Issue
I created a Certificate Template to enable me to issue 5 year validity certificates to Skype for Business Servers, following the process detailed in this article.
When submitting requests to use the new Certificate Template, certificates continued to be issued for 2 years only.
Resolution
The Enterprise CA itself only issues certificates that are valid for a maximum of 2 years, regardless of the validity period set in the Certificate Template.
To determine the validity period unit and the number of units, run the following commands.
certutil.exe -getreg ca\ValidityPeriod
certutil.exe -getreg ca\ValidityPeriodUnits
In my example, it’s 2 years.
certutil.exe -getreg ca\ValidityPeriod
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\X500-X500INT-CA\ValidityPeriod:
ValidityPeriod REG_SZ = Years
CertUtil: -getreg command completed successfully.

certutil.exe -getreg ca\ValidityPeriodUnits
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\X500-X500INT-CA\ValidityPeriodUnits:
ValidityPeriodUnits REG_DWORD = 2
CertUtil: -getreg command completed successfully.
To change the validity period to 5 years, run the following command.
certutil.exe -setreg ca\ValidityPeriodUnits 5
SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\X500-X500INT-CA\ValidityPeriodUnits:
Old Value: ValidityPeriodUnits REG_DWORD = 2
New Value: ValidityPeriodUnits REG_DWORD = 5
CertUtil: -setreg command completed successfully
The CertSvc service may need to be restarted for changes to take effect.
Restart the Certificate Services service.
net stop certsvc
net start certsvc
5 year certificates can now be issued.
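The following read-only check is an added example, not part of the original post. It reads the same two registry values as the certutil commands above and reports whether the CA-wide ceiling, which applies to every template the CA issues from, would truncate a requested lifetime. It assumes an elevated PowerShell session on the CA server; `$DesiredYears` and the output property names are hypothetical.

```powershell
# Added example: audit the CA-wide validity ceiling against a desired lifetime.
# Makes no changes; it only reads the registry and reports.
param([int]$DesiredYears = 5)   # assumed input; 5 matches the goal in this post

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
# The "Active" value names the CA whose settings certutil's "ca\" prefix refers to.
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$cfg    = Get-ItemProperty -Path (Join-Path $base $caName)

$unit  = $cfg.ValidityPeriod             # REG_SZ, e.g. Years
$count = [int]$cfg.ValidityPeriodUnits   # REG_DWORD, e.g. 2

# Convert unit + count into a date so different units compare correctly.
$now     = Get-Date
$caLimit = switch ($unit) {
    'Years'  { $now.AddYears($count) }
    'Months' { $now.AddMonths($count) }
    'Weeks'  { $now.AddDays(7 * $count) }
    'Days'   { $now.AddDays($count) }
    'Hours'  { $now.AddHours($count) }
    default  { throw "Unhandled ValidityPeriod unit: $unit" }
}
$wanted    = $now.AddYears($DesiredYears)
$truncated = $caLimit -lt $wanted

# Suggest the change only when the CA ceiling is the limiting factor.
$fix = @()
if ($truncated) {
    if ($unit -ne 'Years') { $fix += 'certutil.exe -setreg ca\ValidityPeriod Years' }
    $fix += "certutil.exe -setreg ca\ValidityPeriodUnits $DesiredYears"
    $fix += 'net stop certsvc'
    $fix += 'net start certsvc'
}

[pscustomobject]@{
    CAName          = $caName
    CAValidity      = "$count $unit"
    CACeilingDate   = $caLimit
    DesiredEndDate  = $wanted
    WillBeTruncated = $truncated
    SuggestedFix    = $fix -join '; '
}
```

Running it again after the restart should show `WillBeTruncated` as `False`; because the ceiling is CA-wide, raising it lets any template with a longer configured validity issue longer-lived certificates, not only the new one.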
If you end up here because you ran something like the following:
certutil.exe -setreg ca\ValidityPeriodUnits=5
And got the following error:
Expected at least 2 args, received 1
CertUtil: Missing argument
It’s because you don’t need “=”; it should be a space, as detailed in this article.