I recently set up a non-domain-joined Root CA server and a domain-joined subordinate server for issuing certificates in my network. I configured the Root CA to have a lifespan of 10 years, but I made a mistake with the subordinate CA; it's set to expire after just one year because I forgot to create a configuration file that specifies the expiration. I thought it would inherit the expiration settings from the Root CA automatically. Now I have a situation where the certificate has been auto-enrolled and is already in the Trusted Root Cert Authority store across our machines. What's the best way to resolve this? Am I looking at having to completely reset both servers to fix this issue?
1 Answer
You can fix this without starting over! Use the commands `certutil -setreg CA\ValidityPeriod "Years"` and `certutil -setreg CA\ValidityPeriodUnits 5` on your subordinate CA. This will change the validity period to five years. After adjusting it, just renew the intermediate cert.
Is that command meant to be run on the subordinate server? That will set the validity period, right?
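The following is an added example, not part of the original answer or comment: a PowerShell session that records the current validity-period settings before changing them, applies the five-year setting from the answer, restarts the CA service so the new values take effect, and verifies the result. The `CA\ValidityPeriod` and `CA\ValidityPeriodUnits` registry values cap the lifetime of certificates issued by the CA on which they are set; the five-year value and the service restart sequence are assumptions made for this illustration.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# on the CA whose issued-certificate lifetime you want to change.
# The two registry values below cap the validity of certificates that this
# CA issues; the CA service only reads them at start-up.

# 1. Record the current values so the change can be reviewed or rolled back.
certutil -getreg CA\ValidityPeriod
certutil -getreg CA\ValidityPeriodUnits

# 2. Set the maximum validity to 5 years (assumed value for this example).
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\ValidityPeriodUnits 5

# 3. Restart Active Directory Certificate Services so the new values apply.
Restart-Service -Name CertSvc

# 4. Confirm the new values before renewing the certificate.
certutil -getreg CA\ValidityPeriod
certutil -getreg CA\ValidityPeriodUnits
```

One caveat worth checking before the renewal: a Windows CA never issues a certificate that outlives its own CA certificate, so the renewed subordinate certificate is also bounded by the remaining lifetime of the certificate that signs it. Comparing the `-getreg` output before and after the change gives an audit record of what was altered on the CA.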