07-24-2018 11:16 PM
Hi Team,
I'm testing issuing certificates for EAP-TLS, and found that the expiration TTL is always set to 2 years for the server cert.
When I configured certificate templates for client cert, I could set 3652 days at maximum.
But when I configured CSR for server certificate, I couldn't set the period.
As a result, the certificate for the server is always issued with a 2-year validity period, even though the MS CA template permits issuing a longer period.
Now my customer wants to issue client certs with the maximum 3652 days, so they want to issue the server cert with a similar period. How can I change the period? Does it require generating the privacy key in a different place?
07-25-2018 12:39 AM
Hi, go to certificates > system certificates > generate new self signed certificate.
Choose from the options what you will use it for: Admin portal, EAP authentication, etc.
Choose the period you want in Expiration TTL.
If you choose to use it for EAP-TLS, be sure that client machines have this certificate in their trust authority, otherwise authentication will fail.
07-25-2018 02:10 PM
If you are using MS CA to sign the CSR of an ISE server certificate, then the certificate template used in MS CA will determine how long it is good for and, of course, the root CA and any intermediate CA certificates need to be valid much longer than any end-entity certificates the MS CA service signs.
Usually we duplicate one of the existing certificate templates (e.g. Web Server), update the validity period, and then add it as a Certificate Template to Issue.
07-25-2018 05:34 PM
Thanks. As I stated in my 1st message, the template permits a longer period. I actually already set the value to 10 years, but it didn't work.
But anyway, I found the root cause of the issue. It was caused by a registry setting.
After changing the key "ValidityPeriodUnits" from 2 to 20, certificates began to come with the expected period (10 years).
Thanks so much for all the support!
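The registry check described in the post above, as an added example that is not part of the original thread: it reads the CA-wide `ValidityPeriod` / `ValidityPeriodUnits` cap on a Microsoft CA and compares it with the validity the template asks for. The variables `$wantedYears`, `$newCapUnits` and `$apply` are assumptions for illustration, and the day counts are approximations.

```powershell
# Added example: audit the CA-wide validity cap on a Microsoft CA.
# Run in an elevated PowerShell session on the CA server itself.

$wantedYears = 10      # assumption: validity configured in the certificate template
$newCapUnits = 20      # value the poster reports setting
$apply       = $false  # set to $true to write the registry value and restart the CA

# The active CA's settings live under Configuration\<CA name>.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$ca      = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

# Approximate conversion so the cap can be compared with the template value.
$daysPerUnit = @{ Years = 365; Months = 30; Weeks = 7; Days = 1 }
$unit = $ca.ValidityPeriod
if (-not $daysPerUnit.ContainsKey($unit)) {
    throw "Unexpected ValidityPeriod value '$unit' on CA '$caName'"
}
$capDays    = [int]$ca.ValidityPeriodUnits * $daysPerUnit[$unit]
$newCapDays = $newCapUnits * $daysPerUnit[$unit]
$wantedDays = $wantedYears * 365

"CA '{0}': ValidityPeriodUnits={1}, ValidityPeriod={2} (about {3} days)" -f `
    $caName, $ca.ValidityPeriodUnits, $unit, $capDays

if ($capDays -ge $wantedDays) {
    # The registry cap is not the limit; look at the template and at the
    # remaining lifetime of the CA certificate instead.
    "CA cap already allows $wantedYears years."
}
elseif ($newCapDays -lt $wantedDays) {
    "New cap of $newCapUnits $unit is still shorter than $wantedYears years; nothing changed."
}
elseif ($apply) {
    # Raise the cap; the CA service reads the value at start-up.
    certutil -setreg CA\ValidityPeriodUnits $newCapUnits
    Restart-Service -Name CertSvc
    "Cap raised to $newCapUnits $unit. Re-issue the server certificate."
}
else {
    "CA cap ($capDays days) is shorter than the template ($wantedDays days); issued certificates are truncated to the cap."
    "Re-run with `$apply = `$true to set ValidityPeriodUnits to $newCapUnits."
}
```

Certificates issued before the change keep their original expiry, so the ISE server certificate has to be requested again after the CA service restarts.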
07-28-2018 09:27 AM
Yes, you are correct on this. I've not been setting up MS CA recently so forgot all about it.
This MS Wiki explains it in more detail --