Having a certificate template that would last for years is a requirements that’s become more of a need during these days due to the amount of time it takes to renew the servers which are certificate dependent.

Some servers would automatically be renewed their Certificate using GPO’s auto enrollment however when this doesn’t work or if you don’t like dealing with GPO and its headache then the best way to solve this is to create a template that would last for sometime and leave you at peace.

Note that having a long term certificate (10 years for example) is not a good practice since encryption algorithm changes over the time and security related issues rise up every now and then so if you decided to go with this article and create 10 years template for your servers, you will need to keep an eye on latest news related to certificates, encryption and signature algorithm so they are not exploitable.

To begin with this article, I will tell a small story of a company that had suffered production disasters due to this might look tiny kind of problem.

A company called AP have deployed Lync 2013 (Currently Skype for Business) and decided to use the default CA (Webserver) template which lasts for 2 years by default.

This company called me when their Lync servers were all down and PSTN calls were not going through so the first thing that came to my mind is to check Services and as soon as I saw services were not able to run I checked the eventlog’s Lync tab.

The errors were mostly referring to an expired certificate. upon renewing the certificates for all servers everything went back to normal but that took long downtime and delayed the company’s productivity.

Here came the idea of creating a long template which would last for 10 years, achieving this on Exchange is done through the following steps:


On CA Server Find and open the Certification Authority MMC

Right click on Certificate Templates and click Manage

clip_image001[4]

IN certificate templates console right click on Web Server and click Duplicate template

clip_image002[4]

Select Windows Server 2003 Enterprise

clip_image003[4]

clip_image004[4]

Enable “Allow private key to be exported”

clip_image005[4]

clip_image006[4]

Select Enroll for the Authenticated users

clip_image007[4]

Back to the Certificate Authority Console, Right click on Certificate Templates and click New -> Certificate template to issue and add the certificate template you created to the list.

clip_image008[4]

Web Server V2 is on top

clip_image009[4]

Let’s check it on Certserv IIS

clip_image010[4]

Certificate is generated for 5 years. The reason why the certificate is generated for 5 years is because the Certification Authority server’s Certificate is limited to 5 years.

So the CA certificate must be set to longer then the client’s requested Certificate limit.

clip_image011[4]

Certification Authority Issuing Certificate validity period extending

To change the Validity Period for the Root CA you can configure a CAPolicy.inf.  To create a CAPolicy.inf file that changes the lifietime of the certificate to 30 years, you would type the following into a text file, and save it with the name CAPolicy.inf in the

C:\Windows directory,:

[Version]

Signature= “$Windows NT$”

[Certsrv_Server]

RenewalValidityPeriod=Years

RenewalValidityPeriodUnits=30

From <http://blogs.technet.com/b/xdot509/archive/2013/06/06/operating-a-windows-pki-renewing-ca-certificates.aspx>

After this you will need to renew the CA certificate from the CA console : right click on your certification authority and choose All Tasks -> then choose -> Renew CA Certificate

clip_image012[4]

When you click on Renew CA certificate you will get the following prompt asking you to stop the CA to renew its Certificate, Click Yes

clip_image013[4]

Once you click on Yes the service will stop and you will get this window telling you if you would like to generate new public and private key it’s up to you to use a new or not but if you choose Yes the clients using the old Certificate might be provoked and you might need to install the new CA Certificate on all clients using GPO.

Click Ok

clip_image014[4]

After clicking OK you will see that you were able to generate the new CA Certificate and then you can issue clients certificates.

clip_image015[4]

In order to allow the CA to issue certificates that has longer than the default age (2 years) you must run the following command line on the CMD on the CA server.

clip_image016[4]

Run the certutil commands above to change the maximum lifetime of certs issued by the CA

certutil -setreg ca\validityperiodunits 30
certutil -setreg ca\validityperiod years
net stop certsvc net stop certsvc

Now when you try to generate a new certificate for your Exchange or any other app you should choose the new template which is 30 years valid.

clip_image018[4]

clip_image019[4]

Tags: , ,

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.