Extending Root CA Certificate lifetime

  • Article

如何檢是目前 CA 視為獨立CA 還是企業 CA?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ {Your CA name} \CAType
CAType = 0 (This means it is installed as Enterprise Root CA)
CAType = 1 (This means it is installed as Enterprise Subordinate CA)
CAType = 3 (This means it is installed as Stand Alone CA)
CAType = 4 (This means it is installed as Stand Alone Subordinate CA)

clip_image002

GOAL:
=====
To increase the Validity Period of the Enterprise Root CA.

RESOLUTION:
===========
1.CA server 本身的 生命期限
How to renew the CA certificate:

Go to the Certificate Authority and highlight the server name.
Right click and go to All Tasks. At the bottom is the option to renew CA certificate.
clip_image004
This will ask you to stop the Certificate Services. Select yes.
clip_image006
It brings up a dialog box with the option to generate a new public and private key. Select yes. 
clip_image008

It will now start the Certificate Services and your CA certificate will be renewed.
Go to start, run and type in mmc.
Go to the conosole and highlight Add/Remove Snap-in.

clip_image010
Click on the add button.  Then choose the Certificates snap-in. 
clip_image012
Add the snap-in for the Computer Account, hit the next button and select for the local computer and hit finish.

clip_image014
clip_image016

You should now have the console open for the certificates for the local computer.

Expand out the personal certificates.

Highlight the certificates on the left side and in the right pane it will show the certificates issued for the local CA.

You should now highlight the certificate with the expiration of 15 years.  (2024)

Double click on it to bring up the current certificate with the new expiration date.

Now you should be able to extend the length of time for a client certificate.
clip_image018

2.capolicy.inf 檔的日期比對
Create a new text file in notepad. Type it exactly like it is below.
However, you can change the validity period to whatever the number of years you want.  You are going to save the file as capolicy.inf under the %windir% directory.

[Version]

Signature="$Windows NT$"

[Certsrv_Server]

RenewalKeyLength=4096

RenewalValidityPeriod=Years

RenewalValidityPeriodUnits=20

Save it as a Capolicy.inf under the %windir% directory.

clip_image020
Then go back and renew your Stand Alone Certificate Authority.
Now you should be able to issue client certificates for the length of time in years that you want.

clip_image022

3.client端所持憑證的到期日
HOW TO:更改Windows 2000 憑證授權所發行的認證到期日期 (windows 2003適用)
https://support.microsoft.com/default.aspx?scid=kb;zh-tw;254632

Sample為
======= 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSrv\Configuration\<CAname>
如果我目前拿到的CA KEY 開始日為2000年1月
那我想在2010年才讓它到期,我可以這樣改
ValidityPeriod REG 打 year
ValidityPeriodUnits 打 10
clip_image024