3.9 Setting certificate lifetime

By default, the Microsoft CA ignores the settings for certificate lifetime from MyID. The default validity period for the CA is two years, and no certificate issued will exceed this. If you want to change the global certificate lifetime limit, you can do so on the CA.

To specify certificate lifetime on the CA:

  1. Log on to the CA as an Administrator.

  2. At the command prompt, type:

    certutil -setreg CA\ValidityPeriodUnits 3

    This sets the certificate lifetime to three years.

  3. Restart the CA by entering the following commands, pressing Enter after each one:

    1. NET STOP certsvc
    2. NET START certsvc

Note: This sets the maximum lifetime for any certificate. Individual certificate templates may have lifetimes that are shorter; if the certificate template has a lifetime that is longer than the CA validity period, the certificates issued will be restricted to the CA validity period. For example, if the CA validity period is 2 years, and the certificate template has a lifetime of 5 years, the certificates issued will have a lifetime of 2 years.

3.9.1 Controlling the certificate lifetime from MyID

You can set the CA to allow MyID to pass requests for specific certificate lifetimes.

To allow MyID to specify certificate lifetime:

  1. Log on to the CA as an Administrator.

  2. At the command prompt, type:

    certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE

  3. Restart the CA by entering the following commands, pressing Enter after each one:

    1. NET STOP certsvc
    2. NET START certsvc

Note: If you set this option on the CA, MyID can override the default ValidityPeriodUnits setting on a certificate-by-certificate basis. However, MyID can only reduce the validity period of a certificate – you cannot increase the validity period by specifying a value in MyID.

If you request a certificate with a longer period than is permitted by the CA, the request will be rejected by the CA.
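The following PowerShell script is an added example, not part of the MyID documentation or product. It audits the two CA settings described in 3.9 and 3.9.1 (the global ValidityPeriodUnits limit and the EDITF_ATTRIBUTEENDDATE flag that lets MyID request shorter lifetimes) and can optionally apply them; it assumes it is run on the CA as an Administrator, that the certutil -getreg output has the usual "Name REG_DWORD = value" layout, and that EDITF_ATTRIBUTEENDDATE corresponds to bit 0x20 of EditFlags.

```powershell
# Added example (not from the MyID documentation): audit the CA lifetime settings
# covered in 3.9 and 3.9.1. Uses certutil -getreg so the registry path of the
# active policy module does not have to be known. Run on the CA as Administrator.

function Get-CertutilRegValue {
    param([Parameter(Mandatory)][string]$Key)
    $out = & certutil.exe -getreg $Key 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg $Key failed: $out" }
    # Assumed output layout: DWORDs as "hex (decimal)" or plain hex, strings as text.
    if ($out -match 'REG_DWORD\s*=\s*[0-9a-fA-F]+\s*\((\d+)\)') { return [int]$Matches[1] }
    if ($out -match 'REG_DWORD\s*=\s*([0-9a-fA-F]+)')           { return [Convert]::ToInt32($Matches[1], 16) }
    if ($out -match '(?m)REG_SZ\s*=\s*(.+?)\s*$')                { return $Matches[1] }
    throw "Could not parse certutil output for ${Key}:`n$out"
}

function Get-CaLifetimePolicy {
    $units  = Get-CertutilRegValue 'CA\ValidityPeriodUnits'   # e.g. 2 (the documented default)
    $period = Get-CertutilRegValue 'CA\ValidityPeriod'        # e.g. "Years"
    $flags  = Get-CertutilRegValue 'Policy\EditFlags'
    $EDITF_ATTRIBUTEENDDATE = 0x20   # assumed bit value set by "+EDITF_ATTRIBUTEENDDATE"
    [pscustomobject]@{
        MaxLifetime       = "$units $period"
        MyIDCanSetEndDate = (($flags -band $EDITF_ATTRIBUTEENDDATE) -ne 0)
    }
}

function Set-CaLifetimePolicy {
    # Applies the two documented certutil commands, then restarts the CA
    # (Restart-Service has the same effect as NET STOP / NET START certsvc).
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Years = 3)
    $action = "set ValidityPeriodUnits=$Years, enable EDITF_ATTRIBUTEENDDATE, restart certsvc"
    if ($PSCmdlet.ShouldProcess('CertSvc', $action)) {
        & certutil.exe -setreg 'CA\ValidityPeriodUnits' $Years | Out-Null
        & certutil.exe -setreg 'Policy\EditFlags' '+EDITF_ATTRIBUTEENDDATE' | Out-Null
        Restart-Service -Name certsvc
    }
}

# Report the effective policy; warn when MyID-requested lifetimes would be ignored.
$policy = Get-CaLifetimePolicy
$policy | Format-List
if (-not $policy.MyIDCanSetEndDate) {
    Write-Warning 'EDITF_ATTRIBUTEENDDATE is not set: MyID lifetime requests are ignored and every certificate gets the CA maximum.'
}
# To apply the documented settings interactively: Set-CaLifetimePolicy -Years 3 -Confirm
```

Because `Set-CaLifetimePolicy` supports `-WhatIf`, the change can be previewed before the CA service is restarted.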