A question about ValidityPeriodUnits and ValidityPeriod


Hello all,

Can someone please help me with the following question?

I understand the above can be set in the CAPolicy.inf file when building the CA, or post-build using certutil, e.g.

certutil -setreg ca\validityperiodunits 5

certutil -setreg ca\validityperiod "years"

So I understand that if set in the CAPolicy.inf file, it sets the NotAfter date of the CA certificate (e.g. the CA cert lasts 5 years in the above example).

I assume that when used via certutil (on a built CA) it can be used to further limit the maximum NotAfter date of the certs the CA issues.

For example, if the CA cert is set to 10 years (via the above settings in the CAPolicy.inf file) and I want to limit certs issued by the CA to a maximum of 5 years (rather than 10 years), I set the registry value above.

Are my assumptions above correct?

If so, is it the case that this limits the maximum NotAfter date of certs issued via templates (e.g. an enterprise-joined CA) or on non-enterprise (standalone) CAs? For example, if the CA cert is 10 years, I create a copy of the Web Server template, adjust the period to 5 years, and set the above registry values to 3 years (and restart the services), is the maximum age of the Web Server cert 3 years, despite the fact the template says 5, because of the registry key?

Thanks all

aanotheruser


On Thu, 12 Mar 2015 14:40:04 +0000, aanotheruser wrote:

> Can someone please help me with the following question?
>
> I understand the above can be set in the CAPolicy.inf file when building the CA, or post-build using certutil, e.g.
>
> certutil -setreg ca\validityperiodunits 5
>
> certutil -setreg ca\validityperiod "years"
>
> So I understand that if set in the CAPolicy.inf file, it sets the NotAfter date of the CA certificate (e.g. the CA cert lasts 5 years in the above example).
>
> I assume that when used via certutil (on a built CA) it can be used to further limit the maximum NotAfter date of the certs the CA issues.
>
> For example, if the CA cert is set to 10 years (via the above settings in the CAPolicy.inf file) and I want to limit certs issued by the CA to a maximum of 5 years (rather than 10 years), I set the registry value above.
>
> Are my assumptions above correct?

No, not correct. Using CAPolicy.inf or certutil both do exactly the
same thing. Both set these values in the registry of the CA, which
in turn has an impact on the certificates the CA issues. They have no
impact on the lifetime of the CA certificate itself. In the case of a sub CA,
the lifetime of the CA cert is determined by the parent CA that issues its
cert. In the case of a root CA, the lifetime of the cert is determined when
running the configuration wizard.

> If so, is it the case that this limits the maximum NotAfter date of certs issued via templates (e.g. an enterprise-joined CA) or on non-enterprise (standalone) CAs? For example, if the CA cert is 10 years, I create a copy of the Web Server template, adjust the period to 5 years, and set the above registry values to 3 years (and restart the services), is the maximum age of the Web Server cert 3 years, despite the fact the template says 5, because of the registry key?

In the case of an enterprise CA, the maximum lifetime of a certificate is
determined by:

1. The registry entries ValidityPeriod and ValidityPeriodUnits.
2. The certificate template values.
3. The remaining lifetime of the CA cert itself.

The maximum lifetime is the shortest of the above values.

Paul Adare - FIM CM MVP
Aim to please. Ourselves, mostly, aim to please. -- A. DeBoer
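The rule in the reply above (an issued certificate's lifetime is the shortest of the registry ValidityPeriod/ValidityPeriodUnits, the template's validity period, and the remaining lifetime of the CA certificate) is easy to get wrong when auditing a CA by hand. Below is an added Python example, not part of the original thread and not Microsoft's own code, that parses a constructed sample of `certutil -getreg` output (the exact output layout is an assumption) and computes which of the three limits actually caps a certificate issued on a given date. It works through the questioner's scenario (10-year CA cert, 5-year template, 3-year registry setting) and also the case the reply adds, where the CA certificate itself is the closest to expiry.

```python
import calendar
import re
from datetime import datetime, timedelta

# Constructed sample of what "certutil -getreg ca\ValidityPeriod" and
# "certutil -getreg ca\ValidityPeriodUnits" print on a CA named EXAMPLE-CA.
# The line layout is an assumption; adjust the regex if your build differs.
CERTUTIL_GETREG_OUTPUT = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\EXAMPLE-CA\\ValidityPeriod:

  ValidityPeriod REG_SZ = Years
CertUtil: -getreg command completed successfully.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\EXAMPLE-CA\\ValidityPeriodUnits:

  ValidityPeriodUnits REG_DWORD = 3
CertUtil: -getreg command completed successfully.
"""

# Matches "  Name REG_DWORD = 3" or "  Name REG_SZ = Years" lines.
_REG_LINE = re.compile(r"^\s*(\w+)\s+REG_(DWORD|SZ)\s*=\s*(\S+)", re.M)


def parse_validity_registry(text):
    """Return (units, period) from certutil -getreg output, e.g. (3, 'Years')."""
    values = {}
    for name, kind, raw in _REG_LINE.findall(text):
        # base 0 lets a hex dump such as 0x3 parse as well as plain 3
        values[name] = int(raw, 0) if kind == "DWORD" else raw
    return values["ValidityPeriodUnits"], values["ValidityPeriod"]


def _as_datetime(value):
    """Accept either a datetime or an ISO 8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def _add_months(dt, months):
    """Calendar-aware month arithmetic; clamps 31 Jan + 1 month to end of Feb."""
    year = dt.year + (dt.month - 1 + months) // 12
    month = (dt.month - 1 + months) % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def add_period(start, units, period):
    """Add a ValidityPeriodUnits/ValidityPeriod pair to a start date."""
    start = _as_datetime(start)
    unit = period.lower().rstrip("s")  # "Years" -> "year", "Months" -> "month"
    if unit == "year":
        return _add_months(start, 12 * units)
    if unit == "month":
        return _add_months(start, units)
    if unit == "week":
        return start + timedelta(weeks=units)
    if unit == "day":
        return start + timedelta(days=units)
    if unit == "hour":
        return start + timedelta(hours=units)
    raise ValueError(f"unsupported ValidityPeriod value: {period!r}")


def effective_not_after(issued_at, registry, template, ca_not_after):
    """Return (NotAfter, limiting_factor) for a cert issued at issued_at.

    registry and template are (units, period) pairs; ca_not_after is the
    CA certificate's own NotAfter. The shortest of the three wins.
    """
    issued_at = _as_datetime(issued_at)
    candidates = {
        "registry ValidityPeriod": add_period(issued_at, *registry),
        "template validity": add_period(issued_at, *template),
        "remaining CA lifetime": _as_datetime(ca_not_after),
    }
    limiting = min(candidates, key=candidates.get)
    return candidates[limiting], limiting


if __name__ == "__main__":
    registry = parse_validity_registry(CERTUTIL_GETREG_OUTPUT)  # (3, 'Years')
    # Questioner's scenario: CA cert good for 10 years, template copy at 5 years.
    not_after, why = effective_not_after("2015-03-12", registry, (5, "Years"), "2025-03-12")
    print(f"NotAfter {not_after:%Y-%m-%d}, capped by {why}")
    # Reply's third factor: the CA cert itself expires before either setting.
    not_after, why = effective_not_after("2015-03-12", registry, (5, "Years"), "2016-01-01")
    print(f"NotAfter {not_after:%Y-%m-%d}, capped by {why}")
```

The second call is the case worth checking in practice: a registry or template value can look generous while the CA certificate's own NotAfter silently truncates everything it issues, so an audit script should always compare against the CA cert rather than only the two configured values. As the thread notes, registry changes made with `certutil -setreg` take effect only after the certificate service is restarted.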