Article ID: 254632
This article was previously published under Q254632
This article describes how to change the validity period of a certificate that is issued by a Windows Server 2003 or a Windows 2000 Server Certificate Authority (CA).
By default, the lifetime of a certificate that is issued by a Stand-alone Certificate Authority (CA) is one year. After one year, the certificate expires and is not trusted for use. There may be situations when you have to override the default expiration date for certificates that are issued by an intermediate or an issuing CA.
The validity period that is defined in the registry affects all certificates that are issued by Stand-alone and Enterprise CAs. For Enterprise CAs, the default registry setting is two years. For Stand-alone CAs, the default registry setting is one year. For certificates that are issued by Stand-alone CAs, the validity period is determined by the registry entry that is described later in this article. This value applies to all certificates that are issued by the CA.
For certificates that are issued by Enterprise CAs, the validity period is defined in the template that is used to create the certificate. Windows 2000 and Windows Server 2003 Standard Edition do not support modification of these templates. Windows Server 2003 Enterprise Edition supports Version 2 certificate templates that can be modified. The validity period defined in the template applies to all certificates issued by any Enterprise CA in the Active Directory forest. A certificate that is issued by a CA is valid for the minimum of the following periods of time:
For an Enterprise CA, the validity period of an issued certificate is set to the minimum of all the following:
The expiration date of the CA certificate
A CA cannot issue a certificate with a longer validity period than its own CA certificate.
For more information about certificate templates, see the "Implementing and Administering Certificate Templates in Windows Server 2003" white paper. To do this, visit the following Web site:
http://technet2.microsoft.com/WindowsServer/en/library/c25f57b0-5459-4c17-bb3f-2f657bd23f781033.mspx?mfr=true
Note The Request Attribute name is made up of value string pairs that accompany the request and that specify the validity period. By default, this is enabled by a registry setting on a Standalone CA only.
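Added example (not part of the original article): a Python illustration of the minimum rule described above. It takes the registry validity period, the template validity period (Enterprise CA only), and the CA certificate's expiration date as the limits, and reports which one is binding. The function names, the calendar-style period arithmetic, and the sample dates are assumptions constructed for illustration.

```python
import calendar
from datetime import date, timedelta

def add_period(start, units, period):
    """Add a validity period to a date (calendar arithmetic is an assumption)."""
    if period == "days":
        return start + timedelta(days=units)
    if period == "weeks":
        return start + timedelta(weeks=units)
    if period not in ("months", "years"):
        raise ValueError(f"unknown period: {period}")
    months = units * 12 if period == "years" else units
    years_over, month_index = divmod(start.month - 1 + months, 12)
    year, month = start.year + years_over, month_index + 1
    # Clamp the day for shorter target months (e.g. Feb 29 -> Feb 28).
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)

def effective_expiry(issued, ca_not_after, registry, template=None):
    """Return (expiry_date, binding_limit) for a certificate issued on `issued`.

    registry and template are (units, period) tuples. Pass template=None for
    a Stand-alone CA, where only the registry setting and the CA certificate
    limit the lifetime.
    """
    if issued > ca_not_after:
        raise ValueError("CA certificate has already expired")
    limits = {
        "registry": add_period(issued, *registry),
        "ca_certificate": ca_not_after,
    }
    if template is not None:
        limits["template"] = add_period(issued, *template)
    binding = min(limits, key=limits.get)  # earliest date wins
    return limits[binding], binding

if __name__ == "__main__":
    issued = date(2009, 9, 18)  # constructed sample dates
    # Stand-alone CA, default one-year registry setting.
    print(effective_expiry(issued, date(2012, 1, 1), (1, "years")))
    # Registry raised to five years, but the CA certificate expires first.
    print(effective_expiry(issued, date(2012, 1, 1), (5, "years")))
    # Enterprise CA: five-year template capped by the two-year registry default.
    print(effective_expiry(issued, date(2020, 1, 1), (2, "years"), (5, "years")))
```

When the binding limit is `ca_certificate`, raising the registry or template value has no effect until the CA certificate itself is renewed.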
To Change the Expiration Date of Certificates That Are Issued by a Windows Server 2003 or a Windows 2000 Server Certificate Authority
To change the validity period settings for a CA, follow these steps.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows
For more information about Certificate Services in Windows Server 2003, see the Public Key Infrastructure topic in the "Security" section of the Windows Server 2003 product documentation. To view the Windows Server 2003 product documentation, visit the following Microsoft Web site:
Article ID: 254632 - Last Review: September 18, 2009 - Revision: 10.0