Share via

Certificate services Troubleshooting: The Validity Period of Issued Certificate is Shorter than Configured

  • Article

I recently encountered couple of scenarios where one of the issued Certificates in Microsoft PKI infrastructure solution has validity period shorter than the period already configured on the template of this certificate. The main reason of changing and increasing the validity period/years for several specific certificates is to avoid frequent renewal process. 

The scenario I passed by recently was when a user duplicated one of the templates and changed the Validity from the default 2 Years to 4 Years and issued the new Certificate however the issued certificate still reads 2 Years. This can be due to one of two reasons:

  1. The CA certificate period /Remaining Period (CA cannot issue a certificate that is longer than its own CA certificate) is less than the user certificate period. You cannot issue a user certificate which is 10 Years valid if your Root CA is 5 years only.
  2. The default Validity Period that is allowed by CA (defined in CA reg)

To check for the CA Certificate period/Duration, you need to do the following

  1. Open the CA Console
  2. Right Click on the CA - Properties
  3. From the General TAB click View Certificate and check the duration.

http://2.bp.blogspot.com/-SqqErxiTvwM/UfEu3GEc6NI/AAAAAAAAAR4/ztcJ5u1naYI/s400/Check+CA.png

If the CA Remaining duration is less than the required user certificate duration then you need to increase the CA value and renew the CA certificate as follows:

  1. Configure CAPolicy.inf that directly controls CA certificate.
  2. Go to C:\Windows Folder, find the file CAPolicy.inf
  3. Change the "RenewalValidityPeriodUnits" value to the appropriate period (10 or 15 Years)
  4. Restart the CA Service
  5. Renew the CA Certificate (Right Click on the CA - All Tasks - Renew CA Certificate)

If the CA Period/Duration is fine and longer than the user certificate need then we need to check the default Validity Period in the CA Registry bu doing the following:

  1. Open Admin CMD on the CA server and type certutil -getreg ca

    http://2.bp.blogspot.com/-YeYD24oc684/UfExYMz39GI/AAAAAAAAASI/lTNtiy-ywI4/s400/CA+Reg.png

  2. Check the ValidityPeriodUnits which refers to the maximum** period** that this CA can issue. You can define this value according to your own requirements, but it won’t exceed the lifetime of CA.

  3. From the Same CMD run certutil -setreg ca\ValidityPeriodUnits 5 (This will increase the validity to 5 years)

  4. Stop and restart CA service.

Now try again to Enroll certificate again from client to check the validity period.