Certificate Authority validity period 1

disturbedone

Vendor
Sep 28, 2006
781
AU
I am setting up NPS to use with our WiFi network. I have installed NPS on a new W2K8R2 server. Previously a CA was configured on a W2K8R2 server.

I'd like the certificate that is used in NPS for clients to have a long validity period eg 10yrs. The default certificate template called 'Computer' that is in AD has a validity period of 1yr so I duplicated it (calling it 'NPS') and changed the validity to 10yrs. I enabled that template on the CA to allow it to be issued.

From the NPS server I request a new certificate using AD enrollment and the options available are 'Computer' and 'NPS'. Viewing the details of the 'NPS' certificate it says that the validity period is 3650 days. I choose to enrol and the certificate now shows in Certificates/Personal/Certificates but it has an expiry date in 1yr. Viewing the certificate details it shows the issue date of today and an expiry date of 1yr + 2days.

Why is it not 10yrs?
Why is it 367 not 365 days?

How can I get this certificate to be 10yrs like the template says it should be?
 
Excuse my ignorance. Certificates are relatively new to me so I'm still getting my head around it!

I have a root CA and a subordinate CA. On the root CA in the Certificate Authority snap-in I right click the server and select Properties. On the General tab it lists a certificate and viewing that it lists the dates 18/9/2013 to 18/9/2033. On the subordinate however this shows 18/9/2013 to 18/9/2015 so it looks like that's the problem - the expiry date of the certificate I was getting on the NPS server was 18/9/2013.

If I right-click the subordinate, choose 'All Tasks' there's an option to 'Renew CA Certificate' which sounds like what I'm after. It tells me:
Active Directory Certificate Services cannot be running during this operation. Do you want to stop Active Directory Certificate Services now?
I said no so it didn't do anything. I assume that I say yes and it renews the certificate. How do I check that it will get one with a longer validity?

In the 'Certificate Templates' on the DC there's one called 'Subordinate Certification Authority' with a validity of 5yrs but that doesn't match the 20yr or 1yr that other certificates show.

How do I get the subordinate to have a certificate with a longer validity?
 
I renewed the certificate on the SubCA but it's given it 2yrs.

On the RootCA it shows the issued certificate using the Certificate Template of Subordinate Certification Authority (SubCA). The template in AD has the Subordinate Certification Authority template as having a validity period of 5yrs (as I mentioned in a previous post) but it's only giving 2yrs. Why is that?
 
> but it's only giving 2yrs

Er ... did you read the first article I linked?

The validity period of any certificate generated by a Windows CA is the lesser of these three values:
• The remaining lifetime of the root CA server
• The value specified in the certificate template
• The value specified in the CA server registry (default is 2 years)

It then explains how to change this.
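As an added illustration of the three-way minimum described above (this is not from the thread or the linked article), the following PowerShell, run elevated on the subordinate CA, reads and raises the registry cap and then works out the effective lifetime a new certificate can get. `$caName` is a placeholder for your CA's common name, and the template value is assumed to be 10 years as in the duplicated 'NPS' template.

```powershell
# Added example, not from the thread. Run in an elevated prompt on the issuing (subordinate) CA.
# Assumption: $caName matches the CN of the CA's own certificate in the machine store.
$caName = 'SubCA'   # placeholder: replace with your CA's common name

# 1) Registry cap. certutil's 'CA\' prefix targets the local CA's configuration key under
#    HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration. The default is 2 Years.
certutil -getreg CA\ValidityPeriodUnits
certutil -getreg CA\ValidityPeriod

# Raise the cap to 10 years. AD CS reads these values at service start, so restart afterwards.
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod 'Years'
Restart-Service CertSvc
$registryYears = 10

# 2) Remaining life of the CA's own certificate: nothing it issues can outlive this,
#    which is why a 2yr SubCA certificate produced 1yr-ish leaf certificates in the thread.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$caRemainingYears = ($caCert.NotAfter - (Get-Date)).TotalDays / 365.25

# 3) Validity set in the certificate template (10yrs on the duplicated 'NPS' template).
$templateYears = 10

# Effective validity is the smallest of the three.
$effectiveYears = [Math]::Min([Math]::Min($caRemainingYears, $templateYears), $registryYears)
"CA cert expires $($caCert.NotAfter.ToShortDateString()); max validity for new certs: {0:N1} years" -f $effectiveYears
```

If the printed figure is still short of the template value, the CA certificate itself is the limiting factor and has to be renewed (with the root's own cap and the SubCA template checked the same way).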
 
Sorry, didn't even see that link. Only saw your 2nd post/link.

I've changed the default validity period from 2yrs to 10yrs, reissued the certificate which now has 5yrs on it (using the SubCA template value).
 
Ok, one last thing......

The default template called 'Computer' has a validity period of 1yr. When I request a certificate for the NPS server I get one from this template and it works fine but I'd like a much longer time period. I duplicated the template to a new one and simply called it 'NPS' and gave it 10yrs instead of 1yr. Nothing else was changed ie it should be exactly the same just with a longer validity period. But......

I can request a certificate on the NPS server and choose this template and the certificate is received and has 10yrs on it. When I configure NPS and choose the EAP policy as Microsoft: Protected EAP (PEAP) and click the 'Configure' button to choose the certificate it gives me the error:
A certificate could not be found that can be used with this Extensible Authentication Protocol
If this is a duplicate of a template that does work why doesn't this?

About the only difference I can find is the 'Computer' template has an extension of 'Enhanced Key Usage' with client authentication and server authentication whereas the new 'NPS' template doesn't have this. Although it does have an extension of 'Application Policies' with client & server authentication.

Any ideas why this duplicate isn't a duplicate? And how do I get an actual duplicate but with 10yrs validity?
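To make the difference described above visible, here is an added PowerShell check (not from the thread) that lists each machine certificate with the template it came from, whether it carries an Enhanced Key Usage extension at all, and whether that extension includes Server Authentication (OID 1.3.6.1.5.5.7.3.1), which is the extension the working 'Computer' certificate has and the 'NPS' one lacks. It assumes PowerShell 3.0 or later on the NPS server.

```powershell
# Added example, not from the thread. Run on the NPS server; no changes are made.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'                                    # Server Authentication
$templateOids  = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')      # v1 template name / v2+ template info

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Enhanced Key Usage extension (OID 2.5.29.37); .NET exposes it as X509EnhancedKeyUsageExtension
    $ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

    # Which template issued this certificate (shown as "Template=<name>(<oid>)" for v2+ templates)
    $tmplExt = $cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1

    [pscustomobject]@{
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        Template      = if ($tmplExt) { $tmplExt.Format($false) } else { '(none)' }
        HasEkuExt     = [bool]$ekuExt
        ServerAuth    = ($ekuOids -contains $serverAuthOid)
        # PEAP needs a private key plus Server Authentication in the EKU extension;
        # an 'Application Policies' extension on its own is what the failing 'NPS' cert had
        UsableForPEAP = ([bool]$ekuExt -and ($ekuOids -contains $serverAuthOid) -and $cert.HasPrivateKey)
    }
} | Format-Table -AutoSize
```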
 
I duplicated the template 'RAS and IAS Server' and that works. Still no idea why duplicating the 'Computer' doesn't.
 