Question on chnaging the expiration date of certificates

[Guest]

Hi ,
I was trying to change the default expiration date of certificates from 1
year to a different value on a standlone Sub-ordinate CA server.
I used the information from the Microsoft article Q254632.

When I initiallythe installed the Standalone sub-ordinate CA server , the
validity dates were determined by the parent CA ( Set to 1 year )
( Standalone RootCA , validity set to 10 years ).

But I would like to change it to 8 years from the default setting of 1 year.

After following the suggestion in the document Q254632 , the user certs and
the CA cert still has the same validity of 1 year . The CA service was
started and stopped and the system was alos started .

Any idea of what could be wrong.

Kavi

 

[Miha Pihler [MVP]]

Hi,

If I understand you correctly, your Standalone RootCA is valid for 10 years
and you have one Standalone Subordinate CA that is valid for 1 year.

In this case, your subordinate CA will only be able to issue certificates
valid for maximum 1 year since its own certificate is valid for that period
of time. You can't issue certificates with longer date of validity then its
issuing CA certificate.

What you need to do is change the validity period on your RootCA to value
that you desire (e.g. 8 years) and then re-issue certificate for your
Subordinate CA. Once this is done and you change validity period on your
Subordinate CA you should be able to issue certificates on your subordinate
CA for your users with validity period that is longer then 1 year.

Once the certificate is issued, you can't change its validity time. If you
would edit the certificate it would become invalid (digital signature would
not match).

I hope this helps.