
To extend the validity period of an Enterprise Root CA

Step1: Open Command Prompt as an Administrator, check the current CA validity period, and then change it.

certutil -getreg ca\ValidityPeriod

certutil -getreg ca\ValidityPeriodUnits

certutil -setreg ca\ValidityPeriod Years

certutil -setreg ca\ValidityPeriodUnits 10

Step2: Set the CA renewal validity period in CAPolicy.inf to match the CA validity period.

[Version]

Signature="$Windows NT$"

[PolicyStatementExtension]

Policies = AllIssuancePolicy

Critical = FALSE

[AllIssuancePolicy]

OID = 2.5.29.32.0

[Certsrv_Server]

RenewalKeyLength=2048

RenewalValidityPeriod=Years

RenewalValidityPeriodUnits=10

Note: the CA validity period and the CA renewal validity period should be the same; here both are set to 10 years.

Step3:

If you do not want to renew the certificate key, restart the CA service with the commands below.

net stop certsvc

net start certsvc

If you want to renew the key, do not restart the CA service; follow Step4 to generate the certificate instead.

Step4:

1. To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.
2. In the console tree, click the name of the certification authority (CA): select Certification Authority (Computer)/CA name.
3. On the Action menu, point to All Tasks, and click Renew CA Certificate.
4. Do one of the following:
a. If you want to generate a new public and private key pair for the certification authority's certificate, click Yes.
b. If you want to reuse the current public and private key pair for the certification authority's certificate, click No.
5. Right-click Certification Authority (Computer)/CA name, click Properties > General tab > select Certificate #1 > View Certificate, and check that the expiry date matches the CAPolicy.inf setting above.

Step5:

After generating the new root CA certificate, copy it to the AIA URL location so that clients can download it for verification.
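As an added check (not part of the original procedure), this PowerShell script, run in an elevated session on the Root CA, reads the two registry values set in Step1 and the two CAPolicy.inf values set in Step2, reports whether they agree as the note requires, and prints the lifetime of the CA's newest certificate instead of reading it from the GUI in Step4. It assumes the default CAPolicy.inf location %SystemRoot%\CAPolicy.inf and the standard CertSvc registry layout.

```powershell
# Added example, not part of the original procedure. Assumes CAPolicy.inf lives at
# %SystemRoot%\CAPolicy.inf and the standard CertSvc registry layout.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$caKey  = Join-Path $cfg $caName

# Step1 values (certutil -setreg ca\ValidityPeriod ...): the longest lifetime this CA
# will put on a certificate it issues
$regPeriod = (Get-ItemProperty -Path $caKey -Name ValidityPeriod).ValidityPeriod
$regUnits  = [int](Get-ItemProperty -Path $caKey -Name ValidityPeriodUnits).ValidityPeriodUnits

# Step2 values: lifetime of the CA's own certificate the next time it is renewed
$infPeriod = $null; $infUnits = $null; $section = ''
foreach ($line in Get-Content (Join-Path $env:SystemRoot 'CAPolicy.inf')) {
    $t = $line.Trim()
    if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($section -eq 'Certsrv_Server' -and $t -match '^(\w+)\s*=\s*(.+)$') {
        switch ($Matches[1]) {
            'RenewalValidityPeriod'      { $infPeriod = $Matches[2].Trim() }
            'RenewalValidityPeriodUnits' { $infUnits  = [int]$Matches[2].Trim() }
        }
    }
}

# The note in Step2: both settings should agree (10 Years on the root)
$consistent = ($regPeriod -eq $infPeriod) -and ($regUnits -eq $infUnits)
"Registry  : ValidityPeriod=$regPeriod, ValidityPeriodUnits=$regUnits"
"CAPolicy  : RenewalValidityPeriod=$infPeriod, RenewalValidityPeriodUnits=$infUnits"
"Consistent: $consistent"

# Step4 item 5 without the GUI: the CA service records the hash of each of its
# certificates in CACertHash; the last entry is the newest (renewed) one
$hash   = @((Get-ItemProperty -Path $caKey -Name CACertHash).CACertHash)[-1] -replace ' ', ''
$caCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
$years  = ($caCert.NotAfter - $caCert.NotBefore).TotalDays / 365.25
"CA cert   : expires $($caCert.NotAfter.ToString('u')), lifetime {0:N1} years" -f $years
```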

To extend the validity period of an Enterprise Subordinate CA Server

Step1:

1. Copy the CRL and the newly generated Root CA certificate file to the issuing CA from
c:\windows\system32\certve\GOHROOTCA_ROOTCA.crt and the CRL rootca.crl
2. Publish the Root CA certificate to Active Directory.
Open a command prompt, change to the directory where you copied the .crt and .crl files, and run the commands below.
Publish CRL: certutil -dspublish -f <CRLFile> <CAName>
certutil.exe -dsPublish -f "C:\DAKSHU-ROOT.crl" RootCA
Publish CA certificate: certutil -dspublish -f <CACertificateName> <CAName>
certutil.exe -dsPublish -f "C:\RootCA_Dakshu Root Certificate Authority.crt" RootCA
3. Add the Root CA certificate and CRL to the local store.
Finally, you need to add the Root CA certificate and CRL to the local certificate stores.
On the issuing CA server, enter the following in an elevated command prompt:
certutil.exe -addstore -f root "C:\RootCA_Dakshu Root Certificate Authority.crt"
certutil.exe -addstore -f root "C:\DAKSHU-ROOT.crl"

Step2: Open Command Prompt as an Administrator, check the current CA validity period, and then change it.

certutil -getreg ca\ValidityPeriod

certutil -getreg ca\ValidityPeriodUnits

certutil -setreg ca\ValidityPeriod Years

certutil -setreg ca\ValidityPeriodUnits 10

Step3: Set the CA renewal validity period in CAPolicy.inf to match the CA validity period.

[Version]

Signature="$Windows NT$"

[PolicyStatementExtension]

Policies = AllIssuancePolicy
Critical = FALSE

[AllIssuancePolicy]

OID = 2.5.29.32.0

[Certsrv_Server]

RenewalKeyLength=2048

RenewalValidityPeriod=Years

RenewalValidityPeriodUnits=5

Step4:

If you do not want to renew the certificate key, restart the CA service with the commands below.

net stop certsvc

net start certsvc

If you want to renew the key, do not restart the CA service; follow Step5 to generate the certificate instead.

Step5:

1. To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.
2. In the console tree, click the name of the certification authority (CA): select Certification Authority (Computer)/CA name.
3. On the Action menu, point to All Tasks, and click Renew CA Certificate.
4. Do one of the following:
a. If you want to generate a new public and private key pair for the certification authority's certificate, click Yes.
b. If you want to reuse the current public and private key pair for the certification authority's certificate, click No.
5. If a parent CA is available online:
a. Click Send the request directly to a CA already on the network.
b. In Computer Name, type the name of the computer on which the parent CA is installed.
c. In Parent CA, click the name of the parent CA.
6. If the Root CA is offline or not a member of the domain:
a. Click Save the request to a file.
b. In Request file, type the path and file name of the file that will store the request.
c. Obtain this subordinate CA's certificate from the root CA.
7. Open Certification Authority and click the name of the CA: Certification Authority (Computer)/CA name.
8. On the Action menu, point to All Tasks, and then click Install CA Certificate.
9. Locate the certificate file received from the parent certification authority, click this file, and then click Open.
10. Right-click Certification Authority (Computer)/CA name, click Properties > General tab > select Certificate #1 > View Certificate, and check that the expiry date matches the CAPolicy.inf setting above.
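As an added check after Step5 (not part of the original procedure), this PowerShell script, run in an elevated session on the subordinate CA, confirms that the root certificate copied in Step1 is in the machine Root store, that the renewed subordinate CA certificate chains to that root with revocation checked against the published CRL, and that its validity does not extend past the root's (the parent's ValidityPeriod from its Step1 sets the renewed subordinate certificate's lifetime, capped by the parent's own remaining validity). The path in $rootCertFile is the one used in Step1 and is an assumption; adjust it to your file name.

```powershell
# Added example, not part of the original procedure. $rootCertFile is the root
# certificate copied to this server in Step1 (assumed path; adjust as needed).
$rootCertFile = 'C:\RootCA_Dakshu Root Certificate Authority.crt'
$newRoot = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCertFile

# Newest certificate of this (subordinate) CA, from the hash list kept by the CA service
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$hash   = @((Get-ItemProperty -Path "$cfg\$caName" -Name CACertHash).CACertHash)[-1] -replace ' ', ''
$subCa  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }

# 1. Step1 item 3: the new root must be in the machine Root store (certutil -addstore root)
$inRootStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                      Where-Object { $_.Thumbprint -eq $newRoot.Thumbprint })

# 2. Step5 result: the renewed certificate must chain to the new root, and the chain
#    builder must find the CRL published in Step1 (revocation is checked for every
#    element except the self-signed root, which is the default RevocationFlag)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chainOk   = $chain.Build($subCa)
$anchor    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$statuses  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
$toNewRoot = $anchor.Thumbprint -eq $newRoot.Thumbprint

# 3. A subordinate certificate cannot outlive its issuer: the subordinate's validity
#    has to fit inside the root's 10 years
$fitsRoot = $subCa.NotAfter -le $newRoot.NotAfter

"New root in LocalMachine\Root : $inRootStore ($($newRoot.Thumbprint))"
"Subordinate cert              : $($subCa.Thumbprint), expires $($subCa.NotAfter.ToString('u'))"
"Chain builds                  : $chainOk, status: $(if ($statuses) { $statuses } else { 'NoError' })"
"Chains to the new root        : $toNewRoot"
"Expires no later than root    : $fitsRoot (root expires $($newRoot.NotAfter.ToString('u')))"
```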
