Below is the issue faced by one my client last week that they are not able to provide the certificates with more than 5 years validity even though certificate template is issued with 5 Years.



Above Template shows that certificate Validity period 5 Years but when it is issues the certificate provides the certificate validity only for 3 years.



When we run the Certutil command

certutil -getreg ca\validityperiodunits



There is a problem. it is allowed only for three years in the registry level. Hence  run the below commands to set it to 5 years.s Before running the commands ensure backup has been sucessfully taken both CA and Registry.

certutil-setreg ca\ValidityPeriodUnits 5


Restart the CA services by running below commands

net stop certsvc

net start certsvc


Now you will see the certificates are getting issued with 5 Years without any issues.

Leave a Reply

Your email address will not be published. Required fields are marked *