Below is an issue one of my clients faced last week: they were not able to issue certificates with more than 5 years' validity, even though the certificate template is configured with 5 years.


The template shows a certificate validity period of 5 years, but when a certificate is issued, its validity is only 3 years.


When we run the following certutil command:

certutil -getreg ca\validityperiodunits


This shows the problem: at the registry level, the CA allows a validity of only three years. Run the command below to set it to 5 years. Before running it, ensure that a backup of both the CA and the registry has been taken successfully.

certutil -setreg ca\ValidityPeriodUnits 5


Restart the CA service by running the commands below:

net stop certsvc

net start certsvc


Certificates are now issued with a 5-year validity without any issues.
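The whole procedure above (check, back up, change, restart, verify) as one script. This is an added example, not part of the original post; it is meant for an elevated PowerShell session on the CA server. The backup path and the `$TargetYears` variable are assumptions to adjust for your environment.

```powershell
# Added example. $BackupDir and $TargetYears are assumptions, not values from the post.
$BackupDir   = "C:\CABackup\$(Get-Date -Format yyyyMMdd-HHmmss)"   # hypothetical path
$TargetYears = 5
$ConfigKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# The "Active" value names the CA whose subkey holds ValidityPeriod / ValidityPeriodUnits.
$caName = (Get-ItemProperty -Path $ConfigKey -Name Active).Active
$caKey  = Join-Path $ConfigKey $caName
$before = Get-ItemProperty -Path $caKey -Name ValidityPeriod, ValidityPeriodUnits
"CA '$caName' caps issued certificates at $($before.ValidityPeriodUnits) $($before.ValidityPeriod)"

# Only change the units when the period is expressed in years and the cap is too low.
if ($before.ValidityPeriod -ne 'Years') {
    throw "ValidityPeriod is '$($before.ValidityPeriod)', not Years; review before changing units."
}
if ($before.ValidityPeriodUnits -ge $TargetYears) {
    "Registry cap already allows $TargetYears years; nothing to change."
    return
}

# Back up the CA database and the CertSvc configuration before touching the registry.
# (Private key backup with 'certutil -backupKey' prompts for a password and is left out here.)
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
certutil -backupDB "$BackupDir\db"
if ($LASTEXITCODE -ne 0) { throw "CA database backup failed; aborting." }
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupDir\certsvc-config.reg" /y
if ($LASTEXITCODE -ne 0) { throw "Registry export failed; aborting." }

# Apply the change, then restart the service so the CA picks it up.
certutil -setreg ca\ValidityPeriodUnits $TargetYears
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed." }
Restart-Service -Name certsvc

# Confirm the new cap from the registry.
$after = Get-ItemProperty -Path $caKey -Name ValidityPeriodUnits
"New cap: $($after.ValidityPeriodUnits) Years"
```

The validity of an issued certificate is the lowest of the template's validity period, this CA registry limit, and the remaining lifetime of the CA's own certificate, so raising the registry value only helps when it is the limiting factor.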

#CA #Certificates #PKI
