This article is a short post on how to increase both the validity time of the Root CA certificate and certificates issued either directly from the Root CA or from a Subordinate CA (issuing CA) on Windows Servers running the Certificate Services.
I reinstall my lab environment from time to time and have had to deal with too short a validity period for these two use cases in some scenarios, so this article is just me quickly going through how to fix this.
!! Do note that changing the validity period for your Root CA requires you to regenerate your Root CA certificate for the changes to take effect, making the previous one invalid. Do not do this lightly in production environments that are already up and running !!
By default, the Root CA certificate in Microsoft’s Certificate Services is only valid for 5 years and issued certificates from the Root CA (or sub-CAs) are only valid for 2 years.
Changing your Root CA server every 5 years is probably a huge task for most environments and most deployments tend to increase the validity time of the Root CA certificate significantly when the Root CA server is initially installed.
As for issued certificates only lasting 2 years, while this is a valid best practice for security reasons, there might be a time when you want to issue a certificate that lasts longer, for various reasons.
Using the solutions below, we will fix both of these problems.
Since Root CA servers are supposed to exist for a very, very long time and not really do any more work after issuing sub-CA certificates for the sub-CAs who will actually spend time issuing certificates, it is wise to set the validity period of the Root CA certificate to maybe 20 years or so.
Create a file named “CAPolicy.inf” and place it in the folder C:\Windows\ on your Root CA.
Use the following parameters to set the validity period for the Root CA certificate to 20 years.
[Version]
Signature = "$Windows NT$"
[certsrv_server]
RenewalValidityPeriodUnits = 20
RenewalValidityPeriod = years