For the second time since going live with our CAMPUS Active Directory Services, the Subordinate Certificate Authority that is bound to our production domain has come very close to expiring. What gives with the default two year validity period for Microsoft CAs? Verisign’s certificates are not any less secure than ours, and they have 5+ year CA validity periods.
After much head banging, I discovered this KB:
http://support.microsoft.com/kb/254632/en-us
The reason I have been having so much trouble is that a Microsoft enterprise (domain-joined) CA caps the lifetime of the certificates it issues at the lesser of two values: the validity period of the issuing certificate template (which is what I would expect) and the maximum validity period defined in the CA's CertSvc registry key, the ValidityPeriod/ValidityPeriodUnits values described in the KB (which is not what I expected at all). The registry cap defaults to two years, so a five-year SubCA template on its own changes nothing.
After setting the registry values in the KB on my Enterprise Root CA, I now have a SubCA that has a five year validity. Huzzah!
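The registry change from the KB, as an added PowerShell example (this is not code from the original post): it reads the current cap, raises it to five years with certutil, restarts CertSvc so the new values take effect, and then checks that the Root CA's own certificate actually has five years left, since an issued certificate can never outlive its issuer. The CA name is resolved from the CertSvc "Active" value; running it elevated on the Enterprise Root CA and the target of "5 Years" are assumptions taken from the post.

```powershell
# Added example, not from the original post. Run in an elevated prompt on the
# Enterprise Root CA that will issue (or renew) the Subordinate CA certificate.
# Assumption: the desired cap is 5 Years, as in the post.
$TargetUnits  = 5
$TargetPeriod = 'Years'

# The CA configuration name is stored in the "Active" value of this key.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey).Active
$caKey  = Join-Path $cfgKey $caName

# Show the current cap. A freshly installed CA reports "Years" / 2, which is
# why a 5-year SubCA template still produced a 2-year SubCA certificate.
$before = Get-ItemProperty -Path $caKey
"{0}: ValidityPeriod={1} ValidityPeriodUnits={2}" -f $caName, $before.ValidityPeriod, $before.ValidityPeriodUnits

# Raise the cap. certutil -setreg ca\... writes the same two values under $caKey.
certutil -setreg ca\ValidityPeriod $TargetPeriod
certutil -setreg ca\ValidityPeriodUnits $TargetUnits

# CertSvc reads these values at startup, so restart the service.
Restart-Service -Name CertSvc

# Confirm the running CA now reports the new cap.
certutil -getreg ca\ValidityPeriod
certutil -getreg ca\ValidityPeriodUnits

# Caveat: the registry cap is not the only ceiling. An issued certificate is
# also truncated to the remaining lifetime of the issuing CA's own certificate,
# so check how much time the Root CA certificate has left.
$caCertFile = Join-Path $env:TEMP 'issuing-ca.cer'
certutil -ca.cert $caCertFile | Out-Null
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCertFile
$wanted = (Get-Date).AddYears($TargetUnits)
if ($caCert.NotAfter -lt $wanted) {
    Write-Warning ("CA certificate for {0} expires {1:yyyy-MM-dd}; a SubCA issued today " +
                   "will be cut short of the {2}-year target. Renew the Root CA certificate first." -f
                   $caName, $caCert.NotAfter, $TargetUnits)
} else {
    "CA certificate valid until {0:yyyy-MM-dd}; a {1}-year SubCA fits." -f $caCert.NotAfter, $TargetUnits
}
Remove-Item $caCertFile -ErrorAction SilentlyContinue
```

If the Root CA was also installed with defaults, its own certificate may be the real limit rather than the registry value: raise the cap, renew the root (which uses the new cap for its own lifetime), and only then renew the SubCA.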
Here is what did not work:
Creating a new Subordinate CA Certificate with a five year validity period…
This failed because the existing CA renews using the template that issued its certificate initially. Thus, if I remove the default "SubCA" template from the list of certificate templates to issue, cert renewal fails, claiming that there is no appropriate template available. I can't seem to add the default SubCA template to the "superseded templates" list, either. It is likely that this is a hard-coded limitation; perhaps MS does not want us altering the default CA templates? Whatever… at least I get a bit more time on my certs now, thankfully.