Microsoft Standalone CA - Set expiration date of an individual request

Posted by Hall72215 on Server Fault
Published on 2012-06-21T14:58:21Z Indexed on 2012/06/21 15:17 UTC

I have set up a Microsoft Standalone CA on 2008 R2 as a root CA. I'm trying to set up a subordinate Enterprise CA. I generated the certificate request, and submitted it to the root CA. Then, I ran the following command to set the expiration date to 20 years (the request ID is 5):

certutil -setattributes 5 "ValidityPeriod:Years\nValidityPeriodUnits:20"

Then, I approved the request, but it failed. The Request Status Code is:

The specified time is invalid. 0x8007076d (WIN32: 1901)

The Request Disposition Message is:

Denied by Policy Module  0x8007076d, The requested validity period is invalid.
Confirm that the validity period or expiration data and time specified in the request
does not extend beyond the validity period of the CA certificate, the certificate 
template, and the CA.  The validity period of the CA can be verified by running the 
following commands: certutil -getreg ca\validityPeriod 
                  & certutil -getreg ca\ValidityPeriodUnits

The validity period of the CA certificate is 40 years (expires in 2052). The template condition doesn't apply since this is a standalone CA. The result of those commands is Years and 1, respectively.

It appears that I will need to change the CA's validityPeriod and validityPeriodUnits. But, I want to keep the default expiration for a request at 1 year. Is there a way to set a maximum and default expiration, or am I going to have to change it, issue the certificate, and then change it back?
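
The change-issue-restore sequence the question describes, as an added example that is not part of the original post: it raises the CA-wide limit, resubmits the failed request, and restores the previous values even if the resubmit fails. It assumes an elevated PowerShell prompt on the root CA; the request ID 5 and the 20-year value come from the post, and the variable names are illustrative.

```powershell
# Added example, not from the original post. Run elevated on the root CA.
$RequestId = 5     # request ID from the post
$TempUnits = 20    # temporary CA-wide limit, in years

# The active CA's settings live under CertSvc\Configuration\<CA name>.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active
$caKey   = Join-Path $cfgRoot $caName

# Record the current values so they can be restored exactly.
$before    = Get-ItemProperty -Path $caKey
$oldPeriod = $before.ValidityPeriod
$oldUnits  = $before.ValidityPeriodUnits
Write-Host "Current CA limit: $oldUnits $oldPeriod"

try {
    # Raise the limit; the CA only reads these values at service start.
    certutil -setreg CA\ValidityPeriod Years | Out-Null
    certutil -setreg CA\ValidityPeriodUnits $TempUnits | Out-Null
    Restart-Service -Name CertSvc

    # Resubmit the request that the policy module denied earlier.
    certutil -resubmit $RequestId
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil -resubmit exited with code $LASTEXITCODE"
    }
}
finally {
    # Always put the original limit back, even if the resubmit failed.
    certutil -setreg CA\ValidityPeriod $oldPeriod | Out-Null
    certutil -setreg CA\ValidityPeriodUnits $oldUnits | Out-Null
    Restart-Service -Name CertSvc

    $after = Get-ItemProperty -Path $caKey
    if ($after.ValidityPeriodUnits -ne $oldUnits -or
        $after.ValidityPeriod -ne $oldPeriod) {
        Write-Warning "CA limit was not restored to $oldUnits $oldPeriod"
    } else {
        Write-Host "CA limit restored to $oldUnits $oldPeriod"
    }
}
```

While the raised value is in effect it applies to every certificate the CA issues, so no other pending request should be approved until the restore step has completed.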
