Hi Team,
I'm testing to issue certificates for EAP-TLS, and found expiration TTL is always set to 2 years for server cert.
When I configured certificate templates for client cert, I could set 3652 days at maximum.
But when I configured CSR for server certificate, I couldn't set the period.
As the result, certificate for server is always issued with 2 years valid period
even though MS CA template permits to issue longer period.
Now my customer wants to issue client cert with maximum 3652 days, so want to issue server cert with similar period. How can I change the period? Does it require generating privacy key on different place?
Accepted Solutions
If you are using MS CA to sign the CSR of an ISE server certificate, then the certificate template used in MS CA will determine how long it good for and, of course, the root CA and any intermediate CA certificates need to be valid much longer than any end-entity certificates the MS CA service signs.
Usually we duplicate one of existing certificate templates (e.g. Web Server), update the validity period, and then add it as a Certificate Template to Issue.
If you are using MS CA to sign the CSR of an ISE server certificate, then the certificate template used in MS CA will determine how long it good for and, of course, the root CA and any intermediate CA certificates need to be valid much longer than any end-entity certificates the MS CA service signs.
Usually we duplicate one of existing certificate templates (e.g. Web Server), update the validity period, and then add it as a Certificate Template to Issue.
Thanks. As I stated in 1st message, the template permits longer period. I actually already set the value to 10 years, but didn't work.
But anyway I found the root cause of the issue. It caused by registry setting.
After change the key "ValidityPeriodUnits" from 2 to 20. Certificate began to come with expected period (10 years).
Thanks so much for all supports!
