Extend Default Certificate Expire Date for Windows CA

We got a request from our client asking whether it is possible to increase the expiry date of the SSL certificate for their Exchange 2007 Server from 2 years to 5 or 10 years, so we started looking at how to extend the default certificate expiry date for a Windows CA.

Based on How to Create Certificates with a Longer Validity Period, it seems that this is possible. Please refer to the following testing done in our lab for more detail.


Most root CAs are typically valid for 5 years (Default setting during installation of Microsoft Certificate Authority (CA) Server)


An SSL certificate generated from the “Web Server Template” will expire in 2 years
Increasing the CA Lifetime
  1. Create CAPolicy.inf in %SystemRoot% – Notepad.exe C:\Windows\CAPolicy.inf
  2. Increase RenewalValidityPeriodUnits to a longer period
  3. Restart the CA service – Restart-Service -Name certsvc
Renew the Root Certificate so that it is valid for 10 years


Go to Certificate Authority, right-click on the server name and select “Renew Certificate”


Click Yes to stop the Certificate Services


Click Yes 


Go to Certificate Authority and look for the newly generated Root Certificate. Its validity has now been increased to 10 years
Setting the Maximum Validity Period in the Registry


A certificate generated using the default Web Server Template for Exchange will expire in 2 years


Use the following commands to verify the existing setting and extend the default certificate validity period from 2 years (default) to 5 years
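
One way to do this with certutil and PowerShell, as an added example that is not the original post's own commands. It assumes an elevated session on the CA server; the variable names and the 5-year target (taken from the text above) are choices made for this example.

```powershell
# Added example, not from the original post. Run elevated on the CA server.
$targetUnits  = 5          # target from the text above: 5 years
$targetPeriod = 'Years'

# The 'Active' value under the CertSvc configuration key names the active CA,
# and the per-CA subkey holds the validity limits.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$caKey   = Join-Path $cfgRoot $caName

# Verify the existing setting (maximum lifetime the CA stamps on issued certs).
$current = Get-ItemProperty -Path $caKey -Name ValidityPeriod, ValidityPeriodUnits
'Current limit on {0}: {1} {2}' -f $caName, $current.ValidityPeriodUnits, $current.ValidityPeriod

# The same values as certutil reports them.
certutil -getreg ca\ValidityPeriod
certutil -getreg ca\ValidityPeriodUnits

# Only touch the registry when the current limit is below the target.
$needsChange = ($current.ValidityPeriod -ne $targetPeriod) -or
               ($current.ValidityPeriodUnits -lt $targetUnits)

if ($needsChange) {
    certutil -setreg ca\ValidityPeriodUnits $targetUnits
    certutil -setreg ca\ValidityPeriod $targetPeriod

    # The CA reads these values at service start.
    Restart-Service -Name certsvc

    # Confirm the new limit.
    certutil -getreg ca\ValidityPeriod
    certutil -getreg ca\ValidityPeriodUnits
}
else {
    'No change needed.'
}
```

The lifetime on an issued certificate is the shortest of the template validity, this registry limit and the remaining lifetime of the CA's own certificate, which is why the CA renewal above and the template change below are both needed as well.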

Creating New Certification Template with Longer Validity


Open Certificate Authority and right click on Certificate Template > Manage


Right Click on Web Server Template and select Duplicate Template


Select Windows 2003 Enterprise Template


Enter a Name for this Certification Template and extend the validity to 5 years


Right Click on Certification Template > New > Certificate Template to Issue


Select the Certificate Template that we created just now
Please refer to the following link on how to generate an SSL certificate for Exchange 2007 – remember to select the template that we created instead of the default Web Server Template


You will get the SSL Certificate for Exchange Server with 5 years validity