Alexander's Blog

Sharing knowledge with the global IT community since November 1, 2004

How to Issue a Certificate for Longer Than 2 Years in WS08


Issuing certificates for a long duration is not a common practice, and therefore Microsoft doesn’t allow the default Certificate Authority (CA) in Windows Server 2008 to issue a certificate for a period of longer than 2 years. If for some reason you decide to issue a certificate for longer than the default period, here’s what you need to do.

1. Create a V3 template with the expiration period of your choice for the certificate.


2. Use the CertUtil tool to configure the maximum allowed validity. For example, the following commands will configure the certificate validity for 5 years:

CertUtil -setreg CA\ValidityPeriodUnits 5
CertUtil -setreg CA\ValidityPeriod "Years"

3. Restart the certificate service (at the command prompt type “net stop certsvc” and then “net start certsvc” without the quotes).
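Steps 2 and 3 as a single script with before/after verification. This is an added example, not part of the original post. The `$Units` and `$Period` parameters are illustrative, and the CA certificate lookup by the `CommonName` registry value is an assumption about how the CA certificate is stored on your server.

```powershell
# Added example: run from an elevated PowerShell prompt on the CA server.
# $Units and $Period are illustrative parameters mirroring the 5-year example above.
param([int]$Units = 5, [string]$Period = 'Years')

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active    # the CA that certutil's "CA\" prefix refers to
$caKey  = Join-Path $cfg $caName

function Get-CaValidity {
    # Read the two values straight from the registry instead of parsing certutil output.
    $p = Get-ItemProperty -Path $caKey
    '{0} {1}' -f $p.ValidityPeriodUnits, $p.ValidityPeriod
}

Write-Host "Before: $(Get-CaValidity)"    # keep this value so the change can be rolled back

certutil -setreg CA\ValidityPeriodUnits $Units | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Setting ValidityPeriodUnits failed' }
certutil -setreg CA\ValidityPeriod $Period | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Setting ValidityPeriod failed' }

# Step 3: restart the service so the CA picks up the new values.
Restart-Service -Name certsvc

$after = Get-CaValidity
if ($after -ne "$Units $Period") { throw "Unexpected value after change: $after" }
Write-Host "After:  $after"

# A CA does not issue certificates that outlive its own CA certificate, so compare
# the requested lifetime with the CA certificate's expiry date.
# Assumption: the CA certificate is in LocalMachine\My with CN equal to CommonName.
$cn     = (Get-ItemProperty -Path $caKey).CommonName
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$cn*" } |
    Sort-Object NotAfter | Select-Object -Last 1
$end = switch ($Period) {
    'Days'   { (Get-Date).AddDays($Units) }
    'Weeks'  { (Get-Date).AddDays(7 * $Units) }
    'Months' { (Get-Date).AddMonths($Units) }
    'Years'  { (Get-Date).AddYears($Units) }
}
if ($caCert -and $caCert.NotAfter -lt $end) {
    Write-Warning "CA certificate expires $($caCert.NotAfter); issued certificates cannot run past that date."
}
```

The effective lifetime of an issued certificate is the shortest of the template validity from step 1, the registry value set here, and the remaining lifetime of the CA certificate.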

In Active Directory Certificate Services (AD CS), V3 certificate templates supersede the V1 and V2 certificate templates introduced in earlier versions of Windows and support the latest Windows Server 2008 CNG cryptographic algorithms. V3 templates also provide a more secure method for client validation of domain controllers, and can encrypt client and server AD CS–related communications.

NOTE: You must be running a WS08 CA in order to use V3 templates. Keep in mind that V3 templates can only be used by WS08/Windows Vista and later clients.
