Extending Root CA Certificate lifetime

如何檢是目前 CA 視為獨立CA 還是企業 CA?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{Your CA name}\CAType
CAType = 0 (This means it is installed as Enterprise Root CA)
CAType = 1 (This means it is installed as Enterprise Subordinate CA)
CAType = 3 (This means it is installed as Stand Alone CA)
CAType = 4 (This means it is installed as Stand Alone Subordinate CA)


To increase the Validity Period of the Enterprise Root CA.

1.CA server 本身的 生命期限
How to renew the CA certificate:

Go to the Certificate Authority and highlight the server name.
Right click and go to All Tasks. At the bottom is the option to renew CA certificate.
This will ask you to stop the Certificate Services. Select yes.
It brings up a dialog box with the option to generate a new public and private key. Select yes. 

It will now start the Certificate Services and your CA certificate will be renewed.
Go to start, run and type in mmc.
Go to the conosole and highlight Add/Remove Snap-in.

Click on the add button.  Then choose the Certificates snap-in. 
Add the snap-in for the Computer Account, hit the next button and select for the local computer and hit finish.


You should now have the console open for the certificates for the local computer.

Expand out the personal certificates.

Highlight the certificates on the left side and in the right pane it will show the certificates issued for the local CA.

You should now highlight the certificate with the expiration of 15 years.  (2024)

Double click on it to bring up the current certificate with the new expiration date.

Now you should be able to extend the length of time for a client certificate.

2.capolicy.inf 檔的日期比對
Create a new text file in notepad. Type it exactly like it is below.
However, you can change the validity period to whatever the number of years you want.  You are going to save the file as capolicy.inf under the %windir% directory.


Signature=”$Windows NT$”





Save it as a Capolicy.inf under the %windir% directory.

Then go back and renew your Stand Alone Certificate Authority.
Now you should be able to issue client certificates for the length of time in years that you want.


HOW TO:更改Windows 2000 憑證授權所發行的認證到期日期 (windows 2003適用)

如果我目前拿到的CA KEY 開始日為2000年1月
ValidityPeriod REG 打 year
ValidityPeriodUnits 打 10


Comments (1)

  1. Anonymous says:

    Data Protection Manager 2007 and protected servers open connections over TCP port 5718 and over TCP port 5719 to enable Data Protection Manager operations, such as synchronization and recovery. The current problem may occur on protected servers that are running the Microsoft Exchange System Attendant service. This service uses TCP ports dynamically. This service may take one or both of the required ports.

    Data Protection Manager 2007 also uses the following ports: