How to change CA certificate validity period

Today I want to discuss a common question about CA certificate validity and how it can be changed.

Issue background

A little background. When you install a Windows Certification Authority, the default CA certificate validity is 5 years. That is a fairly long period, and many administrators (especially those not yet experienced with certificate services) keep the default. Some time later it turns out that 5 years is too short for a CA certificate, and they start looking for a way to extend it.

Another scenario: you have an Enterprise Root CA and want to deploy a new subordinate CA. Because Enterprise CAs issue from certificate templates, the default 'Subordinate Certification Authority' template is used, and it also defines a 5-year validity period. Since that template is version 1, nothing in it can be changed except the security permissions. You could duplicate the default template and create a new one for subordinate CAs, but on its own that does not help: the Enterprise Subordinate CA installation wizard hard-codes the template name, so the custom template would not be used. Epic fail!

However, it is not as bad as it looks. The following information will help you define CA certificate validity both during initial installation and at CA certificate renewal.

Root CA

Root CA certificate validity is chosen interactively only during AD CS role installation; afterwards it can be changed only by renewing the CA certificate. If your root CA certificate is valid for 5 years (the default) and you want a longer period, create (or edit the existing) CAPolicy.inf file and place it in the system root folder (C:\Windows by default). CAPolicy.inf must contain at least the following:

[Version]
Signature = "$Windows NT$"

[certsrv_server]
RenewalValidityPeriodUnits = 10
RenewalValidityPeriod = years

The setting is self-explanatory and, as its name shows, is used only during root CA certificate renewal. Even if you define this value in CAPolicy.inf before installing the AD CS role, you still have to specify the initial CA certificate validity in the installation wizard. Note the unusual naming: the unit (years, months, weeks or days) goes into RenewalValidityPeriod and the number goes into RenewalValidityPeriodUnits; getting these backwards is a frequent mistake with this file. Also, many administrators use long keys (4096 bits or longer) for higher security, but long keys are not supported by every application, so it is sometimes necessary to reduce the key length at renewal. To do so, add this entry to the [certsrv_server] section:

RenewalKeyLength = 2048

Again, this setting is honoured only when the CA certificate is renewed with a new key pair; if you renew and reuse the existing keys it is ignored. 2048-bit keys are the usual recommendation for CAs as the compromise between compatibility and security. For more details read: CAPolicy.inf Syntax. In fact, you can redefine almost any CA certificate value in CAPolicy.inf, with the following exceptions:

  • CA certificate subject;
  • Cryptographic Service Provider (CSP) used for key generation.

These two can be changed only by reinstalling the AD CS role.
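As an added example (not part of the original article), here is a small PowerShell helper that writes a CAPolicy.inf for root CA renewal with the field names the right way round, and checks an existing file for the swapped Period/PeriodUnits mistake before you renew. The function names and the checks in Test-CAPolicyInf are my own; it assumes PowerShell 5.1 or later, run elevated on the root CA host, and that certsrv reads the file from $env:SystemRoot.

```powershell
# Added example, not from the original article. Assumptions: PowerShell 5.1+,
# run elevated on the root CA; certsrv reads CAPolicy.inf from %SystemRoot%.

function New-CAPolicyInf {
    <# Writes a CAPolicy.inf that sets root CA renewal validity and key length.
       AD CS names these fields backwards: the *unit* goes into RenewalValidityPeriod
       and the *number* into RenewalValidityPeriodUnits. #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateRange(1, 50)][int]$RenewalValidityYears,
        [ValidateSet(2048, 3072, 4096)][int]$RenewalKeyLength = 2048,
        [string]$Path = (Join-Path $env:SystemRoot 'CAPolicy.inf')
    )
    $content = @"
[Version]
Signature = "`$Windows NT`$"

[certsrv_server]
RenewalValidityPeriodUnits = $RenewalValidityYears
RenewalValidityPeriod = Years
RenewalKeyLength = $RenewalKeyLength
"@
    if ($PSCmdlet.ShouldProcess($Path, 'Write CAPolicy.inf')) {
        # certsrv parses the file as plain text; write ASCII so no UTF-8 BOM sneaks in.
        Set-Content -Path $Path -Value $content -Encoding Ascii
    }
    return $content
}

function Test-CAPolicyInf {
    <# Parses a CAPolicy.inf and returns a list of problems (empty when the file is sane). #>
    param([string]$Path = (Join-Path $env:SystemRoot 'CAPolicy.inf'))

    $section  = ''
    $settings = @{}
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLowerInvariant(); continue }
        if ($line -match '^([^=]+?)\s*=\s*(.*)$') {
            $key = $Matches[1].Trim().ToLowerInvariant()
            $settings["$section\$key"] = $Matches[2].Trim().Trim('"')
        }
    }

    $problems   = @()
    $validUnits = 'years', 'months', 'weeks', 'days'
    if ($settings['version\signature'] -ne '$Windows NT$') {
        $problems += '[Version] Signature = "$Windows NT$" is missing; certsrv ignores the file without it'
    }
    $period = $settings['certsrv_server\renewalvalidityperiod']
    $units  = $settings['certsrv_server\renewalvalidityperiodunits']
    if ($period -match '^\d+$' -and $units -in $validUnits) {
        # The classic mistake: number and unit reversed, e.g. RenewalValidityPeriod=3 / ...Units=Years
        $problems += 'RenewalValidityPeriod and RenewalValidityPeriodUnits are swapped (number and unit reversed)'
    } else {
        if ($period -and $period -notin $validUnits) {
            $problems += "RenewalValidityPeriod must be one of Years/Months/Weeks/Days, got '$period'"
        }
        if ($units -and $units -notmatch '^\d+$') {
            $problems += "RenewalValidityPeriodUnits must be a whole number, got '$units'"
        }
    }
    $keyLength = $settings['certsrv_server\renewalkeylength']
    if ($keyLength -and ($keyLength -notmatch '^\d+$' -or [int]$keyLength -lt 2048)) {
        $problems += "RenewalKeyLength '$keyLength' is not a number or is below 2048"
    }
    return $problems
}

# Usage on the root CA before renewal (-WhatIf previews without writing the file):
#   New-CAPolicyInf -RenewalValidityYears 10 -RenewalKeyLength 2048 -WhatIf
#   New-CAPolicyInf -RenewalValidityYears 10
#   Test-CAPolicyInf          # no output = no problems found
# Then renew the CA certificate, e.g.  certutil -renewCert  (add ReuseKeys to keep the
# existing key pair, in which case RenewalKeyLength is ignored, as the article notes).
```

Run Test-CAPolicyInf against any hand-edited file before renewing: certsrv does not complain about a swapped number and unit, it simply falls back to the old validity, which is exactly the symptom reported in the comments below.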

Subordinate CA

A slightly different process applies to non-root CAs (subordinate or intermediate). During subordinate CA installation you are not prompted for the CA certificate validity, and the renewal validity settings described above have no effect during subordinate CA certificate renewal. This is because the validity of a subordinate CA certificate is determined by its issuer (the Policy CA or Root CA). The general rule for the validity of any issued certificate is that it equals the least of:

  • the remaining validity of the issuing CA's own certificate;
  • the ValidityPeriod and ValidityPeriodUnits settings in the issuing CA configuration (see below);
  • the validity defined in the certificate template (only where a template is used, i.e. on Enterprise CAs).

Use the following steps to configure subordinate CA certificate validity, depending on the issuer type.

Issuer is Standalone CA

If your Root/Policy CA is a Standalone CA, the subordinate CA certificate will be valid for only 1 year by default, because a standalone CA has no templates and issues every certificate with the validity set in its ValidityPeriod/ValidityPeriodUnits registry values. To fix this, configure the root CA accordingly. The following commands set the validity of all certificates issued by that CA:

certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod Years
net stop certsvc && net start certsvc

Consider adding these lines to the CA post-installation script. Once this setting is applied the CA will issue certificates for 10 years; the actual validity still cannot exceed the remaining lifetime of the CA's own certificate, so it may be shorter. Note that the same inverted naming applies here: ValidityPeriod holds the unit and ValidityPeriodUnits holds the number.

Issuer is Enterprise CA

Although deploying Enterprise CAs in two or more tiers is not recommended, such configurations exist. As stated above, an Enterprise CA always uses template information to determine issued certificate validity. The default 'Subordinate Certification Authority' template sets subordinate CA certificate validity to 5 years, which is not enough for many PKI designs. The only way to change it is to duplicate the version 1 'Subordinate Certification Authority' template into a custom version 2 or 3 template with the required validity. Do not forget to add this template to the issuer's list of templates to issue. In addition, set the validity limits in the issuer configuration, since the registry values cap whatever the template asks for:

certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod Years
net stop certsvc && net start certsvc

Because the Enterprise Subordinate CA installation wizard hard-codes the default template name, you also need to create (or edit the existing) CAPolicy.inf on the subordinate CA and add a CertificateTemplate line in the [RequestAttributes] section:

[Version]
Signature = "$Windows NT$"

[RequestAttributes]
CertificateTemplate = "CustomTemplateCommonName"

This setting makes the subordinate CA's request use the custom template instead of the default one. Now you can set up a new Enterprise Subordinate CA with a custom template that defines extended validity for the SubCA certificate.
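As an added example covering the "least of" rule and both issuer types above (not code from the original article), here is a PowerShell helper that predicts the validity a parent CA will actually put on a subordinate CA certificate, reads the current issuer-side cap from the CertSvc registry configuration, and applies the certutil -setreg change with the service restart. The function names are my own; it assumes it is run elevated on the issuing (parent) CA with certutil.exe on the PATH, and the registry path and value names are the standard CertSvc configuration keys.

```powershell
# Added example, not from the original article. Run elevated on the issuing (parent)
# CA; certutil.exe must be on PATH. Registry location and value names are the
# standard CertSvc configuration keys.

function Get-EffectiveValidity {
    <# Applies the "least of" rule: the subordinate CA certificate ends at the earliest of
       the issuer's own expiry, the CA\ValidityPeriod registry cap, and the template value. #>
    param(
        [Parameter(Mandatory)][datetime]$IssuerNotAfter,          # parent CA's own certificate expiry
        [Parameter(Mandatory)][int]$RegistryUnits,                 # CA\ValidityPeriodUnits on the parent
        [ValidateSet('Years','Months','Weeks','Days')][string]$RegistryPeriod = 'Years',
        [int]$TemplateYears = 0,                                    # 0 = standalone issuer, no template
        [datetime]$Now = (Get-Date)
    )
    $fromRegistry = switch ($RegistryPeriod) {
        'Years'  { $Now.AddYears($RegistryUnits) }
        'Months' { $Now.AddMonths($RegistryUnits) }
        'Weeks'  { $Now.AddDays(7 * $RegistryUnits) }
        'Days'   { $Now.AddDays($RegistryUnits) }
    }
    $candidates = @(
        [pscustomobject]@{ LimitedBy = 'issuer certificate remaining lifetime'; NotAfter = $IssuerNotAfter }
        [pscustomobject]@{ LimitedBy = 'CA\ValidityPeriod registry setting';    NotAfter = $fromRegistry }
    )
    if ($TemplateYears -gt 0) {
        $candidates += [pscustomobject]@{ LimitedBy = 'certificate template'; NotAfter = $Now.AddYears($TemplateYears) }
    }
    return $candidates | Sort-Object NotAfter | Select-Object -First 1
}

function Get-CAValidityPeriod {
    <# Reads the issuer-side cap that certutil -setreg CA\ValidityPeriod writes. #>
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base -Name Active).Active
    $cfg    = Get-ItemProperty -Path (Join-Path $base $caName)
    [pscustomobject]@{ CAName = $caName; Units = $cfg.ValidityPeriodUnits; Period = $cfg.ValidityPeriod }
}

function Set-CAValidityPeriod {
    <# Same as the two certutil lines in the article plus the service restart,
       with the number and unit kept in the right (inverted) registry values. #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateRange(1, 50)][int]$Units,
        [ValidateSet('Years','Months','Weeks','Days')][string]$Period = 'Years'
    )
    if ($PSCmdlet.ShouldProcess('CertSvc configuration', "ValidityPeriod = $Units $Period")) {
        & certutil.exe -setreg 'CA\ValidityPeriodUnits' $Units | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -setreg CA\ValidityPeriodUnits failed ($LASTEXITCODE)" }
        & certutil.exe -setreg 'CA\ValidityPeriod' $Period | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -setreg CA\ValidityPeriod failed ($LASTEXITCODE)" }
        Restart-Service -Name CertSvc     # the CA reads these values at service start
    }
}

# Worked cases with constructed inputs (an issuer certificate that expires in 8 years):
#   Standalone root with the default 1-year registry cap -> subordinate gets 1 year.
Get-EffectiveValidity -IssuerNotAfter (Get-Date).AddYears(8) -RegistryUnits 1
#   Same root after Set-CAValidityPeriod -Units 10 -> 8 years, limited by the root's own certificate.
Get-EffectiveValidity -IssuerNotAfter (Get-Date).AddYears(8) -RegistryUnits 10
#   Enterprise root with a 10-year cap but the default 5-year SubCA template -> 5 years.
Get-EffectiveValidity -IssuerNotAfter (Get-Date).AddYears(8) -RegistryUnits 10 -TemplateYears 5
```

The LimitedBy field tells you which of the three inputs to change: if it names the issuer certificate, no registry or template edit will help and the parent CA itself has to be renewed first.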

For more details about CA certificate renewal, read: Root CA certificate renewal

Comments:

Dmitry 17.02.2013 15:15 (GMT+2)

Thank you for a great job!

m0dest0 04.11.2015 06:45 (GMT+2)

Hi, do you think I could edit the Validity attribute programmatically using PowerShell or C#? My CA server runs on Windows 2008 R2. Thanks.

Vadims Podans 04.11.2015 21:30 (GMT+2)

Yes, you can, however it is not that easy. Instead, I would recommend using the certutil.exe tool to change these settings.

Byron Carlson 18.08.2016 06:34 (GMT+2)

What if you need to shorten the root cert from 5 years to 39 months to meet the new security standards? How is this performed?? I have a ticket open with Microsoft and the guy isn't clear how to do this. He tried the steps in this article, changing the CAPolicy.inf to the following and renewing.. unfortunately the validity date is still 5 years:

[Version]
Signature= "$Windows NT$"

[certsrv_server]
RenewalValidityPeriod=3
RenewalValidityPeriodUnits=Years
RenewalKeyLength = 2048

Please help.


Vadims Podāns 18.08.2016 22:55 (GMT+2)

The syntax of CAPolicy.inf is incorrect. The correct one is:

[Version]
Signature= "$Windows NT$"

[certsrv_server]
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=3
RenewalKeyLength = 2048

Years back (in the Windows 2000 beta) Microsoft made a mistake in "Period" and "PeriodUnits", so the unit is placed in "Period" and the integral value is placed under "PeriodUnits".

Byron Carlson 19.08.2016 00:28 (GMT+2)

Can you REDUCE the validity from 5 years to 3 years? Or can you only INCREASE it?

Byron Carlson 19.08.2016 18:41 (GMT+2)

Can you REDUCE the validity from 5 years to 3 years? Or can you only INCREASE it?

I'm working with Microsoft Support and they say you cannot reduce the validity date. Your input is greatly appreciated. Thanks.

Vadims Podāns 24.08.2016 22:15 (GMT+2)

Yes, you can reduce the validity period from 5 to 3 years. I don't see what problem you have.

Joe Adams 11.09.2016 09:16 (GMT+2)

I have a RootCA that has a validity of 10 years using the CAPolicy.inf when renewing. The SubCA has 5 years validity using CAPolicy.inf as well.

However, when I renew the SubCA the validity is 10 years, the same as the RootCA.

How is this possible?

Vadims Podāns 11.09.2016 11:37 (GMT+2)

It is because the RenewalValidityPeriod setting in CAPolicy.inf is ignored for subordinate CAs. Subordinate CA validity is controlled by the parent CA (issuer).

Neeraj Mehta 10.11.2017 06:00 (GMT+2)

Hi Vadims,

I have one query regarding the CAPolicy.inf file.

Could you please suggest: if we are going to modify the CAPolicy.inf file in order to change the CA validity on our root CA, will it require a reboot of the server?

Or does any service need to be restarted? Or is there any impact on CA services?

And also, what would be the steps required to do that?

Thanks in advance.

