As soon as you have set up the Microsoft Certification Authority it starts issuing certificates with a 1 year validity, which is fine in most cases. But sometimes it doesn't fit the need: one case is being too lazy to renew, another is granting temporary access with a certificate that should expire by itself.

Well, the good news is that it is doable; the bad news is that there are two different flavours of the Microsoft CA (strange, huh?): one runs inside Active Directory and is called an Enterprise CA, the other is a Standalone CA. Being lucky as I am, I don't have access to an Enterprise setup, which is what 90% of the TechNet articles popping up in Google talk about; there the validity is defined in certificate templates stored in AD (is there anything I can't store in an LDAP?) with all the bells and whistles.

So this is how to do it on the Standalone CA. The validity period lives in two registry values under the CA's configuration key (HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>), and the easiest way to change them is the certutil command line utility. You can edit them with regedit or apply a registry patch just as well; I've opted for certutil.

There are two values to change, the unit of measure and the amount. The naming is a bit backwards (or my English is to blame): the unit goes into the ValidityPeriod value and the number of units into the ValidityPeriodUnits value. First the unit:

certutil -setreg CA\ValidityPeriod "Months"

I've tried with "Years", "Months" and "Days"; all were accepted and worked as expected.
And then how many units:

certutil -setreg CA\ValidityPeriodUnits 3

After that you have to restart the CA service (CertSvc), because the CA only reads these values at start-up. Then issue what you need, change back to your usual values and restart again. One caveat: the CA never issues a certificate that outlives its own CA certificate, so raising the validity beyond the CA certificate's expiry date has no effect; the issued certificate is silently truncated to that date.
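The whole procedure as a PowerShell script, added here as an example and not part of the original post. It reads the current values straight from the registry so they can be restored afterwards, uses certutil to change them as above, restarts CertSvc, and checks the result on the issued certificate. It assumes an elevated PowerShell session on the CA host, certutil.exe on the PATH, the default service name CertSvc, and a request file named temp-access.req (the file name and the 30-day value are assumptions for the illustration).

```powershell
# Added example (not from the original post): temporarily change the default
# validity of a standalone Microsoft CA, issue a request, then restore the
# original values. Assumes an elevated session on the CA host, certutil.exe on
# the PATH and the default service name CertSvc.

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
# The "Active" value under the configuration key names the CA instance.
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active

function Get-CaValidity {
    # ValidityPeriod holds the unit of measure, ValidityPeriodUnits the count.
    $p = Get-ItemProperty -Path "$configKey\$caName"
    [pscustomobject]@{ Period = $p.ValidityPeriod; Units = [int]$p.ValidityPeriodUnits }
}

function Set-CaValidity {
    param(
        # The unit names certutil accepts for CA\ValidityPeriod.
        [Parameter(Mandatory)][ValidateSet('Hours','Days','Weeks','Months','Years')]
        [string] $Period,
        [Parameter(Mandatory)][ValidateRange(1, 1000000)]
        [int] $Units
    )
    certutil -setreg 'CA\ValidityPeriod' $Period | Out-Null
    certutil -setreg 'CA\ValidityPeriodUnits' $Units | Out-Null
    # The CA reads these values at start-up only, so a restart is required.
    Restart-Service -Name CertSvc
    Get-CaValidity
}

# 1. Remember the usual values so they can be put back afterwards.
$original = Get-CaValidity
Write-Host "Current default validity: $($original.Units) $($original.Period)"

# 2. Switch to a short-lived default, here 30 days for a temporary access cert.
$temporary = Set-CaValidity -Period Days -Units 30
Write-Host "Temporary default validity: $($temporary.Units) $($temporary.Period)"

# 3. Submit the request (file name is an assumption). On a standalone CA the
#    request stays pending until approved in the CA console unless the policy
#    module is set to auto-issue, so the .cer may only appear after approval.
certreq -submit -config "$env:COMPUTERNAME\$caName" .\temp-access.req .\temp-access.cer

# 4. Check the lifetime the CA actually put into the certificate. If it is
#    shorter than requested, the CA certificate's own expiry date capped it.
if (Test-Path .\temp-access.cer) {
    certutil -dump .\temp-access.cer | Select-String 'NotBefore|NotAfter'
}

# 5. Restore the usual values and restart once more.
$restored = Set-CaValidity -Period $original.Period -Units $original.Units
Write-Host "Restored default validity: $($restored.Units) $($restored.Period)"
```

On an Enterprise CA the validity comes from the certificate template instead, but the same two registry values still act as a ceiling: a template asking for longer than ValidityPeriodUnits × ValidityPeriod gets truncated, which is worth knowing when a template "mysteriously" issues shorter certificates than configured.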
