I'm currently working on setting up a new Public Key Infrastructure (PKI) but I've run into an issue. My intermediate certificate is only valid for 1 year, and I'm not sure how to extend this duration. My root certificate is fine with a different validity period. I've tried using INF files and I know they need to be in place before installing the CA role. Has anyone else faced this problem or have any tips on how to resolve it?
2 Answers
Are you using Microsoft Certificate Services? If so, make sure you're using the Subordinate Certification Authority template. You can adjust the validity period to whatever you need; just remember that your intermediate cert can’t expire after your root cert does. Also, be sure to check that hidden setting under your CA's properties—look for 'follow the settings in the certificate template' in the policy module, as it might override your settings.
You can try running these commands on your Root CA: `certutil -setreg CA\ValidityPeriodUnits 10` and `certutil -setreg CA\ValidityPeriod "Years"`. This should change your intermediate cert's validity to 10 years. Just keep in mind that you'll need to create a new intermediate cert after changing this configuration.
Just to clarify, you mean I should run these commands on the Root CA, correct? And is this approach different from the config file I made on my Root?

Yes, I'm using MS Certificate Services. I thought I set this up correctly with an INF file on my enterprise intermediate CA, but it hasn’t worked. Just to confirm, is that hidden setting on the Root, the intermediate, or both? Thanks!
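The registry change suggested in the answers, written out as an added PowerShell example (not code from any poster in this thread): it sets the issuing limit on the Root CA, restarts the CA service, and then checks that a re-issued intermediate certificate got the longer lifetime without outliving the root. The two `.cer` paths and the `Test-SubCaValidity` helper are assumptions made for illustration.

```powershell
# Run in an elevated session on the Root CA (the CA that signs the intermediate).
# Assumed values: 10 years; both certificate paths are hypothetical placeholders.
$units   = 10
$period  = 'Years'
$rootCer = 'C:\pki\RootCA.cer'
$subCer  = 'C:\pki\IntermediateCA.cer'

# Show the current maximum validity this CA applies to certificates it issues.
certutil -getreg CA\ValidityPeriodUnits
certutil -getreg CA\ValidityPeriod

# Raise the limit, then restart the CA service so the new values are used.
certutil -setreg CA\ValidityPeriodUnits $units
certutil -setreg CA\ValidityPeriod $period
Restart-Service -Name CertSvc

# Existing certificates are not changed: the intermediate's request has to be
# submitted and issued again. Once the new certificate is exported, compare
# its lifetime with the root's.
function Test-SubCaValidity {
    param(
        [Parameter(Mandatory)] [string]$RootPath,
        [Parameter(Mandatory)] [string]$SubPath
    )
    $root = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RootPath)
    $sub  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($SubPath)
    [pscustomobject]@{
        RootNotAfter = $root.NotAfter
        SubNotAfter  = $sub.NotAfter
        # Approximate lifetime of the intermediate in years
        SubYears     = [math]::Round(($sub.NotAfter - $sub.NotBefore).TotalDays / 365.25, 1)
        # False means the intermediate would outlive the root
        WithinRoot   = $sub.NotAfter -le $root.NotAfter
    }
}

# Only run the check when both exported certificates are present.
if ((Test-Path $rootCer) -and (Test-Path $subCer)) {
    Test-SubCaValidity -RootPath $rootCer -SubPath $subCer
}
```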