
Symptoms

If you renew a Server Licensor Certificate (SLC) for a Windows Rights Management Services (RMS) cluster, you may notice that the expiration date of the new SLC extends past the year 2032. Previously, SLCs issued by Microsoft for Windows Rights Management Services clusters had a duration of one year and had to be renewed every year.

Cause

Windows Rights Management Services clusters that are based on Windows Server 2003 or Windows Server 2003 R2 use a root certificate (also called a Server Licensor Certificate or SLC) that is issued by a service hosted by Microsoft. Originally, these certificates were issued with a one-year lifespan, which means that they had to be renewed every year for the RMS cluster to continue working.

The Windows Server 2003 support lifecycle is set to expire in July 2015, so Microsoft changed the lifetime of SLCs that are issued for Windows Rights Management Services to 7150 days. This change was made to allow Windows Rights Management Services servers and clusters to continue to work after the service that is used to issue SLCs is decommissioned after the end of support of Windows Server 2003. 

This change doesn’t affect the supportability status of Windows Rights Management Services clusters running on the Windows Server 2003 platform. Customers using Windows RMS clusters based on Windows Server 2003 are advised to upgrade to Active Directory Rights Management Services (AD RMS) or to Microsoft Azure Information Protection (previously called Azure Rights Management) before Windows Server 2003 supportability ends.

Active Directory Rights Management Services clusters running on Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 are not affected by this change. AD RMS clusters running on these platforms use an SLC that has a lifespan of 256 years and it does not require provisioning or renewal by Microsoft. 

Resolution

If you have already received a new SLC with a duration of 7150 days, you do not need to take action. This certificate is valid and it should not need to be renewed again.

If you haven’t yet received an SLC with a duration of 7150 days, you should renew it as soon as possible, even if the present certificate is within its valid lifespan. This will enable your server to operate independently from the Microsoft-hosted enrollment service, and it will avoid any certificate expiration issues in your existing certificate chains.

To renew your certificate for Windows RMS, please see "To Renew a Server Licensor Certificate" on Microsoft TechNet.

More Information

With this change, Microsoft also renewed intermediate certificates in the certificate chain so they don’t expire in the short term, which allows Windows Rights Management Services clusters to continue to operate until the end of the product’s supportability lifecycle.

For more information about the supportability lifecycle of Windows Server 2003, please see Microsoft Support Lifecycle.

Warning: This update allows your Windows Rights Management Services to continue functioning until the end of the Windows Server 2003 support lifecycle. However, the RSA key in certificates used in Windows Server 2003 is limited to 1,024 bits. According to the National Institute of Standards and Technology (NIST) and RSA, this key length is no longer recommended. Currently, keys of at least 2,048 bits are recommended. RSA keys of 2,048 bits are supported in AD RMS running on Windows Server 2008 R2 or Windows Server 2012, in addition to Azure Information Protection.

For additional information on RSA key length recommendations, see "TWIRL and RSA Key Size".
