How to Set an Enterprise Subordinate CA to Have a Different Certificate Validity Period than the Parent CA

This article describes how to set an enterprise subordinate certification authority (CA) to have a different certificate validity period than that of the parent CA.

Applies to:   Windows Server 2012 R2
Original KB number:   281557

Summary

You can use the following steps to give a subordinate CA a certificate validity period that differs from the one the parent CA normally issues. The ValidityPeriod and ValidityPeriodUnits registry values on a CA set the maximum lifetime of every certificate that CA issues, including the certificate of a subordinate CA, so the procedure temporarily lowers that maximum on the parent CA for the duration of the subordinate CA installation. This process is divided into the following three steps:

Step 1: Set the validity period on the parent CA.
Step 2: Install the subordinate CA.
Step 3: Set the validity period back on the parent CA.

  1. Set the validity period on the parent CA. To do this, use the following commands on the parent CA that will issue the certificate of the subordinate CA (the example below limits issued certificates to three weeks). Certificate Services reads these values when it starts, so restart the Active Directory Certificate Services service (certsvc) after you run the commands:

    certutil -setreg ca\ValidityPeriod "Weeks" 
    certutil -setreg ca\ValidityPeriodUnits "3" 
    
  2. Install the subordinate CA and submit its certificate request to the parent CA that you configured in step 1. The CA certificate that the parent issues is limited to three weeks. Note that any other certificate request the parent CA processes while the lowered limit is in place is also limited to three weeks.

  3. Reset the validity period on the parent CA that issued the certificate of the subordinate CA to its previous value (for example, "2 years", which is the default value), and restart certsvc again so that the restored values take effect. To do this, use the following commands:

    certutil -setreg ca\ValidityPeriod "Years" 
    certutil -setreg ca\ValidityPeriodUnits "2"
    

    Note

    The ValidityPeriod and ValidityPeriodUnits values on the subordinate CA are not derived from its own CA certificate; they control the certificates that the subordinate CA issues. If you run certutil -getreg ca\val* on the subordinate CA, both values still show the same default values as on the parent CA (for example, 2 years), even though the subordinate CA certificate is only valid for three weeks. Because a CA does not issue certificates that outlive its own certificate, certificates that the subordinate CA issues are shortened to expire no later than its three-week CA certificate.
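The following PowerShell script is an added example that automates the three steps above; it is not part of the original article. Run it on the parent CA as a CA administrator. It reads the active CA name from the CertSvc Configuration registry key, records the current ValidityPeriod and ValidityPeriodUnits values, applies the temporary three-week limit with certutil, restarts certsvc so the change takes effect, waits while the subordinate CA is installed, and then restores the recorded values. The Get-CaCertLifetime function is meant to be run afterwards on the subordinate CA to confirm that its CA certificate spans three weeks; it assumes that certutil -ca.cert exports the current CA certificate and writes it to a temporary file whose name is chosen here.

```powershell
# Added example, not code from the original KB article.
# Run on the parent CA in an elevated PowerShell session.

$confKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $confKey -Name Active).Active
$caKey   = Join-Path $confKey $caName

function Get-CaValidity {
    # Read the issuance limit that the CA applies to every certificate it issues.
    $p = Get-ItemProperty -Path $caKey -Name ValidityPeriod, ValidityPeriodUnits
    [pscustomobject]@{ Period = $p.ValidityPeriod; Units = [int]$p.ValidityPeriodUnits }
}

function Set-CaValidity {
    param(
        [ValidateSet('Hours', 'Days', 'Weeks', 'Months', 'Years')][string]$Period,
        [ValidateRange(1, [int]::MaxValue)][int]$Units
    )
    certutil -setreg ca\ValidityPeriod $Period | Out-Null
    certutil -setreg ca\ValidityPeriodUnits $Units | Out-Null
    # certsvc reads these values at start-up, so the service must be restarted.
    Restart-Service -Name certsvc
}

function Get-CaCertLifetime {
    # Run on the subordinate CA after installation to check the issued CA
    # certificate. The temporary file name is an assumption of this example.
    $tmp = Join-Path $env:TEMP 'ca-cert-check.cer'
    certutil -ca.cert $tmp | Out-Null
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp
    Remove-Item $tmp -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Subject   = $cert.Subject
        NotBefore = $cert.NotBefore
        NotAfter  = $cert.NotAfter
        Days      = ($cert.NotAfter - $cert.NotBefore).Days
    }
}

$original = Get-CaValidity
Write-Host "Current issuance limit on ${caName}: $($original.Units) $($original.Period)"

# Step 1: temporarily cap every certificate this CA issues at three weeks.
Set-CaValidity -Period 'Weeks' -Units 3

# Step 2: install the subordinate CA against this parent while the cap is in place.
# Other requests submitted to this CA in the meantime are capped at three weeks too.
Read-Host 'Install the subordinate CA now, then press Enter to restore the original values'

# Step 3: restore the recorded values (the default for an enterprise CA is 2 Years).
Set-CaValidity -Period $original.Period -Units $original.Units
$restored = Get-CaValidity
Write-Host "Restored issuance limit on ${caName}: $($restored.Units) $($restored.Period)"
```

On the subordinate CA, calling Get-CaCertLifetime after installation should report a Days value of 21, while certutil -getreg ca\val* on that same CA still shows its own default issuance values.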