, you can reduce validity period from 5 to 3 years. I don't see what the problem you have.

Joe Adams

I have a RootCA that has a validity of 10 years using the CAPolicy.inf when renewing.  The SubCA I have 5 years validity using CAPolicy.inf as well.

However, when I renew the SubCA the validity is 10 years the same as the RootCA.

How is this possible?

Vadims Podāns

It is because the RenewalValidityPeriod setting in the CAPolicy.inf is ignored for subordinate CAs. Subordinate CA validity is controlled by the parent CA (issuer).

Neeraj Mehta

Hi Vadims,

Have one query regarding the CAPOLICY.inf file.

Could you please suggest: if we are going to modify the capolicy.inf file in order to change the CA validity on our root CA, will it require a reboot of the server?

Or does any service need to be restarted? Or is there any impact on CA services?

And also, what would be the steps required to do that?

Thanks in advance.

SandeepT

Hello Vadims,

Hope you are doing well!

I need your intervention to get the best way to complete the below tasks in my platform.

1) While adding LDAP as an Authentication Source at endpoint applications, it imports the thumbprint from the LDAP (AD) server. However, it shows "Expires 2 years ago".

2) I also want to configure LDAPS. My certificate services are installed on different servers.

Please share the blog / steps I have to follow to complete the above two tasks successfully.

Thanks in advance,

SandeepT

Vadims Podāns

I strongly recommend to address your question on a forum, for example, Microsoft Q&A: https://docs.microsoft.com/en-us/answers/topics/windows-server-security.html

Arthur de Meij

Vadims,

Thank you for your excellent blog, you just saved me a lot of troubleshooting time. Keep up the good work!

Regards,

Arthur
