question

Chong-7118 asked Chong-7118 commented

Cannot generate certificate when certificate template validity period is longer than the CA

Hi Support,

We have a root CA and an intermediate CA.
On the root CA, the root certificate validity period is 20 years and the validity period of generated certificates is 1 year.
On the intermediate CA, the validity period of generated certificates is 2 years.

I created a certificate template and configured the validity period as 5 years. When I generate a certificate from this template, it shows this error:
Unable to submit the CSR request to certificate authority.-Error Constructing or Publishing Certificate
The certificate validity period will be shorter than the xxxxx Certificate Template specifies, because the template validity period is longer than the maximum certificate validity period allowed by the CA.
Consider renewing the CA certificate, reducing the template validity period, or increasing the registry validity period.

Then I tried to modify the value to 10 years by command and registry, but the problem still exists.
133551-image.png
133506-image.png

Any idea?

Thanks and Best Regards
Chong


windows-server

1 Answer

LimitlessTechnology-2700 answered Chong-7118 commented

Hello @Chong-7118,

By default, the lifetime of a certificate that is issued by a Stand-alone Certificate Authority (CA) is one year. After one year, the certificate expires and is not trusted for use.

There may be situations when you have to override the default expiration date for certificates that are issued by an intermediate or an issuing CA.

Various applications that use certificates and Public Key Infrastructure (PKI) might experience intermittent problems, such as connectivity errors, once or twice per day/week.

These problems occur because of failed verification of the end-entity certificates. Affected applications might return different connectivity errors, but they will all have untrusted root certificate errors in common. Below is an example of such an error and resolving techniques are mentioned in the below link:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/valid-root-ca-certificates-untrusted

For further details on how to change the validity period of a certificate that is issued by the Certificate Authority (CA), please follow the link below:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/change-certificates-expiration-date

Hope this answers all your queries, if not please do repost back.
If an Answer is helpful, please click "Accept Answer" and upvote it : )


Hi @LimitlessTechnology-2700,

Thanks for the information.

It doesn't have any root certificate error. If the certificate template is set to 1-2 years, there is no problem generating the certificate. But when I configure it to 3 years or longer, it has the error.

I also tried to modify and check the validity period by cmdlet and registry, as described in the provided link. As my screen capture shows, both of them already show 10 years, but the error still exists.

Regards
Chong

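The error message in the question names three limits (template validity, registry validity period, CA certificate lifetime), and an issued certificate ends at whichever comes first. The following PowerShell check reports which one is binding; it is an added example, not part of the original thread. It assumes an elevated session on the issuing CA and that the CA certificate sits in the `LocalMachine\My` store under the CA's common name; `$TemplateYears` is a hypothetical parameter for the validity configured on the template.

```powershell
# Added example: read-only check, run elevated on the issuing (intermediate) CA.
# $TemplateYears is a hypothetical input: the validity configured on the template.
param([int]$TemplateYears = 5)

# The name of the active CA's configuration key is stored in the "Active" value.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -LiteralPath $base).Active
$cfg    = Get-ItemProperty -LiteralPath (Join-Path $base $caName)

# Limit 1: the template's validity period.
$now         = Get-Date
$templateEnd = $now.AddYears($TemplateYears)

# Limit 2: the CA-wide maximum (ValidityPeriod + ValidityPeriodUnits).
# The service reads these at start, so a value changed without restarting
# Certificate Services (certsvc) is not yet in effect.
$units       = [int]$cfg.ValidityPeriodUnits
$registryEnd = switch ($cfg.ValidityPeriod) {
    'Years'  { $now.AddYears($units) }
    'Months' { $now.AddMonths($units) }
    'Weeks'  { $now.AddDays(7 * $units) }
    'Days'   { $now.AddDays($units) }
    'Hours'  { $now.AddHours($units) }
    default  { throw "Unexpected ValidityPeriod value: $($cfg.ValidityPeriod)" }
}

# Limit 3: the CA's own certificate. A CA does not issue certificates that
# outlive it. Assumption: the CA certificate is in LocalMachine\My and its
# subject CN equals the CommonName registry value; after a renewal there can
# be several, so take the one that expires last.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $cfg.CommonName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $caCert) { throw "No certificate found for CA '$($cfg.CommonName)'" }

$limits = [ordered]@{
    'Template validity'                = $templateEnd
    'Registry ValidityPeriod on CA'    = $registryEnd
    'CA certificate NotAfter'          = $caCert.NotAfter
}
$sorted = $limits.GetEnumerator() | Sort-Object Value
$sorted | Format-Table Key, Value -AutoSize

$binding = $sorted | Select-Object -First 1
"Certificates issued now expire no later than $($binding.Value); binding limit: $($binding.Key)"
```

If the binding limit is the CA certificate's `NotAfter`, raising the registry value on the issuing CA changes nothing: that lifetime was set by the parent CA when it issued the CA certificate, so the CA certificate has to be renewed.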