How to extend the validity period after the CA certificate expires

1. The lifetime of the CA server's own certificate

How to renew the CA certificate:

Go to the Certificate Authority and highlight the server name.

Right click and go to All Tasks. At the bottom is the option to renew CA certificate.

This will ask you to stop the Certificate Services. Select yes. It brings up a dialog box with the option to generate a new public and private key. Select yes. 

It will now start the Certificate Services and your CA certificate will be renewed. Go to start, run and type in mmc.

Go to the Console menu and highlight Add/Remove Snap-in.

Click the Add button, then choose the Certificates snap-in.

Add the snap-in for the Computer Account, hit the next button and select for the local computer and hit finish.

You should now have the console open for the certificates for the local computer.

The CA server issues certificates (such as this web server's certificate) with a default validity of two years. If you want certificates issued for a specific number of years instead, all three of the following conditions must allow it:
1. The validity of the Root CA certificate, that is, how much time remains before it expires
2. The validity period defined in the certificate template
3. The maximum validity period set in the CA's registry values
The smallest of these three limits wins; a certificate is only issued and works correctly within that limit.
1. Check the Root CA certificate's validity period
Open Certification Authority (CA), right-click the Root CA and choose Properties. On the [General] tab you will see the CA certificate "Certificate #0". Click [View Certificate] to see the current certificate information, including the issue and expiry dates.
How to check whether the current CA is a stand-alone CA or an enterprise CA:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ {Your CA name} \CAType
CAType = 0 (This means it is installed as Enterprise Root CA)
CAType = 1 (This means it is installed as Enterprise Subordinate CA)
CAType = 3 (This means it is installed as Stand Alone CA)
CAType = 4 (This means it is installed as Stand Alone Subordinate CA)
2. Add a new template and specify the validity period

How to create a new certificate template

Open MMC, add the [Certificate Templates] snap-in and select Certificate Templates. The right pane lists all the built-in templates. Create the template for the certificate type you need here; using [Code Signing] as an example, right-click it and choose [Duplicate Template].

Give the template a display name. Here you can also define the validity period and related settings.

You also need to set the security settings for this template. For example, if the certificate is to be issued to Domain Users, grant that group [Read] and [Enroll] permissions.

Once the settings are complete, the new template appears under [Certificate Templates].

How to publish the new template

Using MMC, open [Certification Authority]. Under your CA server you will see [Certificate Templates]; right-click it and choose [New] \ [Certificate Template to Issue].

3. Set the CA server registry values (see KB 254632: https://support.microsoft.com/kb/254632/en-us)
To change the validity period settings for a CA, follow these steps.

1. Click Start, and then click Run.

2. In the Open box, type regedit, and then click OK.

3. Locate, and then click the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>

4. In the right pane, double-click ValidityPeriod.

5. In the Value data box, type one of the following, and then click OK:

o Days

o Weeks

o Months

o Years

6. In the right pane, double-click ValidityPeriodUnits.

7. In the Value data box, type the numeric value that you want, and then click OK. For example, type 2.

8. Stop, and then restart the Certificate Services service. To do so:

a. Click Start, and then click Run.

b. In the Open box, type cmd, and then click OK.

c. At the command prompt, type the following lines. Press ENTER after each line.

net stop certsvc
net start certsvc

d. Type exit to quit Command Prompt.
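As an added example (not part of the original post or of KB 254632), the PowerShell function below reads the three limits described above from the CA server: the remaining lifetime of the CA's own certificate, the template validity (passed in as a parameter, since it lives in the template's General tab), and the ValidityPeriod / ValidityPeriodUnits registry values, and reports which one binds. It assumes the CA records its certificate thumbprints in the CACertHash registry value and keeps the certificate in the machine's Personal store; the function name is hypothetical.

```powershell
# Added example (not from the original post): compute the effective maximum
# validity a CA can issue, i.e. the smallest of the three limits described above.
# Run in an elevated PowerShell on the CA server.
function Get-EffectiveCAValidity {
    param(
        # Assumed: a single CA configuration exists under CertSvc\Configuration.
        [string]$CAName = (Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' |
                           Select-Object -First 1 -ExpandProperty PSChildName),
        # Validity granted by the template (General tab), in days; read it by hand.
        [int]$TemplateValidityDays = 365
    )
    $cfg = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"

    # CAType values as listed above.
    $caTypes = @{ 0 = 'Enterprise Root CA'; 1 = 'Enterprise Subordinate CA'
                  3 = 'Stand Alone CA';     4 = 'Stand Alone Subordinate CA' }

    # Limit 3: ValidityPeriod / ValidityPeriodUnits (KB 254632), normalised to days.
    $unitDays = @{ Days = 1; Weeks = 7; Months = 30; Years = 365 }
    $registryDays = [int]$cfg.ValidityPeriodUnits * $unitDays[[string]$cfg.ValidityPeriod]

    # Limit 1: days left on the CA's own certificate. Assumed: the CA records its
    # certificate thumbprints in the CACertHash value (newest last) and the
    # certificate sits in the machine's Personal store.
    $hash   = ([string[]]$cfg.CACertHash | Select-Object -Last 1) -replace '\s', ''
    $caCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -ieq $hash }
    if (-not $caCert) { throw "CA certificate with thumbprint $hash not found in Cert:\LocalMachine\My" }
    $caRemainingDays = [int][math]::Floor(($caCert.NotAfter - (Get-Date)).TotalDays)

    $limits = [ordered]@{
        CARemainingDays = $caRemainingDays
        TemplateDays    = $TemplateValidityDays
        RegistryDays    = $registryDays
    }
    $effective = ($limits.Values | Measure-Object -Minimum).Minimum
    [pscustomobject]@{
        CAName          = $CAName
        CAType          = $caTypes[[int]$cfg.CAType]
        CAExpires       = $caCert.NotAfter
        CARemainingDays = $caRemainingDays
        TemplateDays    = $TemplateValidityDays
        RegistryDays    = $registryDays
        EffectiveDays   = $effective
        # Which of the three limits is the one actually capping issued certificates.
        BindingLimit    = ($limits.GetEnumerator() | Where-Object Value -eq $effective | Select-Object -First 1).Key
    }
}

Get-EffectiveCAValidity -TemplateValidityDays 730 | Format-List
```

If BindingLimit reports CARemainingDays, renewing the CA certificate (section 1) is what is needed; if it reports RegistryDays, changing ValidityPeriodUnits alone will not help until the template and CA certificate also allow the longer period.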