The following are assumed in this scenario:
- The root server is a standalone (off the domain) root CA server
- The issuing server is an enterprise (on the domain) issuing CA server
By default, the issuing CA server's certificate is valid for one year. The root CA controls this validity period, and its default setting is one year.
This can be verified on the root CA server:
Open PowerShell as admin:
Certutil -getreg CA\ValidityPeriodUnits
Certutil -getreg CA\ValidityPeriod
To change the issuing server’s certificate validity period to 5 years:
On the root standalone CA:
Open PowerShell as admin
Certutil -setreg CA\ValidityPeriodUnits 5
If ValidityPeriod is already set to Years, the next command is not needed, but just in case:
Certutil -setreg CA\ValidityPeriod "Years"
For good measure:
restart-service certsvc
Verify the settings are what you want them to be:
Certutil -getreg CA\ValidityPeriodUnits
Certutil -getreg CA\ValidityPeriod
When you renew the enterprise issuing server’s certificate, it should be good for 5 years. Verify this by looking at the certificate properties.
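A CA does not issue a certificate that outlives its own CA certificate, so the 5-year setting only takes full effect if the root certificate has more than 5 years left. The script below is an added example, not part of the original procedure: run on the root CA, it reads the two values set above and compares them with the root certificate's expiry. It assumes the standard Certificate Services registry layout (the Active and CACertHash values under the CertSvc Configuration key) and that the root certificate is in the LocalMachine\My store.

```powershell
# Added example: run in an elevated PowerShell session on the standalone root CA.
# Assumption: standard CertSvc registry layout; 'Active' holds the CA's name.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -LiteralPath $cfg -Name Active).Active
$ca     = Get-ItemProperty -LiteralPath (Join-Path $cfg $caName)

# The same two values that Certutil -getreg reports.
$units  = [int]$ca.ValidityPeriodUnits
$period = [string]$ca.ValidityPeriod
"Configured issuance validity: $units $period"

# Latest expiry date a certificate issued right now could receive from the setting.
$now = Get-Date
$requested = switch ($period) {
    'Years'  { $now.AddYears($units) }
    'Months' { $now.AddMonths($units) }
    'Weeks'  { $now.AddDays(7 * $units) }
    'Days'   { $now.AddDays($units) }
    default  { throw "Unhandled ValidityPeriod value: $period" }
}

# CACertHash lists the CA certificate thumbprints, oldest first.
# Take the last real entry (the current CA certificate) and strip spaces.
$thumb = ($ca.CACertHash | Where-Object { $_ -and $_ -ne '-' } |
          Select-Object -Last 1) -replace '\s', ''
$rootCert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $thumb }
if (-not $rootCert) {
    throw "Root CA certificate $thumb not found in LocalMachine\My"
}
"Root CA certificate expires:  $($rootCert.NotAfter)"

if ($requested -gt $rootCert.NotAfter) {
    $left = [math]::Round(($rootCert.NotAfter - $now).TotalDays)
    Write-Warning ("Setting asks for $units $period, but the root certificate " +
                   "expires in $left days. The issuing CA certificate will be " +
                   "cut off at the root's expiry; renew the root first.")
} else {
    "OK: a certificate issued today can run until $requested."
}
```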