CA Issue

Scott25

My main certificate was set to expire on September 10,
2004. I renewed the certificate with the same private
key, and it is now set to expire on Sep 1, 2006
(basically 2 years from today). This seemed to work
correctly. When I now issue a new certificate to a smart
card for VPN purposes, it gives the certificate an
expiration date of Sep 1, 2005 (A year before the base
certificate is set to expire).

I don't want to have to renew all the company's VPN keys
in a year. How can I set the expiration date to the same
as the root cert?
 
Scott25

Thanks for the article. I followed it and discovered
that everything in my registry was already set correctly.

My root certificate is correctly being issued with a 2
year expiration date.

My problem is that all the certificates that I issue to
my VPN keys that are based on that root certificate have
an expiration date of only 1 year. I don't understand
why these would have a different expiration date.

Any other thoughts? Thanks for all your help.
 
Paul Adare - MVP - Microsoft Virtual PC

microsoft.public.win2000.security news group, Scott25
Thanks for the article. I followed it and discovered
that everything in my registry was already set correctly.

My root certificate is correctly being issued with a 2
year expiration date.

My problem is that all the certificates that I issue to
my VPN keys that are based on that root certificate have
an expiration date of only 1 year. I don't understand
why these would have a different expiration date.

Any other thoughts? Thanks for all your help.

As per the article, there are 3 factors that affect how long a
certificate is valid for. Which template are you using for your
certificate? Have you looked at the properties of that template to see
its validity period? I'll bet it is set for 1 year. Also, what operating
system is your CA installed on?
 
Miha Pihler

I think you are looking at the wrong values:

Under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>

Set these values like this:

REG_SZ ValidityPeriod Years
REG_DWORD ValidityPeriodUnits 2

(default value for REG_DWORD ValidityPeriodUnits is 1)

Again, check the posted article! Also check Paul's post!

Mike
 
Guest

I just double-checked to make sure I was looking at the
right values and those are the exact values I have. Under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\"Certificate Name"

I have
Validity Period REG_SZ Years
Validity Period Units REG_DWORD 2

Thanks for all your help, but I am still not sure what I
am doing wrong.
 
Miha Pihler

How do you have this CA set up? Is this an Enterprise Root CA or Standalone
Root CA?

Mike
 
Miha Pihler

It looks, as Paul suggested, that this 1 year limit is set in the certificate
template. This is not a problem if you have a standalone CA setup.

Unfortunately on Windows 2000 you can't edit (customize) templates. You can
create customized templates on Windows 2003.

Mike
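
The situation discussed in this thread, as an added example that is not part of any poster's message: a small Python model of how the lowest limit decides an issued certificate's expiry. It assumes the three factors are the CA certificate's own expiry, the registry ValidityPeriod setting and the template validity period; the function names and the 1-year template value are assumptions.

```python
# Added example: models the "lowest limit wins" rule for an issued certificate's
# expiry. Function and field names are illustrative, not a Microsoft API.
import calendar
from datetime import datetime, timedelta

def add_period(start, unit, count):
    """Add a ValidityPeriod-style (unit, count) span to a datetime."""
    unit = unit.lower()
    if unit == "days":
        return start + timedelta(days=count)
    if unit == "weeks":
        return start + timedelta(weeks=count)
    if unit in ("months", "years"):
        months = count * (12 if unit == "years" else 1)
        idx = start.year * 12 + (start.month - 1) + months
        year, month = divmod(idx, 12)
        month += 1
        day = min(start.day, calendar.monthrange(year, month)[1])  # clamp Feb 29 etc.
        return start.replace(year=year, month=month, day=day)
    raise ValueError(f"unsupported ValidityPeriod unit: {unit!r}")

def effective_expiry(issued, ca_not_after, registry, template=None):
    """Return (NotAfter, limiting factor) for a certificate issued at `issued`.

    registry: (ValidityPeriod, ValidityPeriodUnits) from the CA's Configuration key
    template: (unit, count) from the template, or None on a standalone CA
    """
    limits = {
        "CA certificate expiry": ca_not_after,
        "registry ValidityPeriod": add_period(issued, *registry),
    }
    if template is not None:
        limits["template validity period"] = add_period(issued, *template)
    factor = min(limits, key=limits.get)  # earliest date is the binding limit
    return limits[factor], factor

# Constructed input mirroring the thread: CA renewed to Sep 1, 2006, registry set
# to 2 Years, and an assumed 1-year template (the thread never confirms the value).
ISSUED = datetime(2004, 9, 1)
CA_NOT_AFTER = datetime(2006, 9, 1)

if __name__ == "__main__":
    for tmpl in (("Years", 1), None):
        print(tmpl, effective_expiry(ISSUED, CA_NOT_AFTER, ("Years", 2), tmpl))
```

With the 1-year template the model reports the template as the limiting factor; without a template, the registry setting and the CA certificate's own expiry bound the result.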
 
Scott25

Ok, I may not be able to get around it then. However, I
know 2 years ago when they set this up, they issued VPN
certificates that had a 2 year expiration period.
Everyone who set this up is gone though, and we are not
sure how they did this. Thanks for all your help though.
 
Scott25

Not quite sure what you mean when you refer
to "Template." I am issuing certificates by going through
a web interface for Microsoft Certification Services. All
of the issued certificates show up under Certification
Authority, Under the Company Name, and then Issued
Certificates.
 
Scott25

SmartCard Logon

Sorry, I keep forgetting to put in my name and it shows
up as anonymous. Thanks for all your help so far.
 
Miha Pihler

Do you actually use Smart Cards to log on to the domain -- or just to store
certificates for VPN? What CSP do you use (CSP = Cryptographic Service
Provider)?

Mike
 
