Extending or shortening the validity period of root certification authority certificates

With an existing public key infrastructure, you may find that the validity period chosen for the root certification authority certificate has turned out to be unsuitable. It may have been chosen too short (the default setting of Microsoft ADCS is only five years), or too long, which is not optimal from a security perspective.

When you renew the certification authority certificate, you may therefore want the new certificate to have a different validity period than the previous one.

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functions of the certification authority and enables the application of rules to achieve secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.

The root certification authority signs its own certificate. Its renewal settings are therefore not found in the registry, but in the file CAPolicy.inf, which is also read when a certification authority is installed.

The file is located in the Windows directory (%SystemRoot%), usually "C:\Windows\CAPolicy.inf".

If it does not exist, it must first be created.

The file must be saved with ANSI encoding. In the Windows ecosystem, "ANSI" refers to the code page Windows-1252 (Western European, commonly called Latin-1). A file saved as UTF-8 with a byte order mark will not be read correctly.

Option: RenewalKeyLength
Description: The key length in bits, if the renewal is carried out with a new key pair.
Example value: 4096

Option: RenewalValidityPeriod
Description: The time unit for the validity of the new certification authority certificate.
Example value: Years

Option: RenewalValidityPeriodUnits
Description: The number of time units for the validity of the new certification authority certificate.
Example value: 10

A minimal configuration file could therefore look like this:

[Version]
Signature= "$Windows NT$"

[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5

"RenewalValidityPeriod" and "RenewalValidityPeriodUnits" control how long the new certification authority certificate will be valid. When it is renewed, a certification authority certificate can therefore be given either a longer or a shorter validity period than before.

However, there is one special feature to note here: the expiry date of a renewed certification authority certificate can never be earlier than the expiry date of the previous one. The validity period, counted from the renewal date, can therefore be shortened, but only as long as the end date of the new certificate is not before that of the previous certificate.
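The following PowerShell script is an added example and is not part of the original article or of ADCS itself. It writes CAPolicy.inf with the renewal settings from the table above in Windows-1252 encoding, then compares the requested validity against the expiry date of the currently active CA certificate so that the constraint on the end date is checked before the renewal is started. The CA name "Contoso Root CA", the parameter names of the script and the way the current CA certificate is located (by its subject in the local machine store) are assumptions; the certutil command is the standard renewal command and is only executed when the -Renew switch is given.

```powershell
# Added example, not from the original article: prepare and check a root CA renewal.
# Run in an elevated PowerShell on the root CA. All names below are placeholders.
param(
    [string]$CaCommonName     = 'Contoso Root CA',  # assumed CA name
    [int]   $RenewalYears     = 10,
    [int]   $RenewalKeyLength = 4096,
    [switch]$Renew                                   # actually run certutil -renewCert
)

$infPath = Join-Path $env:SystemRoot 'CAPolicy.inf'

# Here-string is double-quoted so the parameters expand; the literal "$" in the
# Signature line must therefore be escaped with a backtick.
$infContent = @"
[Version]
Signature="`$Windows NT`$"

[certsrv_server]
RenewalKeyLength=$RenewalKeyLength
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=$RenewalYears
"@

# CAPolicy.inf must be ANSI (code page 1252). Writing the bytes with an explicit
# encoding avoids depending on the host locale or on a UTF-8 byte order mark.
$ansi = [System.Text.Encoding]::GetEncoding(1252)
[System.IO.File]::WriteAllText($infPath, $infContent, $ansi)
Write-Host "Wrote $infPath"

# Locate the current CA certificate in the local machine store (assumed lookup by subject).
$current = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaCommonName*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $current) {
    throw "No certificate with subject CN=$CaCommonName found in Cert:\LocalMachine\My"
}

# The renewed certificate may not expire before the current one.
$newNotAfter = (Get-Date).AddYears($RenewalYears)
if ($newNotAfter -lt $current.NotAfter) {
    throw ("Requested validity ends {0:yyyy-MM-dd}, before the current certificate's " +
           "expiry {1:yyyy-MM-dd}. Increase RenewalValidityPeriodUnits." -f
           $newNotAfter, $current.NotAfter)
}
Write-Host ("Current expiry {0:yyyy-MM-dd}, new expiry about {1:yyyy-MM-dd}: OK" -f
            $current.NotAfter, $newNotAfter)

if ($Renew) {
    # Without "ReuseKeys" a new key pair of RenewalKeyLength bits is generated.
    # The CA service is restarted by certutil as part of the renewal.
    certutil -renewCert
}
```

The check is deliberately done before certutil is invoked: the CA rejects a renewal whose end date would lie before the current expiry, so failing early with the two dates in the message saves a confusing error at renewal time. Use "certutil -renewCert ReuseKeys" instead if the existing key pair is to be kept.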
