Certificate Template Validity Period
We have Windows Server 2003 Enterprise running MS Certificate Services. We had created some templates with a 3 year validity period when we were using the 5 year issuing CA cert. We could only get those certs to issue 2 year certs. We found out that templates can only be issued with half life on issuing CA cert. So when we reached the half life of our issuing CA cert (5 year cert), we renewed the issuing CA cert with 6 years life. We then tried to issue new certs using the templates with 3 year validity period and the issuing CA using 6 year validity period. We still only get a 2 year cert for those templates. I am able to create a new template with 3 year life and get issued a 3 year cert. I checked the registry for the template cache for the original templates and see the validity period (3) is the same value as a new 3 year template created using the 6 year issuing CA cert. I modified the cert templates and changed the validity period but still only a 2 year cert gets issued. I made a copy of the templates we created and set the validity period to 3 years. The templates issue 2 year certs. Is there another value that needs to be changed to make those templates issue a 3 year cert, or is it necessary to create new templates?
July 23rd, 2010 10:23pm
Hi Rogelio,
Can you check the values of the following Certificate Services registry keys on each CA in the chain?
1. certutil -getreg ca\ValidityPeriod
2. certutil -getreg ca\ValidityPeriodUnits
Reference:
http://support.microsoft.com/kb/281557
July 26th, 2010 11:43pm
Here is the information requested. This is for the Issuing CA only. The Root CA is offline. Will post info later.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\xxx>certutil -getreg ca\ValidityPeriod
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Lam R
esearch Issuing CA1\ValidityPeriod:
ValidityPeriod REG_SZ = Years
CertUtil: -getreg command completed successfully.
C:\Documents and Settings\xxx>certutil -getreg ca\ValidityPeriodUnits
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Lam R
esearch Issuing CA1\ValidityPeriodUnits:
ValidityPeriodUnits REG_DWORD = 2
CertUtil: -getreg command completed successfully.
July 27th, 2010 10:56pm
Raise the value to a higher value. For example, set it to 6 years (as a CA cert validity period):
certutil -setreg ca\validityperiodunits 6
and restart Certificate Services.
http://en-us.sysadmins.lv
July 28th, 2010 8:49am
will do....
made change...that did the trick...thanks for the help
July 29th, 2010 12:57am
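An added example, not written by any poster in this thread and not Microsoft code: it parses the `certutil -getreg` output posted above and reports which limit decides the expiry of an issued certificate. It assumes the CA issues for the shortest of the template validity, the CA's `ValidityPeriod`/`ValidityPeriodUnits` registry setting, and the remaining life of the CA certificate; the function names, the request date and the CA expiry date are constructed, and calendar arithmetic only approximates what the CA computes.

```python
import calendar, re
from datetime import datetime, timedelta

# Value lines from the certutil output posted above (console wrap in the key path kept).
GETREG_OUTPUT = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Lam R
esearch Issuing CA1\ValidityPeriod:
ValidityPeriod REG_SZ = Years
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Lam R
esearch Issuing CA1\ValidityPeriodUnits:
ValidityPeriodUnits REG_DWORD = 2
"""

def parse_getreg(text):
    """Map 'Name REG_TYPE = value' lines to {name: value}; DWORDs become ints."""
    values = {}
    for name, kind, raw in re.findall(r"^[ \t]*(\w+)[ \t]+(REG_\w+)[ \t]*=[ \t]*(.+)$", text, re.M):
        dec = re.search(r"\((\d+)\)", raw)  # certutil shows DWORDs as hex, e.g. "800 (2048)"
        if kind == "REG_DWORD":
            values[name] = int(dec.group(1)) if dec else int(raw.split()[0], 16)
        else:
            values[name] = raw.strip()
    return values

def add_period(start, unit, count):
    """Add count Days/Weeks/Months/Years (the ValidityPeriod units) to a datetime."""
    if unit in ("Days", "Weeks"):
        return start + timedelta(days=count * (7 if unit == "Weeks" else 1))
    months = start.month - 1 + count * (12 if unit == "Years" else 1)
    year, month = start.year + months // 12, months % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])  # clamp 29 Feb, 31st
    return start.replace(year=year, month=month, day=day)

def effective_expiry(now, template_years, reg, ca_not_after):
    """Return (expiry, name of the limit) for the earliest of the three limits."""
    limits = {
        "template": add_period(now, "Years", template_years),
        "CA registry ValidityPeriod": add_period(now, reg["ValidityPeriod"], reg["ValidityPeriodUnits"]),
        "CA certificate expiry": ca_not_after,
    }
    name = min(limits, key=limits.get)
    return limits[name], name

if __name__ == "__main__":
    now = datetime(2010, 7, 27)          # constructed request date
    ca_not_after = datetime(2016, 7, 1)  # constructed expiry of the renewed CA cert
    reg = parse_getreg(GETREG_OUTPUT)
    print(effective_expiry(now, 3, reg, ca_not_after))  # registry cap wins: 2 years
    reg["ValidityPeriodUnits"] = 6       # after: certutil -setreg ca\validityperiodunits 6
    print(effective_expiry(now, 3, reg, ca_not_after))  # template wins: 3 years
```

The same comparison applies on every CA in the chain, since a subordinate CA certificate is itself issued under the parent CA's registry cap.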