Extend Default Certificate Expire Date for Windows CA

A client asked whether the validity period of the SSL certificate for their Exchange 2007 server could be increased from 2 years to 5 or 10 years, so we looked into how to extend the default certificate expiry date for a Windows CA.

Based on How to Create Certificates with a Longer Validity Period, this appears to be possible. The steps below come from the testing done in our lab.

CA-01

Most root CAs are typically valid for 5 years (the default setting during installation of Microsoft Certificate Authority (CA) Server)

CA-02

An SSL certificate generated from the “Web Server Template” expires in 2 years

Increasing the CA Lifetime
  1. Create CAPolicy.inf in %SystemRoot% – Notepad.exe C:\Windows\CAPolicy.inf
  2. Increase RenewalValidityPeriodUnits to a longer period
  3. Restart the CA service – Restart-Service -Name certsvc

Renew the root certificate, which will then be valid for 10 years

CA-03

Go to Certificate Authority, right-click on the server name and select “Renew Certificate”

CA-04

Click Yes to stop the Certificate Services

CA-05

Click Yes 

CA-06

Go to Certificate Authority and look for the newly generated root certificate. Its validity has now been increased to 10 years

Setting the Maximum Validity Period in the Registry

CA-07

A certificate generated using the default Web Server Template for Exchange expires in 2 years

CA-08

Use the following commands to verify the existing setting and extend the default certificate validity period from 2 years (default) to 5 years
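
One way to do this check and change with certutil, given as an added example that is not taken from the original post. It assumes an elevated PowerShell session on the CA server; the variable names and the 5-year target are the example's own choices.

```powershell
# Added example: run elevated on the CA server.
$targetYears = 5   # goal described in this article (2 -> 5 years)

# Show the current ceiling the CA applies to certificates it issues.
certutil -getreg CA\ValidityPeriod
certutil -getreg CA\ValidityPeriodUnits

# Read the same values from the registry so the script can decide what to do.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active      # name of the active CA
$caCfg   = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

if ($caCfg.ValidityPeriod -ne 'Years') {
    # Do not touch a CA that counts in another unit; review it by hand.
    Write-Warning "ValidityPeriod is '$($caCfg.ValidityPeriod)', not 'Years'. No change made."
}
elseif ($caCfg.ValidityPeriodUnits -lt $targetYears) {
    # Raise the ceiling, then restart the service so it takes effect.
    certutil -setreg CA\ValidityPeriodUnits $targetYears
    Restart-Service -Name certsvc
    certutil -getreg CA\ValidityPeriodUnits   # confirm the new value
}
else {
    Write-Output "ValidityPeriodUnits is already $($caCfg.ValidityPeriodUnits); nothing to change."
}
```

The registry value is only a ceiling: an issued certificate gets the shortest of the template validity, this CA setting, and the remaining lifetime of the CA's own certificate. That is why the template is also changed in the next section.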

Creating New Certification Template with Longer Validity

CA-09

Open Certificate Authority and right-click on Certificate Template > Manage

CA-10

Right-click on Web Server Template and select Duplicate Template

CA-11

Select Windows 2003 Enterprise Template

CA-12

Enter a Name for this Certification Template and extend the validity to 5 years

CA-13

Right-click on Certification Template > New > Certificate Template to Issue

CA-14

Select the Certificate Template that we created just now

Please refer to the following link on how to generate an SSL Certificate for Exchange 2007 – remember to select the template that we created instead of the default Web Server Template

CA-15

You will get the SSL Certificate for Exchange Server with 5 years validity