Microsoft KB Archive/239539

= Change the certificate validity period from the default of one year =

Article ID: 239539

Article Last Modified on 2/23/2007


APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Internet Information Server 4.0
 * Microsoft Certificate Server 1.0




This article was previously published under Q239539



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



== Certificate Services in Windows Server 2003 and in Windows 2000 Server ==
For Microsoft Windows Server 2003 or for Microsoft Windows 2000 Server, the validity period for the Root certification authority (CA) certificate in Certificate Services is configured during the Setup process for Certificate Services. The following certificate types are valid for up to five years. However, these certificates are never valid for longer than the Root CA certificate is valid:
 * Subordinate CA
 * Internet Protocol Security
 * Enrollment Agent
 * Domain Controller

All other certificates are valid for up to one year. However, they are never valid longer than the Root CA certificate is valid.

== Microsoft Certificate Server 1.0 ==
By default, certificates that Microsoft Certificate Server 1.0 issues are valid for one year. In Certificate Server 1.0, the validity period of a root Microsoft Certificate Server CA certificate is five years. The validity period of a non-root Microsoft Certificate Server CA certificate is controlled by the issuing CA. Certificates that your Certificate Server issues expire no later than your CA certificate expires.

For example, if there are only two years left on your CA certificate, issued certificates will be valid for no more than two years, even if you set the registry to issue five-year certificates.

