Article ID: 242276
This article was previously published under Q242276
This article has been archived. It is offered "as is" and will no longer be updated.
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 (http://support.microsoft.com/kb/256986/EN-US/) Description of the Microsoft Windows Registry
When you attempt to configure Exchange Server 5.5 Key Management server (KM server) to use X.509v3 certificates, you can use a subordinate certification authority (CA). However, when you change from X.509v1 to X.509v3, you may receive the following error message:
The hierarchy of the MS Certificate Servers for your KM server is invalid.
This issue can occur if you try to use a subordinate CA that cannot issue certificates to the KM server that are valid for at least two years.
To resolve this issue, change the certificate expiration date on the Microsoft Windows 2000 Server CA that issues certificates to the KM server. To change the certificate expiration date on the CA, modify the registry values on the Windows 2000 Server CA.
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To change the certificate expiration date:
The following event may also be logged in the Application event log:
Description: "KMS Admin domain\account failed to set the CertServer configuration"
Article ID: 242276 - Last Review: October 22, 2013 - Revision: 3.3