question

EF75 asked EF75 edited

Certificate authority validation and Custom Template

We have:
- Windows 2016 CA servers.
- Root CA with 5 years validation: 4/22/2020 - 4/22/2025
- 2 Subordinate Enterprise CAs with the default validation of 2 years:
- Certificate #0: 4/22/2020 - 4/22/2022
- Certificate #1: 4/28/2020 - 4/28/2022
- We did create a custom Webserver template with 3 years validation.
- We did create a custom workstation template with 2 years validation for RADIUS auth, enrolled through an auto-enrollment GPO, and ticked the Auto Enroll option for the workstations security group within that template. We have already enrolled this cert to several workstations.
1- When we issue a webserver certificate using the template, the validation date is till 4/28/2022, even though the template is based on 3 years validation! Why is that?
2- We want to modify the existing validation date of Certificate #1 and extend it to 3 years using the same key. How can we achieve this? What is the impact on the existing enrolled / issued certificates on the workstations, since the certificates are used for RADIUS auth using Aruba ClearPass?
After extending the period, do we need to re-issue or change the values of the custom created CA templates like the workstations and the webservers? We want to avoid the workstations getting two sets of certificates enrolled automatically.
3- Can we remove Certificate #0 (4/22/2020 - 4/22/2022), since we don't use it? How can we do this? Any impact?
Running the below commands on the Root CA server
certutil -getreg ca\ValidityPeriod
(This returns the current value of 2)
certutil -getreg ca\ValidityPeriodUnits
(This returns the current value of Years)
Example is that before the above change, we created a custom template with a validity date of 2 years and issued some certificates (those had a 2 year expiration).
If we change this template from 2 to 3 for validity period, does this cause already issued certificates from this template to stop working or do they continue to work and any newly issued certificate would get the new validity period?
Thanks for finding the time to answer our questions.

windows-server-security
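As an added example that is not part of this thread: the rule an AD CS issuing CA applies when it computes the expiry of a certificate it issues, which is what produces the 4/28/2022 date in question 1. Sub CA #1's dates and the 2-year registry value come from the question; the renewed-CA dates and the 2021-06-01 / 2022-06-01 issue dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class IssuingCa:
    """An issuing CA: its own certificate's validity window plus the
    ca\\ValidityPeriod* registry setting the question reads with
    certutil -getreg (2 years on this page)."""
    name: str
    not_before: date
    not_after: date
    registry_validity_years: int


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; Feb 29 rolls back to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def effective_not_after(ca: IssuingCa, template_years: int, issued_on: str):
    """Return (not_after_iso, binding_limit) for a certificate issued by `ca`.

    AD CS grants the shortest of three limits: the template's validity period,
    the CA's registry ValidityPeriod, and the remaining life of the CA's own
    certificate (a CA never issues a certificate that outlives itself)."""
    issued = date.fromisoformat(issued_on)
    if not ca.not_before <= issued <= ca.not_after:
        raise ValueError(f"{ca.name} certificate is not valid on {issued_on}")
    limits = {
        "template": add_years(issued, template_years),
        "CA registry ValidityPeriod": add_years(issued, ca.registry_validity_years),
        "issuing CA certificate expiry": ca.not_after,
    }
    binding = min(limits, key=limits.get)
    return limits[binding].isoformat(), binding


# Sub CA #1 exactly as the question describes it: 4/28/2020 - 4/28/2022, registry = 2 years.
SUB_CA_1 = IssuingCa("Sub CA #1", date(2020, 4, 28), date(2022, 4, 28), 2)
# Constructed what-if (assumption, not from the thread): Sub CA #1 renewed for five
# years while the registry setting is left at 2.
SUB_CA_1_RENEWED = IssuingCa("Sub CA #1 (renewed)", date(2022, 4, 28), date(2027, 4, 28), 2)

if __name__ == "__main__":
    # Question 1: the 3-year web server template is capped by the CA certificate.
    print(effective_not_after(SUB_CA_1, 3, "2021-06-01"))          # ('2022-04-28', 'issuing CA certificate expiry')
    # After a CA renewal the registry value becomes the binding limit: still 2 years.
    print(effective_not_after(SUB_CA_1_RENEWED, 3, "2022-06-01"))  # ('2024-06-01', 'CA registry ValidityPeriod')
```

The second run shows why changing only the template is not enough after a CA renewal: the registry ValidityPeriod read with `certutil -getreg` still caps every certificate the CA issues.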

EF75 answered FanFan-MSFT commented

Hi There,
Can anyone respond to the remarks mentioned above?
As well, we are having a strange issue. Since we are using an Enterprise CA installed on domain-joined Root CA and Subordinate CA servers (not DCs), we are expecting, and by design, to have the root and intermediate published automatically to the Trusted Root Certification Authorities and Intermediate Certification Authorities local stores once we add/join the servers to the domain, which is not the case right now. Can anyone help on this? Do we need to apply changes on the Root CA server or the intermediate CA server to get this done?
Thanks again !


Hi, Eifra
Do you mind opening a new thread?
It will let more users see your question and provide more useful advice.

Best Regards,

EF75 answered EF75 edited

I just happened to add a new thread:
https://docs.microsoft.com/en-us/answers/questions/485358/root-and-sub-ca-not-getting-automatically-publishe.html
Can you also help answering my latest concerns?
Thank you
