I have set up a Microsoft Standalone CA on 2008 R2 as a root CA. I'm trying to setup a subordinate Enterprise CA. I generated the certificate request, and submitted it to the root CA. Then, I ran the following command to set the expiration date to 20 years (the request ID is 5):
certutil -setattributes 5 "ValidityPeriod:Years\nValidityPeriodUnits:20"
Then, I approved the request, but it failed. The Request Status Code is:
The specified time is invalid. 0x8007076d (WIN32: 1901)
The Request Disposition Message is:
Denied by Policy Module 0x8007076d, The requested validity period is invalid.
Confirm that the validity period or expiration data and time specified in the request
does not extend beyond the validity period of the CA certificate, the certificate
template, and the CA. The validity period of the CA can be verified by running the
following commands: certutil -getreg ca\validityPeriod
& certutil -getreg ca\ValidityPeriodUnits
The validity period of the CA certificate is 40 years (expires in 2052). The template condition doesn't apply since this is a standalone CA. The result of those commands is Years and 1, respectively.
It appears that I will need to change the CA's validityPeriod and validityPeriodUnits. But, I want to keep the default expiration for a request at 1 year. Is there a way to set a maximum and default expiration, or am I going to have to change it, issue the certificate, and then change it back?
According to Windows 2000 documentation:
All certificates that the stand-alone CA issues have the lifetime specified by the
values of the ValidityPeriod and ValidityPeriodUnits registry entries. Therefore, if
you want to issue certificates with different lifetimes, you must deploy either
enterprise CAs, multiple stand-alone CAs, or third-party CAs.
This still seems to be valid, according to a recent post on social.technet.microsoft.com.
I ended up changing the registry value, issuing the certificate, and then changing it back.
User contributions licensed under CC BY-SA 3.0