Outlook anywhere
Hi
I need to set up Outlook Anywhere on Exchange Server 2007, but I need an SSL certificate that has an expiry date of more than 3 years.
I am using a CA 2008.
How can I increase the expiry date of a certificate issued by a CA 2008?
Thx
MCITP Enterprise Messaging Administrator, MCITP Enterprise Administrator, MCSE, MCDBA
January 13th, 2011 4:48pm
Hi, here is the answer:
This article describes how to change the validity period of a certificate that is issued by a Windows Server 2003 or a Windows 2000 Server Certificate Authority (CA).
By default, the lifetime of a certificate that is issued by a Stand-alone Certificate Authority CA is one year. After one year, the certificate expires and is not trusted for use. There may be situations when you have to override the default expiration date for certificates that are issued by an intermediate or an issuing CA.
The validity period that is defined in the registry affects all certificates that are issued by Stand-alone and Enterprise CAs. For Enterprise CAs, the default registry setting is two years. For Stand-alone CAs, the default registry setting is one year. For certificates that are issued by Stand-alone CAs, the validity period is determined by the registry entry that is described later in this article. This value applies to all certificates that are issued by the CA.
For certificates that are issued by Enterprise CAs, the validity period is defined in the template that is used to create the certificate. Windows 2000 and Windows Server 2003 Standard Edition do not support modification of these templates. Windows Server 2003 Enterprise Edition supports Version 2 certificate templates that can be modified. The validity period defined in the template applies to all certificates issued by any Enterprise CA in the Active Directory forest. A certificate that is issued by a CA is valid for the minimum of the following periods of time:
- The registry validity period that is noted earlier in this article.
  This applies to the stand-alone CA, and Subordinate CA certificates issued by the Enterprise CA.
- The template validity period.
  This applies to the Enterprise CA. Templates supported by Windows 2000 and Windows Server 2003 Standard Edition cannot be modified. Templates supported by Windows Server Enterprise Edition (Version 2 templates) do support modification.
  For an Enterprise CA, the validity period of an issued certificate is set to the minimum of all the following:
  - The registry validity period of the CA (example: ValidityPeriod == “Years”, ValidityPeriodUnits == 1)
  - The template validity period
  - The remaining validity period of the signing certificate of the CA
  - If the EDITF_ATTRIBUTEENDDATE bit is enabled in the policy module’s EditFlags registry value, the validity period specified through the request attributes (“ExpirationDate:Date” or “ValidityPeriod:Years\nValidityPeriodUnits:1”)
  Notes
  - The ExpirationDate:Date syntax was not supported until Windows Server 2008.
  - For a stand-alone CA, no templates are processed. Therefore, the template validity period does not apply.
- The expiration date of the CA certificate
  A CA cannot issue a certificate with a longer validity period than its own CA certificate.
For more information about certificate templates, see the "Implementing and Administering Certificate Templates in Windows Server 2003" white paper. To do this, visit the following Web site:
http://technet2.microsoft.com/WindowsServer/en/library/c25f57b0-5459-4c17-bb3f-2f657bd23f781033.mspx?mfr=true
Note The Request Attribute name is made up of value string pairs that accompany the request and that specify the validity period. By default, this is enabled by a registry setting on a Standalone CA only.
To Change the Expiration Date of Certificates That Are Issued by a Windows Server 2003 or a Windows 2000 Server Certificate Authority
To change the validity period settings for a CA, follow these steps.
Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows
1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate, and then click the following registry key:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>
4. In the right pane, double-click ValidityPeriod.
5. In the Value data box, type one of the following, and then click OK:
   Days
   Weeks
   Months
   Years
6. In the right pane, double-click ValidityPeriodUnits.
7. In the Value data box, type the numeric value that you want, and then click OK. For example, type 2.
8. Stop, and then restart the Certificate Services service. To do so:
   a. Click Start, and then click Run.
   b. In the Open box, type cmd, and then click OK.
   c. At the command prompt, type the following lines. Press ENTER after each line.
      net stop certsvc
      net start certsvc
   d. Type exit to quit Command Prompt.
Regards
Ron
January 14th, 2011 10:19am
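Added example (not part of the original posts or the quoted Microsoft article): a simplified Python model of the "minimum of" rule described in the answer above, showing which limit ends up deciding a certificate's expiry. The function names and all dates and periods are constructed for illustration.

```python
import calendar
from datetime import datetime, timedelta

def add_period(start, unit, units):
    """Add a ValidityPeriod/ValidityPeriodUnits pair to a datetime."""
    if unit == "Days":
        return start + timedelta(days=units)
    if unit == "Weeks":
        return start + timedelta(weeks=units)
    if unit in ("Months", "Years"):
        months = units * (12 if unit == "Years" else 1)
        year, month0 = divmod(start.year * 12 + start.month - 1 + months, 12)
        # Clamp the day so that e.g. 31 January + 1 month gives the last day of February.
        day = min(start.day, calendar.monthrange(year, month0 + 1)[1])
        return start.replace(year=year, month=month0 + 1, day=day)
    raise ValueError(f"unsupported ValidityPeriod: {unit!r}")

def effective_not_after(issued, registry, ca_not_after, template=None,
                        requested=None, attribute_end_date=False):
    """Return (expiry, limiting_factor) under the 'minimum of' rule."""
    limits = {
        "registry": add_period(issued, *registry),
        "ca_certificate": ca_not_after,  # issued certificates cannot outlive the CA certificate
    }
    if template is not None:  # Enterprise CA; a stand-alone CA processes no template
        limits["template"] = add_period(issued, *template)
    if requested is not None and attribute_end_date:  # EDITF_ATTRIBUTEENDDATE enabled
        limits["request_attribute"] = add_period(issued, *requested)
    factor = min(limits, key=limits.get)
    return limits[factor], factor

# Constructed sample values, not taken from the thread.
ISSUED = datetime(2011, 1, 14)
CA_NOT_AFTER = datetime(2013, 6, 1)

if __name__ == "__main__":
    # Enterprise CA: registry raised to 5 years, template still 2 years.
    print(effective_not_after(ISSUED, ("Years", 5), CA_NOT_AFTER, template=("Years", 2)))
    # Stand-alone CA: registry raised to 5 years, CA certificate expires first.
    print(effective_not_after(ISSUED, ("Years", 5), CA_NOT_AFTER))
```

In both sample cases the registry value is not the deciding limit, so raising ValidityPeriodUnits alone would not lengthen the issued certificate.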
I am using a CA 2008 not 2003 or 2000
MCITP Enterprise Messaging Administrator, MCITP Enterprise Administrator, MCSE, MCDBA
January 14th, 2011 3:01pm
Hi Elie,
Did you test by following the steps above?
Windows 2008 is almost the same as Windows 2003.
Regards!
Gavin
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
January 20th, 2011 4:31am