Change the certificate validity period from the default of one year (239539)



The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Internet Information Server 4.0
  • Microsoft Certificate Server 1.0

This article was previously published under Q239539
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

SUMMARY

Certificate Services in Windows Server 2003 and in Windows 2000 Server

For Microsoft Windows Server 2003 or for Microsoft Windows 2000 Server, the validity period for the Root certification authority (CA) certificate in Certificate Services is configured during the Setup process for Certificate Services. The following certificates are valid for up to five years. However, these certificates are never valid longer than the Root CA certificate is valid.
  • Subordinate CA
  • Internet Protocol Security
  • Enrollment Agent
  • Domain Controller
All other certificates are valid for up to one year. However, they are never valid longer than the Root CA certificate is valid.
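The rule above for Windows Server 2003 and Windows 2000 Server, modelled as an added example (not Microsoft code): the lifetime is the per-type maximum clamped to the CA certificate's expiry, plus the last issue date at which a type still receives its full term. The function names, the dates and the "Web Server" label (standing in for "all other certificates") are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Types the article lists as valid for up to five years; all others get one year.
FIVE_YEAR_TYPES = {
    "Subordinate CA",
    "Internet Protocol Security",
    "Enrollment Agent",
    "Domain Controller",
}


def add_years(moment, years):
    """Shift by whole calendar years; Feb 29 falls back to Feb 28."""
    try:
        return moment.replace(year=moment.year + years)
    except ValueError:
        return moment.replace(year=moment.year + years, day=28)


def max_years(cert_type):
    return 5 if cert_type in FIVE_YEAR_TYPES else 1


def effective_expiry(cert_type, issued_at, ca_not_after):
    """Return (not_after, truncated) for a certificate issued at issued_at."""
    if issued_at >= ca_not_after:
        raise ValueError("CA certificate has already expired")
    full_term = add_years(issued_at, max_years(cert_type))
    # An issued certificate is never valid longer than the CA certificate.
    not_after = min(full_term, ca_not_after)
    return not_after, not_after < full_term


def last_full_term_issue(cert_type, ca_not_after):
    """Latest issue date at which this type still gets its full lifetime."""
    return add_years(ca_not_after, -max_years(cert_type))


if __name__ == "__main__":
    # Constructed dates: a CA certificate with two years left.
    ca_end = datetime(2008, 3, 20, tzinfo=timezone.utc)
    today = datetime(2006, 3, 20, tzinfo=timezone.utc)
    for kind in ("Domain Controller", "Web Server"):
        end, cut = effective_expiry(kind, today, ca_end)
        print(kind, end.date(), "truncated" if cut else "full term",
              "| full term only if issued by",
              last_full_term_issue(kind, ca_end).date())
```

Once the current date passes the value returned by `last_full_term_issue`, every new certificate of that type is issued with a shortened lifetime until the CA certificate is renewed.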

Microsoft Certificate Server 1.0

By default, certificates that Microsoft Certificate Server 1.0 issues are valid for one year. The validity period of a root Microsoft Certificate Server CA certificate is five years for Certificate Server 1.0. The validity period of a non-root Microsoft Certificate Server CA certificate is controlled by the issuing CA. Certificates that your Certificate Server issues will expire no later than the same time that your CA certificate expires.

For example, if there are only two years left on your CA certificate, issued certificates will be valid for no more than two years, even if you set the registry to issue five-year certificates.

REFERENCES

For more information about how to change the expiration date of certificates that are issued by a Windows Server 2003 CA or by a Windows 2000 Server CA, click the following article number to view the article in the Microsoft Knowledge Base:

254632 How to change the expiration date of certificates that are issued by a Windows Server 2003 or a Windows 2000 Server certificate authority


Modification Type: Minor
Last Reviewed: 3/20/2006
Keywords: kbhowto KB239539