3.9 Setting certificate lifetime

By default, the Microsoft CA ignores the settings for certificate lifetime from MyID. The default validity period for the CA is two years, and no certificate issued will exceed this. If you want to change the global certificate lifetime limit, you can do so on the CA.

To specify certificate lifetime on the CA:

  1. Log on to the CA as an Administrator.

  2. At the command prompt, type:

    certutil -setreg CA\ValidityPeriodUnits 3

    This sets the certificate lifetime to three years.

  3. Restart the CA by entering the following commands, pressing Enter after each one:

    1. NET STOP certsvc
    2. NET START certsvc

Note: This sets the maximum lifetime for any certificate. Individual certificate templates may have lifetimes that are shorter; if the certificate template has a lifetime that is longer than the CA validity period, the certificates issued will be restricted to the CA validity period. For example, if the CA validity period is 2 years, and the certificate template has a lifetime of 5 years, the certificates issued will have a lifetime of 2 years.

3.9.1 Controlling the certificate lifetime from MyID

You can set the CA to allow MyID to pass requests for specific certificate lifetimes.

To allow MyID to specify certificate lifetime:

  1. Log on to the CA as an Administrator.

  2. At the command prompt, type:

    certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE

  3. Restart the CA by entering the following commands, pressing Enter after each one:

    1. NET STOP certsvc
    2. NET START certsvc

Note: If you set this option on the CA, MyID can override the default ValidityPeriodUnits setting on a certificate-by-certificate basis. However, MyID can only reduce the validity period of a certificate – you cannot increase the validity period by specifying a value in MyID.

If you request a certificate with a longer period than is permitted by the CA, the request will be rejected by the CA.
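The two procedures above (sections 3.9 and 3.9.1), run together from one elevated PowerShell session on the CA, as an added example that is not part of the MyID documentation. It assumes the CA's ValidityPeriod value is still the default of Years (so ValidityPeriodUnits counts years), uses Restart-Service in place of the NET STOP / NET START pair, and adds certutil -getreg calls so that the values before and after the change are on record.

```powershell
# Added example (not from the MyID documentation): set the CA-wide certificate
# lifetime, allow requesters to supply an end date, and restart the CA service
# so the new registry values take effect. Run elevated, on the CA itself.

# Record the current values. The CA maximum lifetime is
# ValidityPeriodUnits x ValidityPeriod (default 2 x Years); only
# ValidityPeriodUnits is changed here, as in the procedure above.
certutil -getreg CA\ValidityPeriod
certutil -getreg CA\ValidityPeriodUnits
certutil -getreg Policy\EditFlags

# Section 3.9: global maximum lifetime of three years.
certutil -setreg CA\ValidityPeriodUnits 3

# Section 3.9.1: let MyID pass a specific ExpirationDate in the request.
# Use an ASCII hyphen before setreg; a typographic dash pasted from a
# document is not recognised as an option prefix by certutil.
certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE

# Restart the CA service (equivalent to NET STOP certsvc / NET START certsvc).
Restart-Service -Name certsvc

# Verify: certutil lists the symbolic flag names, which should now include
# EDITF_ATTRIBUTEENDDATE alongside the existing flags.
certutil -getreg CA\ValidityPeriodUnits
certutil -getreg Policy\EditFlags
```

The +EDITF_ATTRIBUTEENDDATE form adds the flag to the existing EditFlags value rather than replacing it, so flags already set on the CA are preserved; compare the before and after output of the last -getreg call to confirm that only the one bit changed.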

3.9.2 Specific certificate expiry time

MyID can specify the expiry time for certificates. If the expiry time for the certificate is later than the expiry date for the device, and the Restrict certificate lifetimes to the card option (on the Certificates page of the Operation Settings workflow within MyID) is set to Yes, the certificate lifetime is reduced to match the lifetime of the device.

For example, if you issue a device at 09:18:44 GMT on Tuesday, 03 May 2011 with a lifetime of 6 days, the device will expire at 09:18:44 GMT on Monday, 09 May 2011. MyID requests a certificate for this device with the following details:

The certificate expiration date will be as specified in the request: 09/05/2011 09:18:44. This matches the expiry date of the device. The ValidityPeriodUnits setting is ignored.

However, if the ExpirationDate is not present in the request, the ValidityPeriodUnits setting is used instead.

3.9.2.1 A note on the display of certificate dates within MMC

The certificate request is in GMT, but in the Microsoft Management Console Certification Authority snap-in, the certificate expiry date is displayed in the local time; for example, BST or MDT.

The Microsoft Management Console Certification Authority displays certificate dates to the minute, but the CA works with certificate dates to the millisecond; for example, in the MMC the date may be displayed as 09:18, but the certificate may actually be configured to expire at 09:18:44.000.

Note: You may see an anomaly in the Windows user interface, where the column displaying the certificate requests may be truncated without any indication; view the request properties dialog to display the full request.
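The rules in sections 3.9.1, 3.9.2 and 3.9.2.1 worked through in PowerShell, as an added example that is not part of the MyID documentation or of the CA's own logic. The function Get-EffectiveCertificateExpiry and its parameter names are assumptions made for this illustration; it models the CA as honouring a requested ExpirationDate only when EDITF_ATTRIBUTEENDDATE is set and the date does not exceed the CA validity period, and falling back to ValidityPeriodUnits otherwise. The input dates are constructed to match the 03 May 2011 example above.

```powershell
# Added example (not from the MyID documentation). Derives the effective
# certificate expiry for a request and shows why the MMC snap-in displays a
# different-looking value (local time zone, minute precision).

function Get-EffectiveCertificateExpiry {
    param(
        [Parameter(Mandatory)] [datetime] $IssuedUtc,        # time the request is processed, UTC
        [Parameter(Mandatory)] [int]      $CaValidityYears,  # CA\ValidityPeriodUnits, with ValidityPeriod = Years
        [Nullable[datetime]] $RequestedExpiryUtc = $null,    # ExpirationDate attribute from MyID, if present
        [bool] $AttributeEndDateEnabled = $true              # is EDITF_ATTRIBUTEENDDATE set on the CA?
    )
    $caMaximumUtc = $IssuedUtc.AddYears($CaValidityYears)

    if ($null -ne $RequestedExpiryUtc -and $AttributeEndDateEnabled) {
        if ($RequestedExpiryUtc.Value -gt $caMaximumUtc) {
            # Section 3.9.1: a request longer than the CA permits is rejected.
            throw "Requested expiry $($RequestedExpiryUtc.Value) exceeds CA maximum $caMaximumUtc; the CA would reject this request."
        }
        # Section 3.9.2: ExpirationDate wins; ValidityPeriodUnits is ignored.
        return $RequestedExpiryUtc.Value
    }
    # No ExpirationDate (or flag not set): ValidityPeriodUnits applies.
    return $caMaximumUtc
}

# Constructed input mirroring the worked example in the text: device issued
# at 09:18:44 GMT on 03 May 2011 with a six-day lifetime.
$issued = [datetime]::new(2011, 5, 3, 9, 18, 44, [DateTimeKind]::Utc)
$device = $issued.AddDays(6)   # 09 May 2011 09:18:44 GMT

$expiry = Get-EffectiveCertificateExpiry -IssuedUtc $issued -CaValidityYears 2 -RequestedExpiryUtc $device
"Certificate NotAfter (UTC, CA precision): {0:dd/MM/yyyy HH:mm:ss.fff}" -f $expiry

# Section 3.9.2.1: the MMC Certification Authority snap-in shows local time to
# the minute. Under BST (UTC+1) the same instant appears as 09/05/2011 10:18,
# with the 44 seconds not shown at all.
$bst       = [TimeZoneInfo]::CreateCustomTimeZone('BST', [TimeSpan]::FromHours(1), 'BST', 'BST')
$localView = [TimeZoneInfo]::ConvertTimeFromUtc($expiry, $bst)
"As displayed in MMC (BST): {0:dd/MM/yyyy HH:mm}" -f $localView

# Without an ExpirationDate the CA default applies: two years from issue.
$default = Get-EffectiveCertificateExpiry -IssuedUtc $issued -CaValidityYears 2
"Default expiry when no ExpirationDate is sent: {0:dd/MM/yyyy HH:mm:ss}" -f $default
```

When comparing a certificate's NotAfter against the device expiry recorded in MyID, do the comparison in UTC at full precision; a value read off the MMC grid has already been shifted to local time and truncated to the minute, so it cannot be used to confirm that the two match to the second.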