Sign in with
Sign up | Sign in
Your question

CA Issue

Last response: in Windows 2000/NT
Share
Anonymous
August 31, 2004 3:38:06 PM

Archived from groups: microsoft.public.win2000.security (More info?)

My main certificate was set to expire on September 10,
2004. I renewed the certificate with the same private
key, and it is now set to expire on Sep 1, 2006
(basically 2 years from today) This seemed to work
correctly. When I now issue a new certificate to a smart
card for VPN purposes, it gives the certificate an
expiration date of Sep 1, 2005 (A year before the base
certificate is set to expire).

I don't want to have to renew all the company's VPN keys
in a year. How can I set the expiration date to the same
as the root cert?

More about : issue

Anonymous
September 1, 2004 12:47:44 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi Scott,

How To Change the Expiration Date of Certificates That Are Issued by a
Windows Server 2003 or a Windows 2000 Server Certificate Authority
http://support.microsoft.com/default.aspx?scid=kb;en-us;254632&Product=win2000

Feel free to post back if you have any questions regarding this.

Mike

"Scott25" <anonymous@discussions.microsoft.com> wrote in message
news:01bf01c48f89$a7d80460$a401280a@phx.gbl...
> My main certificate was set to expire on September 10,
> 2004. I renewed the certificate with the same private
> key, and it is now set to expire on Sep 1, 2006
> (basically 2 years from today) This seemed to work
> correctly. When I now issue a new certificate to a smart
> card for VPN purposes, it gives the certificate an
> expiration date of Sep 1, 2005 (A year before the base
> certificate is set to expire).
>
> I don't want to have to renew all the company's VPN keys
> in a year. How can I set the expiration date to the same
> as the root cert?
Anonymous
September 1, 2004 12:47:45 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Thanks for the article. I followed it and discovered
that everything in my registry was already set correctly.

My root certificate is correctly being issued with a 2
year expiration date.

My problem is that all the certificates that I issue to
my VPN keys that are based on that root certificate have
an expiration date of only 1 year. I don't understand
why these would have a different expiration date.

Any other thoughts? Thanks for all your help.

>-----Original Message-----
>Hi Scott,
>
>How To Change the Expiration Date of Certificates That
Are Issued by a
>Windows Server 2003 or a Windows 2000 Server Certificate
Authority
>http://support.microsoft.com/default.aspx?scid=kb;en-
us;254632&Product=win2000
>
>Feel free to post back if you have any questions
regarding this.
>
>Mike
>
>"Scott25" <anonymous@discussions.microsoft.com> wrote in
message
>news:01bf01c48f89$a7d80460$a401280a@phx.gbl...
>> My main certificate was set to expire on September 10,
>> 2004. I renewed the certificate with the same private
>> key, and it is now set to expire on Sep 1, 2006
>> (basically 2 years from today) This seemed to work
>> correctly. When I now issue a new certificate to a
smart
>> card for VPN purposes, it gives the certificate an
>> expiration date of Sep 1, 2005 (A year before the base
>> certificate is set to expire).
>>
>> I don't want to have to renew all the company's VPN
keys
>> in a year. How can I set the expiration date to the
same
>> as the root cert?
>
>
>.
>
Related resources
Anonymous
September 1, 2004 3:55:29 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Scott,

What value do you have under "ValidityPeriodUnits" Registry Key?

Mike

"Scott25" <anonymous@discussions.microsoft.com> wrote in message
news:3aa601c48f92$bc102b70$a601280a@phx.gbl...
> Thanks for the article. I followed it and discovered
> that everything in my registry was already set correctly.
>
> My root certificate is correctly being issued with a 2
> year expiration date.
>
> My problem is that all the certificates that I issue to
> my VPN keys that are based on that root certificate have
> an expiration date of only 1 year. I don't understand
> why these would have a different expiration date.
>
> Any other thoughts? Thanks for all your help.
>
> >-----Original Message-----
> >Hi Scott,
> >
> >How To Change the Expiration Date of Certificates That
> Are Issued by a
> >Windows Server 2003 or a Windows 2000 Server Certificate
> Authority
> >http://support.microsoft.com/default.aspx?scid=kb;en-
> us;254632&Product=win2000
> >
> >Feel free to post back if you have any questions
> regarding this.
> >
> >Mike
> >
> >"Scott25" <anonymous@discussions.microsoft.com> wrote in
> message
> >news:01bf01c48f89$a7d80460$a401280a@phx.gbl...
> >> My main certificate was set to expire on September 10,
> >> 2004. I renewed the certificate with the same private
> >> key, and it is now set to expire on Sep 1, 2006
> >> (basically 2 years from today) This seemed to work
> >> correctly. When I now issue a new certificate to a
> smart
> >> card for VPN purposes, it gives the certificate an
> >> expiration date of Sep 1, 2005 (A year before the base
> >> certificate is set to expire).
> >>
> >> I don't want to have to renew all the company's VPN
> keys
> >> in a year. How can I set the expiration date to the
> same
> >> as the root cert?
> >
> >
> >.
> >
Anonymous
September 1, 2004 10:30:16 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Years.

>-----Original Message-----
>Scott,
>
>What value do you have under "ValidityPeriodUnits"
Registry Key?
>
>Mike
>
>"Scott25" <anonymous@discussions.microsoft.com> wrote in
message
>news:3aa601c48f92$bc102b70$a601280a@phx.gbl...
>> Thanks for the article. I followed it and discovered
>> that everything in my registry was already set
correctly.
>>
>> My root certificate is correctly being issued with a 2
>> year expiration date.
>>
>> My problem is that all the certificates that I issue to
>> my VPN keys that are based on that root certificate
have
>> an expiration date of only 1 year. I don't understand
>> why these would have a different expiration date.
>>
>> Any other thoughts? Thanks for all your help.
>>
>> >-----Original Message-----
>> >Hi Scott,
>> >
>> >How To Change the Expiration Date of Certificates That
>> Are Issued by a
>> >Windows Server 2003 or a Windows 2000 Server
Certificate
>> Authority
>> >http://support.microsoft.com/default.aspx?scid=kb;en-
>> us;254632&Product=win2000
>> >
>> >Feel free to post back if you have any questions
>> regarding this.
>> >
>> >Mike
>> >
>> >"Scott25" <anonymous@discussions.microsoft.com> wrote
in
>> message
>> >news:01bf01c48f89$a7d80460$a401280a@phx.gbl...
>> >> My main certificate was set to expire on September
10,
>> >> 2004. I renewed the certificate with the same
private
>> >> key, and it is now set to expire on Sep 1, 2006
>> >> (basically 2 years from today) This seemed to work
>> >> correctly. When I now issue a new certificate to a
>> smart
>> >> card for VPN purposes, it gives the certificate an
>> >> expiration date of Sep 1, 2005 (A year before the
base
>> >> certificate is set to expire).
>> >>
>> >> I don't want to have to renew all the company's VPN
>> keys
>> >> in a year. How can I set the expiration date to the
>> same
>> >> as the root cert?
>> >
>> >
>> >.
>> >
>
>
>.
>
Anonymous
September 1, 2004 1:38:00 PM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <3aa601c48f92$bc102b70$a601280a@phx.gbl>, in the
microsoft.public.win2000.security news group, Scott25
<anonymous@discussions.microsoft.com> says...

> Thanks for the article. I followed it and discovered
> that everything in my registry was already set correctly.
>
> My root certificate is correctly being issued with a 2
> year expiration date.
>
> My problem is that all the certificates that I issue to
> my VPN keys that are based on that root certificate have
> an expiration date of only 1 year. I don't understand
> why these would have a different expiration date.
>
> Any other thoughts? Thanks for all your help.
>

As per the article, there are 3 factors that affect how long a
certificate is valid for. Which template are you using for your
certificate? Have you looked at the properties of that template to see
its validity period? I'll bet it is set for 1 year. Also, what operating
system is your CA installed on?

--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no
rights.
Anonymous
September 1, 2004 1:38:01 PM

Archived from groups: microsoft.public.win2000.security (More info?)

It is a Windows 2000 Server. It is the only CA in the
network. How do I check the properties of the template?

>-----Original Message-----
>In article <3aa601c48f92$bc102b70$a601280a@phx.gbl>, in
the
>microsoft.public.win2000.security news group, Scott25
><anonymous@discussions.microsoft.com> says...
>
>> Thanks for the article. I followed it and discovered
>> that everything in my registry was already set
correctly.
>>
>> My root certificate is correctly being issued with a 2
>> year expiration date.
>>
>> My problem is that all the certificates that I issue
to
>> my VPN keys that are based on that root certificate
have
>> an expiration date of only 1 year. I don't understand
>> why these would have a different expiration date.
>>
>> Any other thoughts? Thanks for all your help.
>>
>
>As per the article, there are 3 factors that affect how
long a
>certificate is valid for. Which template are you using
for your
>certificate? Have you looked at the properties of that
template to see
>its validity period? I'll bet it is set for 1 year.
Also, what operating
>system is your CA installed on?
>
>--
>Paul Adare
>This posting is provided "AS IS" with no warranties, and
confers no
>rights.
>.
>
Anonymous
September 1, 2004 7:51:20 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I think you are looking at wrong values:

Under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<
CAName>

Set this values like this:

REG_SZ ValidityPeriod Years
REG_DWORD ValidityPeriodUnits 2

(default value for REG_DWORD ValidityPeriodUnits is 1 )

Again check the posted article again! Also check Paul's post!

Mike

<anonymous@discussions.microsoft.com> wrote in message
news:425001c49027$d198c1b0$a301280a@phx.gbl...
> Years.
>
> >-----Original Message-----
> >Scott,
> >
> >What value do you have under "ValidityPeriodUnits"
> Registry Key?
> >
> >Mike
> >
> >"Scott25" <anonymous@discussions.microsoft.com> wrote in
> message
> >news:3aa601c48f92$bc102b70$a601280a@phx.gbl...
> >> Thanks for the article. I followed it and discovered
> >> that everything in my registry was already set
> correctly.
> >>
> >> My root certificate is correctly being issued with a 2
> >> year expiration date.
> >>
> >> My problem is that all the certificates that I issue to
> >> my VPN keys that are based on that root certificate
> have
> >> an expiration date of only 1 year. I don't understand
> >> why these would have a different expiration date.
> >>
> >> Any other thoughts? Thanks for all your help.
> >>
> >> >-----Original Message-----
> >> >Hi Scott,
> >> >
> >> >How To Change the Expiration Date of Certificates That
> >> Are Issued by a
> >> >Windows Server 2003 or a Windows 2000 Server
> Certificate
> >> Authority
> >> >http://support.microsoft.com/default.aspx?scid=kb;en-
> >> us;254632&Product=win2000
> >> >
> >> >Feel free to post back if you have any questions
> >> regarding this.
> >> >
> >> >Mike
> >> >
> >> >"Scott25" <anonymous@discussions.microsoft.com> wrote
> in
> >> message
> >> >news:01bf01c48f89$a7d80460$a401280a@phx.gbl...
> >> >> My main certificate was set to expire on September
> 10,
> >> >> 2004. I renewed the certificate with the same
> private
> >> >> key, and it is now set to expire on Sep 1, 2006
> >> >> (basically 2 years from today) This seemed to work
> >> >> correctly. When I now issue a new certificate to a
> >> smart
> >> >> card for VPN purposes, it gives the certificate an
> >> >> expiration date of Sep 1, 2005 (A year before the
> base
> >> >> certificate is set to expire).
> >> >>
> >> >> I don't want to have to renew all the company's VPN
> >> keys
> >> >> in a year. How can I set the expiration date to the
> >> same
> >> >> as the root cert?
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >
Anonymous
September 1, 2004 7:51:21 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I just doublechecked to make sure I was looking at the
right values and those are the exact values I have. Under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSv
c\Configuration\"Certifcate Name"

I have
Validity Period REG_SZ Years
Validity Period Units REG_DWORD 2

Thanks for all your help, but I am still not sure what I
am doing wrong.

>-----Original Message-----
>I think you are looking at wrong values:
>
>Under
>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertS
vc\Configuration\<
>CAName>
>
>Set this values like this:
>
>REG_SZ ValidityPeriod Years
>REG_DWORD ValidityPeriodUnits 2
>
>(default value for REG_DWORD ValidityPeriodUnits is 1 )
>
>Again check the posted article again! Also check Paul's
post!
>
>Mike
>
><anonymous@discussions.microsoft.com> wrote in message
>news:425001c49027$d198c1b0$a301280a@phx.gbl...
>> Years.
>>
>> >-----Original Message-----
>> >Scott,
>> >
>> >What value do you have under "ValidityPeriodUnits"
>> Registry Key?
>> >
>> >Mike
>> >
>> >"Scott25" <anonymous@discussions.microsoft.com> wrote
in
>> message
>> >news:3aa601c48f92$bc102b70$a601280a@phx.gbl...
>> >> Thanks for the article. I followed it and discovered
>> >> that everything in my registry was already set
>> correctly.
>> >>
>> >> My root certificate is correctly being issued with a
2
>> >> year expiration date.
>> >>
>> >> My problem is that all the certificates that I issue
to
>> >> my VPN keys that are based on that root certificate
>> have
>> >> an expiration date of only 1 year. I don't
understand
>> >> why these would have a different expiration date.
>> >>
>> >> Any other thoughts? Thanks for all your help.
>> >>
>> >> >-----Original Message-----
>> >> >Hi Scott,
>> >> >
>> >> >How To Change the Expiration Date of Certificates
That
>> >> Are Issued by a
>> >> >Windows Server 2003 or a Windows 2000 Server
>> Certificate
>> >> Authority
>> >> >http://support.microsoft.com/default.aspx?
scid=kb;en-
>> >> us;254632&Product=win2000
>> >> >
>> >> >Feel free to post back if you have any questions
>> >> regarding this.
>> >> >
>> >> >Mike
>> >> >
>> >> >"Scott25" <anonymous@discussions.microsoft.com>
wrote
>> in
>> >> message
>> >> >news:01bf01c48f89$a7d80460$a401280a@phx.gbl...
>> >> >> My main certificate was set to expire on September
>> 10,
>> >> >> 2004. I renewed the certificate with the same
>> private
>> >> >> key, and it is now set to expire on Sep 1, 2006
>> >> >> (basically 2 years from today) This seemed to
work
>> >> >> correctly. When I now issue a new certificate to
a
>> >> smart
>> >> >> card for VPN purposes, it gives the certificate an
>> >> >> expiration date of Sep 1, 2005 (A year before the
>> base
>> >> >> certificate is set to expire).
>> >> >>
>> >> >> I don't want to have to renew all the company's
VPN
>> >> keys
>> >> >> in a year. How can I set the expiration date to
the
>> >> same
>> >> >> as the root cert?
>> >> >
>> >> >
>> >> >.
>> >> >
>> >
>> >
>> >.
>> >
>
>
>.
>
Anonymous
September 1, 2004 8:14:35 PM

Archived from groups: microsoft.public.win2000.security (More info?)

How do you have this CA setup? Is this an Enterprise Root CA or Standalone
Root CA?

Mike

<anonymous@discussions.microsoft.com> wrote in message
news:097801c4902d$b98389b0$a401280a@phx.gbl...
> I just doublechecked to make sure I was looking at the
> right values and those are the exact values I have. Under
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSv
> c\Configuration\"Certifcate Name"
>
> I have
> Validity Period REG_SZ Years
> Validity Period Units REG_DWORD 2
>
> Thanks for all your help, but I am still not sure what I
> am doing wrong.
>
> >-----Original Message-----
> >I think you are looking at wrong values:
> >
> >Under
> >HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertS
> vc\Configuration\<
> >CAName>
> >
> >Set this values like this:
> >
> >REG_SZ ValidityPeriod Years
> >REG_DWORD ValidityPeriodUnits 2
> >
> >(default value for REG_DWORD ValidityPeriodUnits is 1 )
> >
> >Again check the posted article again! Also check Paul's
> post!
> >
> >Mike
> >
> ><anonymous@discussions.microsoft.com> wrote in message
> >news:425001c49027$d198c1b0$a301280a@phx.gbl...
> >> Years.
> >>
> >> >-----Original Message-----
> >> >Scott,
> >> >
> >> >What value do you have under "ValidityPeriodUnits"
> >> Registry Key?
> >> >
> >> >Mike
> >> >
> >> >"Scott25" <anonymous@discussions.microsoft.com> wrote
> in
> >> message
> >> >news:3aa601c48f92$bc102b70$a601280a@phx.gbl...
> >> >> Thanks for the article. I followed it and discovered
> >> >> that everything in my registry was already set
> >> correctly.
> >> >>
> >> >> My root certificate is correctly being issued with a
> 2
> >> >> year expiration date.
> >> >>
> >> >> My problem is that all the certificates that I issue
> to
> >> >> my VPN keys that are based on that root certificate
> >> have
> >> >> an expiration date of only 1 year. I don't
> understand
> >> >> why these would have a different expiration date.
> >> >>
> >> >> Any other thoughts? Thanks for all your help.
> >> >>
> >> >> >-----Original Message-----
> >> >> >Hi Scott,
> >> >> >
> >> >> >How To Change the Expiration Date of Certificates
> That
> >> >> Are Issued by a
> >> >> >Windows Server 2003 or a Windows 2000 Server
> >> Certificate
> >> >> Authority
> >> >> >http://support.microsoft.com/default.aspx?
> scid=kb;en-
> >> >> us;254632&Product=win2000
> >> >> >
> >> >> >Feel free to post back if you have any questions
> >> >> regarding this.
> >> >> >
> >> >> >Mike
> >> >> >
> >> >> >"Scott25" <anonymous@discussions.microsoft.com>
> wrote
> >> in
> >> >> message
> >> >> >news:01bf01c48f89$a7d80460$a401280a@phx.gbl...
> >> >> >> My main certificate was set to expire on September
> >> 10,
> >> >> >> 2004. I renewed the certificate with the same
> >> private
> >> >> >> key, and it is now set to expire on Sep 1, 2006
> >> >> >> (basically 2 years from today) This seemed to
> work
> >> >> >> correctly. When I now issue a new certificate to
> a
> >> >> smart
> >> >> >> card for VPN purposes, it gives the certificate an
> >> >> >> expiration date of Sep 1, 2005 (A year before the
> >> base
> >> >> >> certificate is set to expire).
> >> >> >>
> >> >> >> I don't want to have to renew all the company's
> VPN
> >> >> keys
> >> >> >> in a year. How can I set the expiration date to
> the
> >> >> same
> >> >> >> as the root cert?
> >> >> >
> >> >> >
> >> >> >.
> >> >> >
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >
Anonymous
September 1, 2004 8:14:36 PM

Archived from groups: microsoft.public.win2000.security (More info?)

It says Enterprise Root CA. It is the only CA on our
network.

>-----Original Message-----
>How do you have this CA setup? Is this an Enterprise Root
CA or Standalone
>Root CA?
>
>Mike
>
><anonymous@discussions.microsoft.com> wrote in message
>news:097801c4902d$b98389b0$a401280a@phx.gbl...
>> I just doublechecked to make sure I was looking at the
>> right values and those are the exact values I have.
Under
>>
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSv
>> c\Configuration\"Certifcate Name"
>>
>> I have
>> Validity Period REG_SZ Years
>> Validity Period Units REG_DWORD 2
>>
>> Thanks for all your help, but I am still not sure what I
>> am doing wrong.
>>
>> >-----Original Message-----
>> >I think you are looking at wrong values:
>> >
>> >Under
>>
>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertS
>> vc\Configuration\<
>> >CAName>
>> >
>> >Set this values like this:
>> >
>> >REG_SZ ValidityPeriod Years
>> >REG_DWORD ValidityPeriodUnits 2
>> >
>> >(default value for REG_DWORD ValidityPeriodUnits is 1 )
>> >
>> >Again check the posted article again! Also check Paul's
>> post!
>> >
>> >Mike
>> >
>> ><anonymous@discussions.microsoft.com> wrote in message
>> >news:425001c49027$d198c1b0$a301280a@phx.gbl...
>> >> Years.
>> >>
>> >> >-----Original Message-----
>> >> >Scott,
>> >> >
>> >> >What value do you have under "ValidityPeriodUnits"
>> >> Registry Key?
>> >> >
>> >> >Mike
>> >> >
>> >> >"Scott25" <anonymous@discussions.microsoft.com>
wrote
>> in
>> >> message
>> >> >news:3aa601c48f92$bc102b70$a601280a@phx.gbl...
>> >> >> Thanks for the article. I followed it and
discovered
>> >> >> that everything in my registry was already set
>> >> correctly.
>> >> >>
>> >> >> My root certificate is correctly being issued
with a
>> 2
>> >> >> year expiration date.
>> >> >>
>> >> >> My problem is that all the certificates that I
issue
>> to
>> >> >> my VPN keys that are based on that root
certificate
>> >> have
>> >> >> an expiration date of only 1 year. I don't
>> understand
>> >> >> why these would have a different expiration date.
>> >> >>
>> >> >> Any other thoughts? Thanks for all your help.
>> >> >>
>> >> >> >-----Original Message-----
>> >> >> >Hi Scott,
>> >> >> >
>> >> >> >How To Change the Expiration Date of Certificates
>> That
>> >> >> Are Issued by a
>> >> >> >Windows Server 2003 or a Windows 2000 Server
>> >> Certificate
>> >> >> Authority
>> >> >> >http://support.microsoft.com/default.aspx?
>> scid=kb;en-
>> >> >> us;254632&Product=win2000
>> >> >> >
>> >> >> >Feel free to post back if you have any questions
>> >> >> regarding this.
>> >> >> >
>> >> >> >Mike
>> >> >> >
>> >> >> >"Scott25" <anonymous@discussions.microsoft.com>
>> wrote
>> >> in
>> >> >> message
>> >> >> >news:01bf01c48f89$a7d80460$a401280a@phx.gbl...
>> >> >> >> My main certificate was set to expire on
September
>> >> 10,
>> >> >> >> 2004. I renewed the certificate with the same
>> >> private
>> >> >> >> key, and it is now set to expire on Sep 1, 2006
>> >> >> >> (basically 2 years from today) This seemed to
>> work
>> >> >> >> correctly. When I now issue a new certificate
to
>> a
>> >> >> smart
>> >> >> >> card for VPN purposes, it gives the
certificate an
>> >> >> >> expiration date of Sep 1, 2005 (A year before
the
>> >> base
>> >> >> >> certificate is set to expire).
>> >> >> >>
>> >> >> >> I don't want to have to renew all the company's
>> VPN
>> >> >> keys
>> >> >> >> in a year. How can I set the expiration date
to
>> the
>> >> >> same
>> >> >> >> as the root cert?
>> >> >> >
>> >> >> >
>> >> >> >.
>> >> >> >
>> >> >
>> >> >
>> >> >.
>> >> >
>> >
>> >
>> >.
>> >
>
>
>.
>
Anonymous
September 1, 2004 10:00:19 PM

Archived from groups: microsoft.public.win2000.security (More info?)

It looks as Paul suggested that this 1 year limit is set in certificate
template. This is not a problem if you have standalone CA setup.

Unfortunately on Windows 2000 you can't edit (customize) templates. You can
create customized templates on Windows 2003.

Mike

<anonymous@discussions.microsoft.com> wrote in message
news:434b01c49030$f348c900$a301280a@phx.gbl...
> It says Enterprise Root CA. It is the only CA on our
> network.
>
> >-----Original Message-----
> >How do you have this CA setup? Is this an Enterprise Root
> CA or Standalone
> >Root CA?
> >
> >Mike
> >
> ><anonymous@discussions.microsoft.com> wrote in message
> >news:097801c4902d$b98389b0$a401280a@phx.gbl...
> >> I just doublechecked to make sure I was looking at the
> >> right values and those are the exact values I have.
> Under
> >>
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSv
> >> c\Configuration\"Certifcate Name"
> >>
> >> I have
> >> Validity Period REG_SZ Years
> >> Validity Period Units REG_DWORD 2
> >>
> >> Thanks for all your help, but I am still not sure what I
> >> am doing wrong.
> >>
> >> >-----Original Message-----
> >> >I think you are looking at wrong values:
> >> >
> >> >Under
> >>
> >HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertS
> >> vc\Configuration\<
> >> >CAName>
> >> >
> >> >Set this values like this:
> >> >
> >> >REG_SZ ValidityPeriod Years
> >> >REG_DWORD ValidityPeriodUnits 2
> >> >
> >> >(default value for REG_DWORD ValidityPeriodUnits is 1 )
> >> >
> >> >Again check the posted article again! Also check Paul's
> >> post!
> >> >
> >> >Mike
> >> >
> >> ><anonymous@discussions.microsoft.com> wrote in message
> >> >news:425001c49027$d198c1b0$a301280a@phx.gbl...
> >> >> Years.
> >> >>
> >> >> >-----Original Message-----
> >> >> >Scott,
> >> >> >
> >> >> >What value do you have under "ValidityPeriodUnits"
> >> >> Registry Key?
> >> >> >
> >> >> >Mike
> >> >> >
> >> >> >"Scott25" <anonymous@discussions.microsoft.com>
> wrote
> >> in
> >> >> message
> >> >> >news:3aa601c48f92$bc102b70$a601280a@phx.gbl...
> >> >> >> Thanks for the article. I followed it and
> discovered
> >> >> >> that everything in my registry was already set
> >> >> correctly.
> >> >> >>
> >> >> >> My root certificate is correctly being issued
> with a
> >> 2
> >> >> >> year expiration date.
> >> >> >>
> >> >> >> My problem is that all the certificates that I
> issue
> >> to
> >> >> >> my VPN keys that are based on that root
> certificate
> >> >> have
> >> >> >> an expiration date of only 1 year. I don't
> >> understand
> >> >> >> why these would have a different expiration date.
> >> >> >>
> >> >> >> Any other thoughts? Thanks for all your help.
> >> >> >>
> >> >> >> >-----Original Message-----
> >> >> >> >Hi Scott,
> >> >> >> >
> >> >> >> >How To Change the Expiration Date of Certificates
> >> That
> >> >> >> Are Issued by a
> >> >> >> >Windows Server 2003 or a Windows 2000 Server
> >> >> Certificate
> >> >> >> Authority
> >> >> >> >http://support.microsoft.com/default.aspx?
> >> scid=kb;en-
> >> >> >> us;254632&Product=win2000
> >> >> >> >
> >> >> >> >Feel free to post back if you have any questions
> >> >> >> regarding this.
> >> >> >> >
> >> >> >> >Mike
> >> >> >> >
> >> >> >> >"Scott25" <anonymous@discussions.microsoft.com>
> >> wrote
> >> >> in
> >> >> >> message
> >> >> >> >news:01bf01c48f89$a7d80460$a401280a@phx.gbl...
> >> >> >> >> My main certificate was set to expire on
> September
> >> >> 10,
> >> >> >> >> 2004. I renewed the certificate with the same
> >> >> private
> >> >> >> >> key, and it is now set to expire on Sep 1, 2006
> >> >> >> >> (basically 2 years from today) This seemed to
> >> work
> >> >> >> >> correctly. When I now issue a new certificate
> to
> >> a
> >> >> >> smart
> >> >> >> >> card for VPN purposes, it gives the
> certificate an
> >> >> >> >> expiration date of Sep 1, 2005 (A year before
> the
> >> >> base
> >> >> >> >> certificate is set to expire).
> >> >> >> >>
> >> >> >> >> I don't want to have to renew all the company's
> >> VPN
> >> >> >> keys
> >> >> >> >> in a year. How can I set the expiration date
> to
> >> the
> >> >> >> same
> >> >> >> >> as the root cert?
> >> >> >> >
> >> >> >> >
> >> >> >> >.
> >> >> >> >
> >> >> >
> >> >> >
> >> >> >.
> >> >> >
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >
Anonymous
September 1, 2004 10:00:20 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Ok, I may not be able to get around it then. However, I
know 2 years ago when they set this up, they issued VPN
certificates that had a 2 year expiration period.
Everyone who set this up is gone though, and we are not
sure how they did this. Thanks for all your help though.

>-----Original Message-----
>It looks as Paul suggested that this 1 year limit is set
in certificate
>template. This is not a problem if you have standalone
CA setup.
>
>Unfortunately on Windows 2000 you can't edit (customize)
templates. You can
>create customized templates on Windows 2003.
>
>Mike
>
><anonymous@discussions.microsoft.com> wrote in message
>news:434b01c49030$f348c900$a301280a@phx.gbl...
>> It says Enterprise Root CA. It is the only CA on our
>> network.
>>
>> >-----Original Message-----
>> >How do you have this CA setup? Is this an Enterprise
Root
>> CA or Standalone
>> >Root CA?
>> >
>> >Mike
>> >
>> ><anonymous@discussions.microsoft.com> wrote in message
>> >news:097801c4902d$b98389b0$a401280a@phx.gbl...
>> >> I just doublechecked to make sure I was looking at
the
>> >> right values and those are the exact values I have.
>> Under
>> >>
>>
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertS
v
>> >> c\Configuration\"Certifcate Name"
>> >>
>> >> I have
>> >> Validity Period REG_SZ Years
>> >> Validity Period Units REG_DWORD 2
>> >>
>> >> Thanks for all your help, but I am still not sure
what I
>> >> am doing wrong.
>> >>
>> >> >-----Original Message-----
>> >> >I think you are looking at wrong values:
>> >> >
>> >> >Under
>> >>
>>
>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cert
S
>> >> vc\Configuration\<
>> >> >CAName>
>> >> >
>> >> >Set this values like this:
>> >> >
>> >> >REG_SZ ValidityPeriod Years
>> >> >REG_DWORD ValidityPeriodUnits 2
>> >> >
>> >> >(default value for REG_DWORD ValidityPeriodUnits
is 1 )
>> >> >
>> >> >Again check the posted article again! Also check
Paul's
>> >> post!
>> >> >
>> >> >Mike
>> >> >
>> >> ><anonymous@discussions.microsoft.com> wrote in
message
>> >> >news:425001c49027$d198c1b0$a301280a@phx.gbl...
>> >> >> Years.
>> >> >>
>> >> >> >-----Original Message-----
>> >> >> >Scott,
>> >> >> >
>> >> >> >What value do you have
under "ValidityPeriodUnits"
>> >> >> Registry Key?
>> >> >> >
>> >> >> >Mike
>> >> >> >
>> >> >> >"Scott25" <anonymous@discussions.microsoft.com>
>> wrote
>> >> in
>> >> >> message
>> >> >> >news:3aa601c48f92$bc102b70$a601280a@phx.gbl...
>> >> >> >> Thanks for the article. I followed it and
>> discovered
>> >> >> >> that everything in my registry was already set
>> >> >> correctly.
>> >> >> >>
>> >> >> >> My root certificate is correctly being issued
>> with a
>> >> 2
>> >> >> >> year expiration date.
>> >> >> >>
>> >> >> >> My problem is that all the certificates that I
>> issue
>> >> to
>> >> >> >> my VPN keys that are based on that root
>> certificate
>> >> >> have
>> >> >> >> an expiration date of only 1 year. I don't
>> >> understand
>> >> >> >> why these would have a different expiration
date.
>> >> >> >>
>> >> >> >> Any other thoughts? Thanks for all your help.
>> >> >> >>
>> >> >> >> >-----Original Message-----
>> >> >> >> >Hi Scott,
>> >> >> >> >
>> >> >> >> >How To Change the Expiration Date of
Certificates
>> >> That
>> >> >> >> Are Issued by a
>> >> >> >> >Windows Server 2003 or a Windows 2000 Server
>> >> >> Certificate
>> >> >> >> Authority
>> >> >> >> >http://support.microsoft.com/default.aspx?
>> >> scid=kb;en-
>> >> >> >> us;254632&Product=win2000
>> >> >> >> >
>> >> >> >> >Feel free to post back if you have any
questions
>> >> >> >> regarding this.
>> >> >> >> >
>> >> >> >> >Mike
>> >> >> >> >
>> >> >> >> >"Scott25"
<anonymous@discussions.microsoft.com>
>> >> wrote
>> >> >> in
>> >> >> >> message
>> >> >> >> >news:01bf01c48f89$a7d80460
$a401280a@phx.gbl...
>> >> >> >> >> My main certificate was set to expire on
>> September
>> >> >> 10,
>> >> >> >> >> 2004. I renewed the certificate with the
same
>> >> >> private
>> >> >> >> >> key, and it is now set to expire on Sep 1,
2006
>> >> >> >> >> (basically 2 years from today) This
seemed to
>> >> work
>> >> >> >> >> correctly. When I now issue a new
certificate
>> to
>> >> a
>> >> >> >> smart
>> >> >> >> >> card for VPN purposes, it gives the
>> certificate an
>> >> >> >> >> expiration date of Sep 1, 2005 (A year
before
>> the
>> >> >> base
>> >> >> >> >> certificate is set to expire).
>> >> >> >> >>
>> >> >> >> >> I don't want to have to renew all the
company's
>> >> VPN
>> >> >> >> keys
>> >> >> >> >> in a year. How can I set the expiration
date
>> to
>> >> the
>> >> >> >> same
>> >> >> >> >> as the root cert?
>> >> >> >> >
>> >> >> >> >
>> >> >> >> >.
>> >> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >.
>> >> >> >
>> >> >
>> >> >
>> >> >.
>> >> >
>> >
>> >
>> >.
>> >
>
>
>.
>
Anonymous
September 1, 2004 10:14:17 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Which template do you use to issue certificate?

Mike

"Scott25" <anonymous@discussions.microsoft.com> wrote in message
news:42e801c4903d$80cd4ec0$a501280a@phx.gbl...
> Ok, I may not be able to get around it then. However, I
> know 2 years ago when they set this up, they issued VPN
> certificates that had a 2 year expiration period.
> Everyone who set this up is gone though, and we are not
> sure how they did this. Thanks for all your help though.
>
> >-----Original Message-----
> >It looks as Paul suggested that this 1 year limit is set
> in certificate
> >template. This is not a problem if you have standalone
> CA setup.
> >
> >Unfortunately on Windows 2000 you can't edit (customize)
> templates. You can
> >create customized templates on Windows 2003.
> >
> >Mike
> >
> ><anonymous@discussions.microsoft.com> wrote in message
> >news:434b01c49030$f348c900$a301280a@phx.gbl...
> >> It says Enterprise Root CA. It is the only CA on our
> >> network.
> >>
> >> >-----Original Message-----
> >> >How do you have this CA setup? Is this an Enterprise
> Root
> >> CA or Standalone
> >> >Root CA?
> >> >
> >> >Mike
> >> >
> >> ><anonymous@discussions.microsoft.com> wrote in message
> >> >news:097801c4902d$b98389b0$a401280a@phx.gbl...
> >> >> I just doublechecked to make sure I was looking at
> the
> >> >> right values and those are the exact values I have.
> >> Under
> >> >>
> >>
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertS
> v
> >> >> c\Configuration\"Certifcate Name"
> >> >>
> >> >> I have
> >> >> Validity Period REG_SZ Years
> >> >> Validity Period Units REG_DWORD 2
> >> >>
> >> >> Thanks for all your help, but I am still not sure
> what I
> >> >> am doing wrong.
> >> >>
> >> >> >-----Original Message-----
> >> >> >I think you are looking at wrong values:
> >> >> >
> >> >> >Under
> >> >>
> >>
> >HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cert
> S
> >> >> vc\Configuration\<
> >> >> >CAName>
> >> >> >
> >> >> >Set this values like this:
> >> >> >
> >> >> >REG_SZ ValidityPeriod Years
> >> >> >REG_DWORD ValidityPeriodUnits 2
> >> >> >
> >> >> >(default value for REG_DWORD ValidityPeriodUnits
> is 1 )
> >> >> >
> >> >> >Again check the posted article again! Also check
> Paul's
> >> >> post!
> >> >> >
> >> >> >Mike
> >> >> >
> >> >> ><anonymous@discussions.microsoft.com> wrote in
> message
> >> >> >news:425001c49027$d198c1b0$a301280a@phx.gbl...
> >> >> >> Years.
> >> >> >>
> >> >> >> >-----Original Message-----
> >> >> >> >Scott,
> >> >> >> >
> >> >> >> >What value do you have
> under "ValidityPeriodUnits"
> >> >> >> Registry Key?
> >> >> >> >
> >> >> >> >Mike
> >> >> >> >
> >> >> >> >"Scott25" <anonymous@discussions.microsoft.com>
> >> wrote
> >> >> in
> >> >> >> message
> >> >> >> >news:3aa601c48f92$bc102b70$a601280a@phx.gbl...
> >> >> >> >> Thanks for the article. I followed it and
> >> discovered
> >> >> >> >> that everything in my registry was already set
> >> >> >> correctly.
> >> >> >> >>
> >> >> >> >> My root certificate is correctly being issued
> >> with a
> >> >> 2
> >> >> >> >> year expiration date.
> >> >> >> >>
> >> >> >> >> My problem is that all the certificates that I
> >> issue
> >> >> to
> >> >> >> >> my VPN keys that are based on that root
> >> certificate
> >> >> >> have
> >> >> >> >> an expiration date of only 1 year. I don't
> >> >> understand
> >> >> >> >> why these would have a different expiration
> date.
> >> >> >> >>
> >> >> >> >> Any other thoughts? Thanks for all your help.
> >> >> >> >>
> >> >> >> >> >-----Original Message-----
> >> >> >> >> >Hi Scott,
> >> >> >> >> >
> >> >> >> >> >How To Change the Expiration Date of
> Certificates
> >> >> That
> >> >> >> >> Are Issued by a
> >> >> >> >> >Windows Server 2003 or a Windows 2000 Server
> >> >> >> Certificate
> >> >> >> >> Authority
> >> >> >> >> >http://support.microsoft.com/default.aspx?
> >> >> scid=kb;en-
> >> >> >> >> us;254632&Product=win2000
> >> >> >> >> >
> >> >> >> >> >Feel free to post back if you have any
> questions
> >> >> >> >> regarding this.
> >> >> >> >> >
> >> >> >> >> >Mike
> >> >> >> >> >
> >> >> >> >> >"Scott25"
> <anonymous@discussions.microsoft.com>
> >> >> wrote
> >> >> >> in
> >> >> >> >> message
> >> >> >> >> >news:01bf01c48f89$a7d80460
> $a401280a@phx.gbl...
> >> >> >> >> >> My main certificate was set to expire on
> >> September
> >> >> >> 10,
> >> >> >> >> >> 2004. I renewed the certificate with the
> same
> >> >> >> private
> >> >> >> >> >> key, and it is now set to expire on Sep 1,
> 2006
> >> >> >> >> >> (basically 2 years from today) This
> seemed to
> >> >> work
> >> >> >> >> >> correctly. When I now issue a new
> certificate
> >> to
> >> >> a
> >> >> >> >> smart
> >> >> >> >> >> card for VPN purposes, it gives the
> >> certificate an
> >> >> >> >> >> expiration date of Sep 1, 2005 (A year
> before
> >> the
> >> >> >> base
> >> >> >> >> >> certificate is set to expire).
> >> >> >> >> >>
> >> >> >> >> >> I don't want to have to renew all the
> company's
> >> >> VPN
> >> >> >> >> keys
> >> >> >> >> >> in a year. How can I set the expiration
> date
> >> to
> >> >> the
> >> >> >> >> same
> >> >> >> >> >> as the root cert?
> >> >> >> >> >
> >> >> >> >> >
> >> >> >> >> >.
> >> >> >> >> >
> >> >> >> >
> >> >> >> >
> >> >> >> >.
> >> >> >> >
> >> >> >
> >> >> >
> >> >> >.
> >> >> >
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >
Anonymous
September 1, 2004 10:14:18 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Not quite sure what you mean when you refer
to "Template." I am issuing certificates by going through
a web interface for microsoft certification services. All
of the issued certificates show up under Certification
Authority, Under the Company Name, and then Issued
Certificates.

>-----Original Message-----
>Which template do you use to issue certificate?
>
>Mike
>
>"Scott25" <anonymous@discussions.microsoft.com> wrote in
message
>news:42e801c4903d$80cd4ec0$a501280a@phx.gbl...
>> Ok, I may not be able to get around it then. However, I
>> know 2 years ago when they set this up, they issued VPN
>> certificates that had a 2 year expiration period.
>> Everyone who set this up is gone though, and we are not
>> sure how they did this. Thanks for all your help
though.
>>
>> >-----Original Message-----
>> >It looks as Paul suggested that this 1 year limit is
set
>> in certificate
>> >template. This is not a problem if you have standalone
>> CA setup.
>> >
>> >Unfortunately on Windows 2000 you can't edit
(customize)
>> templates. You can
>> >create customized templates on Windows 2003.
>> >
>> >Mike
>> >
>> ><anonymous@discussions.microsoft.com> wrote in message
>> >news:434b01c49030$f348c900$a301280a@phx.gbl...
>> >> It says Enterprise Root CA. It is the only CA on our
>> >> network.
>> >>
>> >> >-----Original Message-----
>> >> >How do you have this CA setup? Is this an Enterprise
>> Root
>> >> CA or Standalone
>> >> >Root CA?
>> >> >
>> >> >Mike
>> >> >
>> >> ><anonymous@discussions.microsoft.com> wrote in
message
>> >> >news:097801c4902d$b98389b0$a401280a@phx.gbl...
>> >> >> I just doublechecked to make sure I was looking at
>> the
>> >> >> right values and those are the exact values I
have.
>> >> Under
>> >> >>
>> >>
>>
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertS
>> v
>> >> >> c\Configuration\"Certifcate Name"
>> >> >>
>> >> >> I have
>> >> >> Validity Period REG_SZ Years
>> >> >> Validity Period Units REG_DWORD 2
>> >> >>
>> >> >> Thanks for all your help, but I am still not sure
>> what I
>> >> >> am doing wrong.
>> >> >>
>> >> >> >-----Original Message-----
>> >> >> >I think you are looking at wrong values:
>> >> >> >
>> >> >> >Under
>> >> >>
>> >>
>>
>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cert
>> S
>> >> >> vc\Configuration\<
>> >> >> >CAName>
>> >> >> >
>> >> >> >Set this values like this:
>> >> >> >
>> >> >> >REG_SZ ValidityPeriod Years
>> >> >> >REG_DWORD ValidityPeriodUnits 2
>> >> >> >
>> >> >> >(default value for REG_DWORD ValidityPeriodUnits
>> is 1 )
>> >> >> >
>> >> >> >Again check the posted article again! Also check
>> Paul's
>> >> >> post!
>> >> >> >
>> >> >> >Mike
>> >> >> >
>> >> >> ><anonymous@discussions.microsoft.com> wrote in
>> message
>> >> >> >news:425001c49027$d198c1b0$a301280a@phx.gbl...
>> >> >> >> Years.
>> >> >> >>
>> >> >> >> >-----Original Message-----
>> >> >> >> >Scott,
>> >> >> >> >
>> >> >> >> >What value do you have
>> under "ValidityPeriodUnits"
>> >> >> >> Registry Key?
>> >> >> >> >
>> >> >> >> >Mike
>> >> >> >> >
>> >> >> >> >"Scott25"
<anonymous@discussions.microsoft.com>
>> >> wrote
>> >> >> in
>> >> >> >> message
>> >> >> >> >news:3aa601c48f92$bc102b70$a601280a@phx.gbl...
>> >> >> >> >> Thanks for the article. I followed it and
>> >> discovered
>> >> >> >> >> that everything in my registry was already
set
>> >> >> >> correctly.
>> >> >> >> >>
>> >> >> >> >> My root certificate is correctly being
issued
>> >> with a
>> >> >> 2
>> >> >> >> >> year expiration date.
>> >> >> >> >>
>> >> >> >> >> My problem is that all the certificates
that I
>> >> issue
>> >> >> to
>> >> >> >> >> my VPN keys that are based on that root
>> >> certificate
>> >> >> >> have
>> >> >> >> >> an expiration date of only 1 year. I don't
>> >> >> understand
>> >> >> >> >> why these would have a different expiration
>> date.
>> >> >> >> >>
>> >> >> >> >> Any other thoughts? Thanks for all your
help.
>> >> >> >> >>
>> >> >> >> >> >-----Original Message-----
>> >> >> >> >> >Hi Scott,
>> >> >> >> >> >
>> >> >> >> >> >How To Change the Expiration Date of
>> Certificates
>> >> >> That
>> >> >> >> >> Are Issued by a
>> >> >> >> >> >Windows Server 2003 or a Windows 2000
Server
>> >> >> >> Certificate
>> >> >> >> >> Authority
>> >> >> >> >> >http://support.microsoft.com/default.aspx?
>> >> >> scid=kb;en-
>> >> >> >> >> us;254632&Product=win2000
>> >> >> >> >> >
>> >> >> >> >> >Feel free to post back if you have any
>> questions
>> >> >> >> >> regarding this.
>> >> >> >> >> >
>> >> >> >> >> >Mike
>> >> >> >> >> >
>> >> >> >> >> >"Scott25"
>> <anonymous@discussions.microsoft.com>
>> >> >> wrote
>> >> >> >> in
>> >> >> >> >> message
>> >> >> >> >> >news:01bf01c48f89$a7d80460
>> $a401280a@phx.gbl...
>> >> >> >> >> >> My main certificate was set to expire on
>> >> September
>> >> >> >> 10,
>> >> >> >> >> >> 2004. I renewed the certificate with the
>> same
>> >> >> >> private
>> >> >> >> >> >> key, and it is now set to expire on Sep
1,
>> 2006
>> >> >> >> >> >> (basically 2 years from today) This
>> seemed to
>> >> >> work
>> >> >> >> >> >> correctly. When I now issue a new
>> certificate
>> >> to
>> >> >> a
>> >> >> >> >> smart
>> >> >> >> >> >> card for VPN purposes, it gives the
>> >> certificate an
>> >> >> >> >> >> expiration date of Sep 1, 2005 (A year
>> before
>> >> the
>> >> >> >> base
>> >> >> >> >> >> certificate is set to expire).
>> >> >> >> >> >>
>> >> >> >> >> >> I don't want to have to renew all the
>> company's
>> >> >> VPN
>> >> >> >> >> keys
>> >> >> >> >> >> in a year. How can I set the expiration
>> date
>> >> to
>> >> >> the
>> >> >> >> >> same
>> >> >> >> >> >> as the root cert?
>> >> >> >> >> >
>> >> >> >> >> >
>> >> >> >> >> >.
>> >> >> >> >> >
>> >> >> >> >
>> >> >> >> >
>> >> >> >> >.
>> >> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >.
>> >> >> >
>> >> >
>> >> >
>> >> >.
>> >> >
>> >
>> >
>> >.
>> >
>
>
>.
>
Anonymous
September 1, 2004 10:14:18 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Just found it, it is the CA template. Is that what you
are looking for?

>-----Original Message-----
>Which template do you use to issue certificate?
>
>Mike
>
>"Scott25" <anonymous@discussions.microsoft.com> wrote in
message
>news:42e801c4903d$80cd4ec0$a501280a@phx.gbl...
>> Ok, I may not be able to get around it then. However,
I
>> know 2 years ago when they set this up, they issued VPN
>> certificates that had a 2 year expiration period.
>> Everyone who set this up is gone though, and we are not
>> sure how they did this. Thanks for all your help
though.
>>
>> >-----Original Message-----
>> >It looks as Paul suggested that this 1 year limit is
set
>> in certificate
>> >template. This is not a problem if you have standalone
>> CA setup.
>> >
>> >Unfortunately on Windows 2000 you can't edit
(customize)
>> templates. You can
>> >create customized templates on Windows 2003.
>> >
>> >Mike
>> >
>> ><anonymous@discussions.microsoft.com> wrote in message
>> >news:434b01c49030$f348c900$a301280a@phx.gbl...
>> >> It says Enterprise Root CA. It is the only CA on
our
>> >> network.
>> >>
>> >> >-----Original Message-----
>> >> >How do you have this CA setup? Is this an
Enterprise
>> Root
>> >> CA or Standalone
>> >> >Root CA?
>> >> >
>> >> >Mike
>> >> >
>> >> ><anonymous@discussions.microsoft.com> wrote in
message
>> >> >news:097801c4902d$b98389b0$a401280a@phx.gbl...
>> >> >> I just doublechecked to make sure I was looking
at
>> the
>> >> >> right values and those are the exact values I
have.
>> >> Under
>> >> >>
>> >>
>>
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertS
>> v
>> >> >> c\Configuration\"Certifcate Name"
>> >> >>
>> >> >> I have
>> >> >> Validity Period REG_SZ Years
>> >> >> Validity Period Units REG_DWORD 2
>> >> >>
>> >> >> Thanks for all your help, but I am still not sure
>> what I
>> >> >> am doing wrong.
>> >> >>
>> >> >> >-----Original Message-----
>> >> >> >I think you are looking at wrong values:
>> >> >> >
>> >> >> >Under
>> >> >>
>> >>
>>
>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cert
>> S
>> >> >> vc\Configuration\<
>> >> >> >CAName>
>> >> >> >
>> >> >> >Set this values like this:
>> >> >> >
>> >> >> >REG_SZ ValidityPeriod Years
>> >> >> >REG_DWORD ValidityPeriodUnits 2
>> >> >> >
>> >> >> >(default value for REG_DWORD ValidityPeriodUnits
>> is 1 )
>> >> >> >
>> >> >> >Again check the posted article again! Also check
>> Paul's
>> >> >> post!
>> >> >> >
>> >> >> >Mike
>> >> >> >
>> >> >> ><anonymous@discussions.microsoft.com> wrote in
>> message
>> >> >> >news:425001c49027$d198c1b0$a301280a@phx.gbl...
>> >> >> >> Years.
>> >> >> >>
>> >> >> >> >-----Original Message-----
>> >> >> >> >Scott,
>> >> >> >> >
>> >> >> >> >What value do you have
>> under "ValidityPeriodUnits"
>> >> >> >> Registry Key?
>> >> >> >> >
>> >> >> >> >Mike
>> >> >> >> >
>> >> >> >> >"Scott25"
<anonymous@discussions.microsoft.com>
>> >> wrote
>> >> >> in
>> >> >> >> message
>> >> >> >> >news:3aa601c48f92$bc102b70
$a601280a@phx.gbl...
>> >> >> >> >> Thanks for the article. I followed it and
>> >> discovered
>> >> >> >> >> that everything in my registry was already
set
>> >> >> >> correctly.
>> >> >> >> >>
>> >> >> >> >> My root certificate is correctly being
issued
>> >> with a
>> >> >> 2
>> >> >> >> >> year expiration date.
>> >> >> >> >>
>> >> >> >> >> My problem is that all the certificates
that I
>> >> issue
>> >> >> to
>> >> >> >> >> my VPN keys that are based on that root
>> >> certificate
>> >> >> >> have
>> >> >> >> >> an expiration date of only 1 year. I don't
>> >> >> understand
>> >> >> >> >> why these would have a different expiration
>> date.
>> >> >> >> >>
>> >> >> >> >> Any other thoughts? Thanks for all your
help.
>> >> >> >> >>
>> >> >> >> >> >-----Original Message-----
>> >> >> >> >> >Hi Scott,
>> >> >> >> >> >
>> >> >> >> >> >How To Change the Expiration Date of
>> Certificates
>> >> >> That
>> >> >> >> >> Are Issued by a
>> >> >> >> >> >Windows Server 2003 or a Windows 2000
Server
>> >> >> >> Certificate
>> >> >> >> >> Authority
>> >> >> >> >> >http://support.microsoft.com/default.aspx?
>> >> >> scid=kb;en-
>> >> >> >> >> us;254632&Product=win2000
>> >> >> >> >> >
>> >> >> >> >> >Feel free to post back if you have any
>> questions
>> >> >> >> >> regarding this.
>> >> >> >> >> >
>> >> >> >> >> >Mike
>> >> >> >> >> >
>> >> >> >> >> >"Scott25"
>> <anonymous@discussions.microsoft.com>
>> >> >> wrote
>> >> >> >> in
>> >> >> >> >> message
>> >> >> >> >> >news:01bf01c48f89$a7d80460
>> $a401280a@phx.gbl...
>> >> >> >> >> >> My main certificate was set to expire on
>> >> September
>> >> >> >> 10,
>> >> >> >> >> >> 2004. I renewed the certificate with
the
>> same
>> >> >> >> private
>> >> >> >> >> >> key, and it is now set to expire on Sep
1,
>> 2006
>> >> >> >> >> >> (basically 2 years from today) This
>> seemed to
>> >> >> work
>> >> >> >> >> >> correctly. When I now issue a new
>> certificate
>> >> to
>> >> >> a
>> >> >> >> >> smart
>> >> >> >> >> >> card for VPN purposes, it gives the
>> >> certificate an
>> >> >> >> >> >> expiration date of Sep 1, 2005 (A year
>> before
>> >> the
>> >> >> >> base
>> >> >> >> >> >> certificate is set to expire).
>> >> >> >> >> >>
>> >> >> >> >> >> I don't want to have to renew all the
>> company's
>> >> >> VPN
>> >> >> >> >> keys
>> >> >> >> >> >> in a year. How can I set the expiration
>> date
>> >> to
>> >> >> the
>> >> >> >> >> same
>> >> >> >> >> >> as the root cert?
>> >> >> >> >> >
>> >> >> >> >> >
>> >> >> >> >> >.
>> >> >> >> >> >
>> >> >> >> >
>> >> >> >> >
>> >> >> >> >.
>> >> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >.
>> >> >> >
>> >> >
>> >> >
>> >> >.
>> >> >
>> >
>> >
>> >.
>> >
>
>
>.
>
Anonymous
September 1, 2004 11:16:38 PM

Archived from groups: microsoft.public.win2000.security (More info?)

In the web interface you can select between different Certificate Templates
(e.g. Users, Administrator, SmartCard User, IPSec, ...). Which one do you
select when issuing your certificates?

http://freeweb.siol.net/mpihler/templates.jpg

Mike

"Scott25" <anonymous@discussions.microsoft.com> wrote in message
news:00a901c49045$2cda6570$a401280a@phx.gbl...
> Not quite sure what you mean when you refer
> to "Template." I am issuing certificates by going through
> a web interface for microsoft certification services. All
> of the issued certificates show up under Certification
> Authority, Under the Company Name, and then Issued
> Certificates.
>
> >-----Original Message-----
> >Which template do you use to issue certificate?
> >
> >Mike
> >
> >"Scott25" <anonymous@discussions.microsoft.com> wrote in
> message
> >news:42e801c4903d$80cd4ec0$a501280a@phx.gbl...
> >> Ok, I may not be able to get around it then. However, I
> >> know 2 years ago when they set this up, they issued VPN
> >> certificates that had a 2 year expiration period.
> >> Everyone who set this up is gone though, and we are not
> >> sure how they did this. Thanks for all your help
> though.
> >>
> >> >-----Original Message-----
> >> >It looks as Paul suggested that this 1 year limit is
> set
> >> in certificate
> >> >template. This is not a problem if you have standalone
> >> CA setup.
> >> >
> >> >Unfortunately on Windows 2000 you can't edit
> (customize)
> >> templates. You can
> >> >create customized templates on Windows 2003.
> >> >
> >> >Mike
> >> >
> >> ><anonymous@discussions.microsoft.com> wrote in message
> >> >news:434b01c49030$f348c900$a301280a@phx.gbl...
> >> >> It says Enterprise Root CA. It is the only CA on our
> >> >> network.
> >> >>
> >> >> >-----Original Message-----
> >> >> >How do you have this CA setup? Is this an Enterprise
> >> Root
> >> >> CA or Standalone
> >> >> >Root CA?
> >> >> >
> >> >> >Mike
> >> >> >
> >> >> ><anonymous@discussions.microsoft.com> wrote in
> message
> >> >> >news:097801c4902d$b98389b0$a401280a@phx.gbl...
> >> >> >> I just doublechecked to make sure I was looking at
> >> the
> >> >> >> right values and those are the exact values I
> have.
> >> >> Under
> >> >> >>
> >> >>
> >>
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertS
> >> v
> >> >> >> c\Configuration\"Certifcate Name"
> >> >> >>
> >> >> >> I have
> >> >> >> Validity Period REG_SZ Years
> >> >> >> Validity Period Units REG_DWORD 2
> >> >> >>
> >> >> >> Thanks for all your help, but I am still not sure
> >> what I
> >> >> >> am doing wrong.
> >> >> >>
> >> >> >> >-----Original Message-----
> >> >> >> >I think you are looking at wrong values:
> >> >> >> >
> >> >> >> >Under
> >> >> >>
> >> >>
> >>
> >HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cert
> >> S
> >> >> >> vc\Configuration\<
> >> >> >> >CAName>
> >> >> >> >
> >> >> >> >Set this values like this:
> >> >> >> >
> >> >> >> >REG_SZ ValidityPeriod Years
> >> >> >> >REG_DWORD ValidityPeriodUnits 2
> >> >> >> >
> >> >> >> >(default value for REG_DWORD ValidityPeriodUnits
> >> is 1 )
> >> >> >> >
> >> >> >> >Again check the posted article again! Also check
> >> Paul's
> >> >> >> post!
> >> >> >> >
> >> >> >> >Mike
> >> >> >> >
> >> >> >> ><anonymous@discussions.microsoft.com> wrote in
> >> message
> >> >> >> >news:425001c49027$d198c1b0$a301280a@phx.gbl...
> >> >> >> >> Years.
> >> >> >> >>
> >> >> >> >> >-----Original Message-----
> >> >> >> >> >Scott,
> >> >> >> >> >
> >> >> >> >> >What value do you have
> >> under "ValidityPeriodUnits"
> >> >> >> >> Registry Key?
> >> >> >> >> >
> >> >> >> >> >Mike
> >> >> >> >> >
> >> >> >> >> >"Scott25"
> <anonymous@discussions.microsoft.com>
> >> >> wrote
> >> >> >> in
> >> >> >> >> message
> >> >> >> >> >news:3aa601c48f92$bc102b70$a601280a@phx.gbl...
> >> >> >> >> >> Thanks for the article. I followed it and
> >> >> discovered
> >> >> >> >> >> that everything in my registry was already
> set
> >> >> >> >> correctly.
> >> >> >> >> >>
> >> >> >> >> >> My root certificate is correctly being
> issued
> >> >> with a
> >> >> >> 2
> >> >> >> >> >> year expiration date.
> >> >> >> >> >>
> >> >> >> >> >> My problem is that all the certificates
> that I
> >> >> issue
> >> >> >> to
> >> >> >> >> >> my VPN keys that are based on that root
> >> >> certificate
> >> >> >> >> have
> >> >> >> >> >> an expiration date of only 1 year. I don't
> >> >> >> understand
> >> >> >> >> >> why these would have a different expiration
> >> date.
> >> >> >> >> >>
> >> >> >> >> >> Any other thoughts? Thanks for all your
> help.
> >> >> >> >> >>
> >> >> >> >> >> >-----Original Message-----
> >> >> >> >> >> >Hi Scott,
> >> >> >> >> >> >
> >> >> >> >> >> >How To Change the Expiration Date of
> >> Certificates
> >> >> >> That
> >> >> >> >> >> Are Issued by a
> >> >> >> >> >> >Windows Server 2003 or a Windows 2000
> Server
> >> >> >> >> Certificate
> >> >> >> >> >> Authority
> >> >> >> >> >> >http://support.microsoft.com/default.aspx?
> >> >> >> scid=kb;en-
> >> >> >> >> >> us;254632&Product=win2000
> >> >> >> >> >> >
> >> >> >> >> >> >Feel free to post back if you have any
> >> questions
> >> >> >> >> >> regarding this.
> >> >> >> >> >> >
> >> >> >> >> >> >Mike
> >> >> >> >> >> >
> >> >> >> >> >> >"Scott25"
> >> <anonymous@discussions.microsoft.com>
> >> >> >> wrote
> >> >> >> >> in
> >> >> >> >> >> message
> >> >> >> >> >> >news:01bf01c48f89$a7d80460
> >> $a401280a@phx.gbl...
> >> >> >> >> >> >> My main certificate was set to expire on
> >> >> September
> >> >> >> >> 10,
> >> >> >> >> >> >> 2004. I renewed the certificate with the
> >> same
> >> >> >> >> private
> >> >> >> >> >> >> key, and it is now set to expire on Sep
> 1,
> >> 2006
> >> >> >> >> >> >> (basically 2 years from today) This
> >> seemed to
> >> >> >> work
> >> >> >> >> >> >> correctly. When I now issue a new
> >> certificate
> >> >> to
> >> >> >> a
> >> >> >> >> >> smart
> >> >> >> >> >> >> card for VPN purposes, it gives the
> >> >> certificate an
> >> >> >> >> >> >> expiration date of Sep 1, 2005 (A year
> >> before
> >> >> the
> >> >> >> >> base
> >> >> >> >> >> >> certificate is set to expire).
> >> >> >> >> >> >>
> >> >> >> >> >> >> I don't want to have to renew all the
> >> company's
> >> >> >> VPN
> >> >> >> >> >> keys
> >> >> >> >> >> >> in a year. How can I set the expiration
> >> date
> >> >> to
> >> >> >> the
> >> >> >> >> >> same
> >> >> >> >> >> >> as the root cert?
> >> >> >> >> >> >
> >> >> >> >> >> >
> >> >> >> >> >> >.
> >> >> >> >> >> >
> >> >> >> >> >
> >> >> >> >> >
> >> >> >> >> >.
> >> >> >> >> >
> >> >> >> >
> >> >> >> >
> >> >> >> >.
> >> >> >> >
> >> >> >
> >> >> >
> >> >> >.
> >> >> >
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >
Anonymous
September 1, 2004 11:16:39 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Smartcard Logon.

>-----Original Message-----
>In the web interface you can select between different
Certificate Templates
>(e.g. Users, Administrator, SmartCard User, IPSec, ...).
Which one do you
>select when issuing your certificates?
>
>http://freeweb.siol.net/mpihler/templates.jpg
>
>Mike
>
>"Scott25" <anonymous@discussions.microsoft.com> wrote in
message
>news:00a901c49045$2cda6570$a401280a@phx.gbl...
>> Not quite sure what you mean when you refer
>> to "Template." I am issuing certificates by going
through
>> a web interface for microsoft certification services.
All
>> of the issued certificates show up under Certification
>> Authority, Under the Company Name, and then Issued
>> Certificates.
>>
>> >-----Original Message-----
>> >Which template do you use to issue certificate?
>> >
>> >Mike
>> >
>> >"Scott25" <anonymous@discussions.microsoft.com> wrote
in
>> message
>> >news:42e801c4903d$80cd4ec0$a501280a@phx.gbl...
>> >> Ok, I may not be able to get around it then.
However, I
>> >> know 2 years ago when they set this up, they issued
VPN
>> >> certificates that had a 2 year expiration period.
>> >> Everyone who set this up is gone though, and we are
not
>> >> sure how they did this. Thanks for all your help
>> though.
>> >>
>> >> >-----Original Message-----
>> >> >It looks as Paul suggested that this 1 year limit
is
>> set
>> >> in certificate
>> >> >template. This is not a problem if you have
standalone
>> >> CA setup.
>> >> >
>> >> >Unfortunately on Windows 2000 you can't edit
>> (customize)
>> >> templates. You can
>> >> >create customized templates on Windows 2003.
>> >> >
>> >> >Mike
>> >> >
>> >> ><anonymous@discussions.microsoft.com> wrote in
message
>> >> >news:434b01c49030$f348c900$a301280a@phx.gbl...
>> >> >> It says Enterprise Root CA. It is the only CA
on our
>> >> >> network.
>> >> >>
>> >> >> >-----Original Message-----
>> >> >> >How do you have this CA setup? Is this an
Enterprise
>> >> Root
>> >> >> CA or Standalone
>> >> >> >Root CA?
>> >> >> >
>> >> >> >Mike
>> >> >> >
>> >> >> ><anonymous@discussions.microsoft.com> wrote in
>> message
>> >> >> >news:097801c4902d$b98389b0$a401280a@phx.gbl...
>> >> >> >> I just doublechecked to make sure I was
looking at
>> >> the
>> >> >> >> right values and those are the exact values I
>> have.
>> >> >> Under
>> >> >> >>
>> >> >>
>> >>
>>
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertS
>> >> v
>> >> >> >> c\Configuration\"Certifcate Name"
>> >> >> >>
>> >> >> >> I have
>> >> >> >> Validity Period REG_SZ Years
>> >> >> >> Validity Period Units REG_DWORD 2
>> >> >> >>
>> >> >> >> Thanks for all your help, but I am still not
sure
>> >> what I
>> >> >> >> am doing wrong.
>> >> >> >>
>> >> >> >> >-----Original Message-----
>> >> >> >> >I think you are looking at wrong values:
>> >> >> >> >
>> >> >> >> >Under
>> >> >> >>
>> >> >>
>> >>
>>
>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cert
>> >> S
>> >> >> >> vc\Configuration\<
>> >> >> >> >CAName>
>> >> >> >> >
>> >> >> >> >Set this values like this:
>> >> >> >> >
>> >> >> >> >REG_SZ ValidityPeriod Years
>> >> >> >> >REG_DWORD ValidityPeriodUnits 2
>> >> >> >> >
>> >> >> >> >(default value for REG_DWORD
ValidityPeriodUnits
>> >> is 1 )
>> >> >> >> >
>> >> >> >> >Again check the posted article again! Also
check
>> >> Paul's
>> >> >> >> post!
>> >> >> >> >
>> >> >> >> >Mike
>> >> >> >> >
>> >> >> >> ><anonymous@discussions.microsoft.com> wrote
in
>> >> message
>> >> >> >> >news:425001c49027$d198c1b0
$a301280a@phx.gbl...
>> >> >> >> >> Years.
>> >> >> >> >>
>> >> >> >> >> >-----Original Message-----
>> >> >> >> >> >Scott,
>> >> >> >> >> >
>> >> >> >> >> >What value do you have
>> >> under "ValidityPeriodUnits"
>> >> >> >> >> Registry Key?
>> >> >> >> >> >
>> >> >> >> >> >Mike
>> >> >> >> >> >
>> >> >> >> >> >"Scott25"
>> <anonymous@discussions.microsoft.com>
>> >> >> wrote
>> >> >> >> in
>> >> >> >> >> message
>> >> >> >> >> >news:3aa601c48f92$bc102b70
$a601280a@phx.gbl...
>> >> >> >> >> >> Thanks for the article. I followed it
and
>> >> >> discovered
>> >> >> >> >> >> that everything in my registry was
already
>> set
>> >> >> >> >> correctly.
>> >> >> >> >> >>
>> >> >> >> >> >> My root certificate is correctly being
>> issued
>> >> >> with a
>> >> >> >> 2
>> >> >> >> >> >> year expiration date.
>> >> >> >> >> >>
>> >> >> >> >> >> My problem is that all the certificates
>> that I
>> >> >> issue
>> >> >> >> to
>> >> >> >> >> >> my VPN keys that are based on that root
>> >> >> certificate
>> >> >> >> >> have
>> >> >> >> >> >> an expiration date of only 1 year. I
don't
>> >> >> >> understand
>> >> >> >> >> >> why these would have a different
expiration
>> >> date.
>> >> >> >> >> >>
>> >> >> >> >> >> Any other thoughts? Thanks for all your
>> help.
>> >> >> >> >> >>
>> >> >> >> >> >> >-----Original Message-----
>> >> >> >> >> >> >Hi Scott,
>> >> >> >> >> >> >
>> >> >> >> >> >> >How To Change the Expiration Date of
>> >> Certificates
>> >> >> >> That
>> >> >> >> >> >> Are Issued by a
>> >> >> >> >> >> >Windows Server 2003 or a Windows 2000
>> Server
>> >> >> >> >> Certificate
>> >> >> >> >> >> Authority
>> >> >> >> >> >>
>http://support.microsoft.com/default.aspx?
>> >> >> >> scid=kb;en-
>> >> >> >> >> >> us;254632&Product=win2000
>> >> >> >> >> >> >
>> >> >> >> >> >> >Feel free to post back if you have any
>> >> questions
>> >> >> >> >> >> regarding this.
>> >> >> >> >> >> >
>> >> >> >> >> >> >Mike
>> >> >> >> >> >> >
>> >> >> >> >> >> >"Scott25"
>> >> <anonymous@discussions.microsoft.com>
>> >> >> >> wrote
>> >> >> >> >> in
>> >> >> >> >> >> message
>> >> >> >> >> >> >news:01bf01c48f89$a7d80460
>> >> $a401280a@phx.gbl...
>> >> >> >> >> >> >> My main certificate was set to
expire on
>> >> >> September
>> >> >> >> >> 10,
>> >> >> >> >> >> >> 2004. I renewed the certificate
with the
>> >> same
>> >> >> >> >> private
>> >> >> >> >> >> >> key, and it is now set to expire on
Sep
>> 1,
>> >> 2006
>> >> >> >> >> >> >> (basically 2 years from today) This
>> >> seemed to
>> >> >> >> work
>> >> >> >> >> >> >> correctly. When I now issue a new
>> >> certificate
>> >> >> to
>> >> >> >> a
>> >> >> >> >> >> smart
>> >> >> >> >> >> >> card for VPN purposes, it gives the
>> >> >> certificate an
>> >> >> >> >> >> >> expiration date of Sep 1, 2005 (A
year
>> >> before
>> >> >> the
>> >> >> >> >> base
>> >> >> >> >> >> >> certificate is set to expire).
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> I don't want to have to renew all the
>> >> company's
>> >> >> >> VPN
>> >> >> >> >> >> keys
>> >> >> >> >> >> >> in a year. How can I set the
expiration
>> >> date
>> >> >> to
>> >> >> >> the
>> >> >> >> >> >> same
>> >> >> >> >> >> >> as the root cert?
>> >> >> >> >> >> >
>> >> >> >> >> >> >
>> >> >> >> >> >> >.
>> >> >> >> >> >> >
>> >> >> >> >> >
>> >> >> >> >> >
>> >> >> >> >> >.
>> >> >> >> >> >
>> >> >> >> >
>> >> >> >> >
>> >> >> >> >.
>> >> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >.
>> >> >> >
>> >> >
>> >> >
>> >> >.
>> >> >
>> >
>> >
>> >.
>> >
>
>
>.
>
Anonymous
September 1, 2004 11:16:39 PM

Archived from groups: microsoft.public.win2000.security (More info?)

SmartCard Logon

Sorry, I keep forgetting to put in my name and it shows
up as anonymous. Thanks for all your help so far.


>-----Original Message-----
>In the web interface you can select between different
Certificate Templates
>(e.g. Users, Administrator, SmartCard User, IPSec, ...).
Which one do you
>select when issuing your certificates?
>
>http://freeweb.siol.net/mpihler/templates.jpg
>
>Mike
>
>"Scott25" <anonymous@discussions.microsoft.com> wrote in
message
>news:00a901c49045$2cda6570$a401280a@phx.gbl...
>> Not quite sure what you mean when you refer
>> to "Template." I am issuing certificates by going
through
>> a web interface for microsoft certification services.
All
>> of the issued certificates show up under Certification
>> Authority, Under the Company Name, and then Issued
>> Certificates.
>>
>> >-----Original Message-----
>> >Which template do you use to issue certificate?
>> >
>> >Mike
>> >
>> >"Scott25" <anonymous@discussions.microsoft.com> wrote
in
>> message
>> >news:42e801c4903d$80cd4ec0$a501280a@phx.gbl...
>> >> Ok, I may not be able to get around it then.
However, I
>> >> know 2 years ago when they set this up, they issued
VPN
>> >> certificates that had a 2 year expiration period.
>> >> Everyone who set this up is gone though, and we are
not
>> >> sure how they did this. Thanks for all your help
>> though.
>> >>
>> >> >-----Original Message-----
>> >> >It looks as Paul suggested that this 1 year limit
is
>> set
>> >> in certificate
>> >> >template. This is not a problem if you have
standalone
>> >> CA setup.
>> >> >
>> >> >Unfortunately on Windows 2000 you can't edit
>> (customize)
>> >> templates. You can
>> >> >create customized templates on Windows 2003.
>> >> >
>> >> >Mike
>> >> >
>> >> ><anonymous@discussions.microsoft.com> wrote in
message
>> >> >news:434b01c49030$f348c900$a301280a@phx.gbl...
>> >> >> It says Enterprise Root CA. It is the only CA
on our
>> >> >> network.
>> >> >>
>> >> >> >-----Original Message-----
>> >> >> >How do you have this CA setup? Is this an
Enterprise
>> >> Root
>> >> >> CA or Standalone
>> >> >> >Root CA?
>> >> >> >
>> >> >> >Mike
>> >> >> >
>> >> >> ><anonymous@discussions.microsoft.com> wrote in
>> message
>> >> >> >news:097801c4902d$b98389b0$a401280a@phx.gbl...
>> >> >> >> I just doublechecked to make sure I was
looking at
>> >> the
>> >> >> >> right values and those are the exact values I
>> have.
>> >> >> Under
>> >> >> >>
>> >> >>
>> >>
>>
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertS
>> >> v
>> >> >> >> c\Configuration\"Certifcate Name"
>> >> >> >>
>> >> >> >> I have
>> >> >> >> Validity Period REG_SZ Years
>> >> >> >> Validity Period Units REG_DWORD 2
>> >> >> >>
>> >> >> >> Thanks for all your help, but I am still not
sure
>> >> what I
>> >> >> >> am doing wrong.
>> >> >> >>
>> >> >> >> >-----Original Message-----
>> >> >> >> >I think you are looking at wrong values:
>> >> >> >> >
>> >> >> >> >Under
>> >> >> >>
>> >> >>
>> >>
>>
>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cert
>> >> S
>> >> >> >> vc\Configuration\<
>> >> >> >> >CAName>
>> >> >> >> >
>> >> >> >> >Set this values like this:
>> >> >> >> >
>> >> >> >> >REG_SZ ValidityPeriod Years
>> >> >> >> >REG_DWORD ValidityPeriodUnits 2
>> >> >> >> >
>> >> >> >> >(default value for REG_DWORD
ValidityPeriodUnits
>> >> is 1 )
>> >> >> >> >
>> >> >> >> >Again check the posted article again! Also
check
>> >> Paul's
>> >> >> >> post!
>> >> >> >> >
>> >> >> >> >Mike
>> >> >> >> >
>> >> >> >> ><anonymous@discussions.microsoft.com> wrote
in
>> >> message
>> >> >> >> >news:425001c49027$d198c1b0
$a301280a@phx.gbl...
>> >> >> >> >> Years.
>> >> >> >> >>
>> >> >> >> >> >-----Original Message-----
>> >> >> >> >> >Scott,
>> >> >> >> >> >
>> >> >> >> >> >What value do you have
>> >> under "ValidityPeriodUnits"
>> >> >> >> >> Registry Key?
>> >> >> >> >> >
>> >> >> >> >> >Mike
>> >> >> >> >> >
>> >> >> >> >> >"Scott25"
>> <anonymous@discussions.microsoft.com>
>> >> >> wrote
>> >> >> >> in
>> >> >> >> >> message
>> >> >> >> >> >news:3aa601c48f92$bc102b70
$a601280a@phx.gbl...
>> >> >> >> >> >> Thanks for the article. I followed it
and
>> >> >> discovered
>> >> >> >> >> >> that everything in my registry was
already
>> set
>> >> >> >> >> correctly.
>> >> >> >> >> >>
>> >> >> >> >> >> My root certificate is correctly being
>> issued
>> >> >> with a
>> >> >> >> 2
>> >> >> >> >> >> year expiration date.
>> >> >> >> >> >>
>> >> >> >> >> >> My problem is that all the certificates
>> that I
>> >> >> issue
>> >> >> >> to
>> >> >> >> >> >> my VPN keys that are based on that root
>> >> >> certificate
>> >> >> >> >> have
>> >> >> >> >> >> an expiration date of only 1 year. I
don't
>> >> >> >> understand
>> >> >> >> >> >> why these would have a different
expiration
>> >> date.
>> >> >> >> >> >>
>> >> >> >> >> >> Any other thoughts? Thanks for all your
>> help.
>> >> >> >> >> >>
>> >> >> >> >> >> >-----Original Message-----
>> >> >> >> >> >> >Hi Scott,
>> >> >> >> >> >> >
>> >> >> >> >> >> >How To Change the Expiration Date of
>> >> Certificates
>> >> >> >> That
>> >> >> >> >> >> Are Issued by a
>> >> >> >> >> >> >Windows Server 2003 or a Windows 2000
>> Server
>> >> >> >> >> Certificate
>> >> >> >> >> >> Authority
>> >> >> >> >> >>
>http://support.microsoft.com/default.aspx?
>> >> >> >> scid=kb;en-
>> >> >> >> >> >> us;254632&Product=win2000
>> >> >> >> >> >> >
>> >> >> >> >> >> >Feel free to post back if you have any
>> >> questions
>> >> >> >> >> >> regarding this.
>> >> >> >> >> >> >
>> >> >> >> >> >> >Mike
>> >> >> >> >> >> >
>> >> >> >> >> >> >"Scott25"
>> >> <anonymous@discussions.microsoft.com>
>> >> >> >> wrote
>> >> >> >> >> in
>> >> >> >> >> >> message
>> >> >> >> >> >> >news:01bf01c48f89$a7d80460
>> >> $a401280a@phx.gbl...
>> >> >> >> >> >> >> My main certificate was set to
expire on
>> >> >> September
>> >> >> >> >> 10,
>> >> >> >> >> >> >> 2004. I renewed the certificate
with the
>> >> same
>> >> >> >> >> private
>> >> >> >> >> >> >> key, and it is now set to expire on
Sep
>> 1,
>> >> 2006
>> >> >> >> >> >> >> (basically 2 years from today) This
>> >> seemed to
>> >> >> >> work
>> >> >> >> >> >> >> correctly. When I now issue a new
>> >> certificate
>> >> >> to
>> >> >> >> a
>> >> >> >> >> >> smart
>> >> >> >> >> >> >> card for VPN purposes, it gives the
>> >> >> certificate an
>> >> >> >> >> >> >> expiration date of Sep 1, 2005 (A
year
>> >> before
>> >> >> the
>> >> >> >> >> base
>> >> >> >> >> >> >> certificate is set to expire).
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> I don't want to have to renew all the
>> >> company's
>> >> >> >> VPN
>> >> >> >> >> >> keys
>> >> >> >> >> >> >> in a year. How can I set the
expiration
>> >> date
>> >> >> to
>> >> >> >> the
>> >> >> >> >> >> same
>> >> >> >> >> >> >> as the root cert?
>> >> >> >> >> >> >
>> >> >> >> >> >> >
>> >> >> >> >> >> >.
>> >> >> >> >> >> >
>> >> >> >> >> >
>> >> >> >> >> >
>> >> >> >> >> >.
>> >> >> >> >> >
>> >> >> >> >
>> >> >> >> >
>> >> >> >> >.
>> >> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >.
>> >> >> >
>> >> >
>> >> >
>> >> >.
>> >> >
>> >
>> >
>> >.
>> >
>
>
>.
>
Anonymous
September 2, 2004 12:32:06 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Do you actually use Smart Cards to logon to domain -- or just to store
certificates for VPN? What CSP do you use (CSP = Cryptographic Service
Provider).

Mike

"Scott25" <anonymous@discussions.microsoft.com> wrote in message
news:459e01c49050$36eaafb0$a301280a@phx.gbl...
> SmartCard Logon
>
> Sorry, I keep forgetting to put in my name and it shows
> up as anonymous. Thanks for all your help so far.
>
>
> >-----Original Message-----
> >In the web interface you can select between different
> Certificate Templates
> >(e.g. Users, Administrator, SmartCard User, IPSec, ...).
> Which one do you
> >select when issuing your certificates?
> >
> >http://freeweb.siol.net/mpihler/templates.jpg
> >
> >Mike
> >
> >"Scott25" <anonymous@discussions.microsoft.com> wrote in
> message
> >news:00a901c49045$2cda6570$a401280a@phx.gbl...
> >> Not quite sure what you mean when you refer
> >> to "Template." I am issuing certificates by going
> through
> >> a web interface for microsoft certification services.
> All
> >> of the issued certificates show up under Certification
> >> Authority, Under the Company Name, and then Issued
> >> Certificates.
> >>
> >> >-----Original Message-----
> >> >Which template do you use to issue certificate?
> >> >
> >> >Mike
> >> >
> >> >"Scott25" <anonymous@discussions.microsoft.com> wrote
> in
> >> message
> >> >news:42e801c4903d$80cd4ec0$a501280a@phx.gbl...
> >> >> Ok, I may not be able to get around it then.
> However, I
> >> >> know 2 years ago when they set this up, they issued
> VPN
> >> >> certificates that had a 2 year expiration period.
> >> >> Everyone who set this up is gone though, and we are
> not
> >> >> sure how they did this. Thanks for all your help
> >> though.
> >> >>
> >> >> >-----Original Message-----
> >> >> >It looks as Paul suggested that this 1 year limit
> is
> >> set
> >> >> in certificate
> >> >> >template. This is not a problem if you have
> standalone
> >> >> CA setup.
> >> >> >
> >> >> >Unfortunately on Windows 2000 you can't edit
> >> (customize)
> >> >> templates. You can
> >> >> >create customized templates on Windows 2003.
> >> >> >
> >> >> >Mike
> >> >> >
> >> >> ><anonymous@discussions.microsoft.com> wrote in
> message
> >> >> >news:434b01c49030$f348c900$a301280a@phx.gbl...
> >> >> >> It says Enterprise Root CA. It is the only CA
> on our
> >> >> >> network.
> >> >> >>
> >> >> >> >-----Original Message-----
> >> >> >> >How do you have this CA setup? Is this an
> Enterprise
> >> >> Root
> >> >> >> CA or Standalone
> >> >> >> >Root CA?
> >> >> >> >
> >> >> >> >Mike
> >> >> >> >
> >> >> >> ><anonymous@discussions.microsoft.com> wrote in
> >> message
> >> >> >> >news:097801c4902d$b98389b0$a401280a@phx.gbl...
> >> >> >> >> I just doublechecked to make sure I was
> looking at
> >> >> the
> >> >> >> >> right values and those are the exact values I
> >> have.
> >> >> >> Under
> >> >> >> >>
> >> >> >>
> >> >>
> >>
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertS
> >> >> v
> >> >> >> >> c\Configuration\"Certifcate Name"
> >> >> >> >>
> >> >> >> >> I have
> >> >> >> >> Validity Period REG_SZ Years
> >> >> >> >> Validity Period Units REG_DWORD 2
> >> >> >> >>
> >> >> >> >> Thanks for all your help, but I am still not
> sure
> >> >> what I
> >> >> >> >> am doing wrong.
> >> >> >> >>
> >> >> >> >> >-----Original Message-----
> >> >> >> >> >I think you are looking at wrong values:
> >> >> >> >> >
> >> >> >> >> >Under
> >> >> >> >>
> >> >> >>
> >> >>
> >>
> >HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cert
> >> >> S
> >> >> >> >> vc\Configuration\<
> >> >> >> >> >CAName>
> >> >> >> >> >
> >> >> >> >> >Set this values like this:
> >> >> >> >> >
> >> >> >> >> >REG_SZ ValidityPeriod Years
> >> >> >> >> >REG_DWORD ValidityPeriodUnits 2
> >> >> >> >> >
> >> >> >> >> >(default value for REG_DWORD
> ValidityPeriodUnits
> >> >> is 1 )
> >> >> >> >> >
> >> >> >> >> >Again check the posted article again! Also
> check
> >> >> Paul's
> >> >> >> >> post!
> >> >> >> >> >
> >> >> >> >> >Mike
> >> >> >> >> >
> >> >> >> >> ><anonymous@discussions.microsoft.com> wrote
> in
> >> >> message
> >> >> >> >> >news:425001c49027$d198c1b0
> $a301280a@phx.gbl...
> >> >> >> >> >> Years.
> >> >> >> >> >>
> >> >> >> >> >> >-----Original Message-----
> >> >> >> >> >> >Scott,
> >> >> >> >> >> >
> >> >> >> >> >> >What value do you have
> >> >> under "ValidityPeriodUnits"
> >> >> >> >> >> Registry Key?
> >> >> >> >> >> >
> >> >> >> >> >> >Mike
> >> >> >> >> >> >
> >> >> >> >> >> >"Scott25"
> >> <anonymous@discussions.microsoft.com>
> >> >> >> wrote
> >> >> >> >> in
> >> >> >> >> >> message
> >> >> >> >> >> >news:3aa601c48f92$bc102b70
> $a601280a@phx.gbl...
> >> >> >> >> >> >> Thanks for the article. I followed it
> and
> >> >> >> discovered
> >> >> >> >> >> >> that everything in my registry was
> already
> >> set
> >> >> >> >> >> correctly.
> >> >> >> >> >> >>
> >> >> >> >> >> >> My root certificate is correctly being
> >> issued
> >> >> >> with a
> >> >> >> >> 2
> >> >> >> >> >> >> year expiration date.
> >> >> >> >> >> >>
> >> >> >> >> >> >> My problem is that all the certificates
> >> that I
> >> >> >> issue
> >> >> >> >> to
> >> >> >> >> >> >> my VPN keys that are based on that root
> >> >> >> certificate
> >> >> >> >> >> have
> >> >> >> >> >> >> an expiration date of only 1 year. I
> don't
> >> >> >> >> understand
> >> >> >> >> >> >> why these would have a different
> expiration
> >> >> date.
> >> >> >> >> >> >>
> >> >> >> >> >> >> Any other thoughts? Thanks for all your
> >> help.
> >> >> >> >> >> >>
> >> >> >> >> >> >> >-----Original Message-----
> >> >> >> >> >> >> >Hi Scott,
> >> >> >> >> >> >> >
> >> >> >> >> >> >> >How To Change the Expiration Date of
> >> >> Certificates
> >> >> >> >> That
> >> >> >> >> >> >> Are Issued by a
> >> >> >> >> >> >> >Windows Server 2003 or a Windows 2000
> >> Server
> >> >> >> >> >> Certificate
> >> >> >> >> >> >> Authority
> >> >> >> >> >> >>
> >http://support.microsoft.com/default.aspx?
> >> >> >> >> scid=kb;en-
> >> >> >> >> >> >> us;254632&Product=win2000
> >> >> >> >> >> >> >
> >> >> >> >> >> >> >Feel free to post back if you have any
> >> >> questions
> >> >> >> >> >> >> regarding this.
> >> >> >> >> >> >> >
> >> >> >> >> >> >> >Mike
> >> >> >> >> >> >> >
> >> >> >> >> >> >> >"Scott25"
> >> >> <anonymous@discussions.microsoft.com>
> >> >> >> >> wrote
> >> >> >> >> >> in
> >> >> >> >> >> >> message
> >> >> >> >> >> >> >news:01bf01c48f89$a7d80460
> >> >> $a401280a@phx.gbl...
> >> >> >> >> >> >> >> My main certificate was set to
> expire on
> >> >> >> September
> >> >> >> >> >> 10,
> >> >> >> >> >> >> >> 2004. I renewed the certificate
> with the
> >> >> same
> >> >> >> >> >> private
> >> >> >> >> >> >> >> key, and it is now set to expire on
> Sep
> >> 1,
> >> >> 2006
> >> >> >> >> >> >> >> (basically 2 years from today) This
> >> >> seemed to
> >> >> >> >> work
> >> >> >> >> >> >> >> correctly. When I now issue a new
> >> >> certificate
> >> >> >> to
> >> >> >> >> a
> >> >> >> >> >> >> smart
> >> >> >> >> >> >> >> card for VPN purposes, it gives the
> >> >> >> certificate an
> >> >> >> >> >> >> >> expiration date of Sep 1, 2005 (A
> year
> >> >> before
> >> >> >> the
> >> >> >> >> >> base
> >> >> >> >> >> >> >> certificate is set to expire).
> >> >> >> >> >> >> >>
> >> >> >> >> >> >> >> I don't want to have to renew all the
> >> >> company's
> >> >> >> >> VPN
> >> >> >> >> >> >> keys
> >> >> >> >> >> >> >> in a year. How can I set the
> expiration
> >> >> date
> >> >> >> to
> >> >> >> >> the
> >> >> >> >> >> >> same
> >> >> >> >> >> >> >> as the root cert?
> >> >> >> >> >> >> >
> >> >> >> >> >> >> >
> >> >> >> >> >> >> >.
> >> >> >> >> >> >> >
> >> >> >> >> >> >
> >> >> >> >> >> >
> >> >> >> >> >> >.
> >> >> >> >> >> >
> >> >> >> >> >
> >> >> >> >> >
> >> >> >> >> >.
> >> >> >> >> >
> >> >> >> >
> >> >> >> >
> >> >> >> >.
> >> >> >> >
> >> >> >
> >> >> >
> >> >> >.
> >> >> >
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >
Anonymous
September 2, 2004 12:32:07 AM

Archived from groups: microsoft.public.win2000.security (More info?)

CSP: eToken base Cryptographic Provider

The smart cards do hold the certificates, but I am not
quite sure from a technical perspective how VPN works.
We set up a VPN connection that uses the smart cards
which hold the certificate. The root certificate also
has to be loaded on to the computer that is VPN'd in.
The VPN is based on the smart cards though.

>-----Original Message-----
>Do you actually use Smart Cards to logon to domain -- or
just to store
>certificates for VPN? What CSP do you use (CSP =
Cryptographic Service
>Provider).
>
>Mike
>
>"Scott25" <anonymous@discussions.microsoft.com> wrote in
message
>news:459e01c49050$36eaafb0$a301280a@phx.gbl...
>> SmartCard Logon
>>
>> Sorry, I keep forgetting to put in my name and it shows
>> up as anonymous. Thanks for all your help so far.
>>
>>
>> >-----Original Message-----
>> >In the web interface you can select between different
>> Certificate Templates
>> >(e.g. Users, Administrator, SmartCard User,
IPSec, ...).
>> Which one do you
>> >select when issuing your certificates?
>> >
>> >http://freeweb.siol.net/mpihler/templates.jpg
>> >
>> >Mike
>> >
>> >"Scott25" <anonymous@discussions.microsoft.com> wrote
in
>> message
>> >news:00a901c49045$2cda6570$a401280a@phx.gbl...
>> >> Not quite sure what you mean when you refer
>> >> to "Template." I am issuing certificates by going
>> through
>> >> a web interface for microsoft certification
services.
>> All
>> >> of the issued certificates show up under
Certification
>> >> Authority, Under the Company Name, and then Issued
>> >> Certificates.
>> >>
>> >> >-----Original Message-----
>> >> >Which template do you use to issue certificate?
>> >> >
>> >> >Mike
>> >> >
>> >> >"Scott25" <anonymous@discussions.microsoft.com>
wrote
>> in
>> >> message
>> >> >news:42e801c4903d$80cd4ec0$a501280a@phx.gbl...
>> >> >> Ok, I may not be able to get around it then.
>> However, I
>> >> >> know 2 years ago when they set this up, they
issued
>> VPN
>> >> >> certificates that had a 2 year expiration period.
>> >> >> Everyone who set this up is gone though, and we
are
>> not
>> >> >> sure how they did this. Thanks for all your help
>> >> though.
>> >> >>
>> >> >> >-----Original Message-----
>> >> >> >It looks as Paul suggested that this 1 year
limit
>> is
>> >> set
>> >> >> in certificate
>> >> >> >template. This is not a problem if you have
>> standalone
>> >> >> CA setup.
>> >> >> >
>> >> >> >Unfortunately on Windows 2000 you can't edit
>> >> (customize)
>> >> >> templates. You can
>> >> >> >create customized templates on Windows 2003.
>> >> >> >
>> >> >> >Mike
>> >> >> >
>> >> >> ><anonymous@discussions.microsoft.com> wrote in
>> message
>> >> >> >news:434b01c49030$f348c900$a301280a@phx.gbl...
>> >> >> >> It says Enterprise Root CA. It is the only CA
>> on our
>> >> >> >> network.
>> >> >> >>
>> >> >> >> >-----Original Message-----
>> >> >> >> >How do you have this CA setup? Is this an
>> Enterprise
>> >> >> Root
>> >> >> >> CA or Standalone
>> >> >> >> >Root CA?
>> >> >> >> >
>> >> >> >> >Mike
>> >> >> >> >
>> >> >> >> ><anonymous@discussions.microsoft.com> wrote
in
>> >> message
>> >> >> >> >news:097801c4902d$b98389b0
$a401280a@phx.gbl...
>> >> >> >> >> I just doublechecked to make sure I was
>> looking at
>> >> >> the
>> >> >> >> >> right values and those are the exact
values I
>> >> have.
>> >> >> >> Under
>> >> >> >> >>
>> >> >> >>
>> >> >>
>> >>
>>
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertS
>> >> >> v
>> >> >> >> >> c\Configuration\"Certifcate Name"
>> >> >> >> >>
>> >> >> >> >> I have
>> >> >> >> >> Validity Period REG_SZ Years
>> >> >> >> >> Validity Period Units REG_DWORD 2
>> >> >> >> >>
>> >> >> >> >> Thanks for all your help, but I am still
not
>> sure
>> >> >> what I
>> >> >> >> >> am doing wrong.
>> >> >> >> >>
>> >> >> >> >> >-----Original Message-----
>> >> >> >> >> >I think you are looking at wrong values:
>> >> >> >> >> >
>> >> >> >> >> >Under
>> >> >> >> >>
>> >> >> >>
>> >> >>
>> >>
>>
>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cert
>> >> >> S
>> >> >> >> >> vc\Configuration\<
>> >> >> >> >> >CAName>
>> >> >> >> >> >
>> >> >> >> >> >Set this values like this:
>> >> >> >> >> >
>> >> >> >> >> >REG_SZ ValidityPeriod
Years
>> >> >> >> >> >REG_DWORD ValidityPeriodUnits 2
>> >> >> >> >> >
>> >> >> >> >> >(default value for REG_DWORD
>> ValidityPeriodUnits
>> >> >> is 1 )
>> >> >> >> >> >
>> >> >> >> >> >Again check the posted article again! Also
>> check
>> >> >> Paul's
>> >> >> >> >> post!
>> >> >> >> >> >
>> >> >> >> >> >Mike
>> >> >> >> >> >
>> >> >> >> >> ><anonymous@discussions.microsoft.com>
wrote
>> in
>> >> >> message
>> >> >> >> >> >news:425001c49027$d198c1b0
>> $a301280a@phx.gbl...
>> >> >> >> >> >> Years.
>> >> >> >> >> >>
>> >> >> >> >> >> >-----Original Message-----
>> >> >> >> >> >> >Scott,
>> >> >> >> >> >> >
>> >> >> >> >> >> >What value do you have
>> >> >> under "ValidityPeriodUnits"
>> >> >> >> >> >> Registry Key?
>> >> >> >> >> >> >
>> >> >> >> >> >> >Mike
>> >> >> >> >> >> >
>> >> >> >> >> >> >"Scott25"
>> >> <anonymous@discussions.microsoft.com>
>> >> >> >> wrote
>> >> >> >> >> in
>> >> >> >> >> >> message
>> >> >> >> >> >> >news:3aa601c48f92$bc102b70
>> $a601280a@phx.gbl...
>> >> >> >> >> >> >> Thanks for the article. I followed
it
>> and
>> >> >> >> discovered
>> >> >> >> >> >> >> that everything in my registry was
>> already
>> >> set
>> >> >> >> >> >> correctly.
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> My root certificate is correctly
being
>> >> issued
>> >> >> >> with a
>> >> >> >> >> 2
>> >> >> >> >> >> >> year expiration date.
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> My problem is that all the
certificates
>> >> that I
>> >> >> >> issue
>> >> >> >> >> to
>> >> >> >> >> >> >> my VPN keys that are based on that
root
>> >> >> >> certificate
>> >> >> >> >> >> have
>> >> >> >> >> >> >> an expiration date of only 1 year. I
>> don't
>> >> >> >> >> understand
>> >> >> >> >> >> >> why these would have a different
>> expiration
>> >> >> date.
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> Any other thoughts? Thanks for all
your
>> >> help.
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> >-----Original Message-----
>> >> >> >> >> >> >> >Hi Scott,
>> >> >> >> >> >> >> >
>> >> >> >> >> >> >> >How To Change the Expiration Date of
>> >> >> Certificates
>> >> >> >> >> That
>> >> >> >> >> >> >> Are Issued by a
>> >> >> >> >> >> >> >Windows Server 2003 or a Windows
2000
>> >> Server
>> >> >> >> >> >> Certificate
>> >> >> >> >> >> >> Authority
>> >> >> >> >> >> >>
>> >http://support.microsoft.com/default.aspx?
>> >> >> >> >> scid=kb;en-
>> >> >> >> >> >> >> us;254632&Product=win2000
>> >> >> >> >> >> >> >
>> >> >> >> >> >> >> >Feel free to post back if you have
any
>> >> >> questions
>> >> >> >> >> >> >> regarding this.
>> >> >> >> >> >> >> >
>> >> >> >> >> >> >> >Mike
>> >> >> >> >> >> >> >
>> >> >> >> >> >> >> >"Scott25"
>> >> >> <anonymous@discussions.microsoft.com>
>> >> >> >> >> wrote
>> >> >> >> >> >> in
>> >> >> >> >> >> >> message
>> >> >> >> >> >> >> >news:01bf01c48f89$a7d80460
>> >> >> $a401280a@phx.gbl...
>> >> >> >> >> >> >> >> My main certificate was set to
>> expire on
>> >> >> >> September
>> >> >> >> >> >> 10,
>> >> >> >> >> >> >> >> 2004. I renewed the certificate
>> with the
>> >> >> same
>> >> >> >> >> >> private
>> >> >> >> >> >> >> >> key, and it is now set to expire
on
>> Sep
>> >> 1,
>> >> >> 2006
>> >> >> >> >> >> >> >> (basically 2 years from today)
This
>> >> >> seemed to
>> >> >> >> >> work
>> >> >> >> >> >> >> >> correctly. When I now issue a new
>> >> >> certificate
>> >> >> >> to
>> >> >> >> >> a
>> >> >> >> >> >> >> smart
>> >> >> >> >> >> >> >> card for VPN purposes, it gives
the
>> >> >> >> certificate an
>> >> >> >> >> >> >> >> expiration date of Sep 1, 2005 (A
>> year
>> >> >> before
>> >> >> >> the
>> >> >> >> >> >> base
>> >> >> >> >> >> >> >> certificate is set to expire).
>> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >> I don't want to have to renew all
the
>> >> >> company's
>> >> >> >> >> VPN
>> >> >> >> >> >> >> keys
>> >> >> >> >> >> >> >> in a year. How can I set the
>> expiration
>> >> >> date
>> >> >> >> to
>> >> >> >> >> the
>> >> >> >> >> >> >> same
>> >> >> >> >> >> >> >> as the root cert?
>> >> >> >> >> >> >> >
>> >> >> >> >> >> >> >
>> >> >> >> >> >> >> >.
>> >> >> >> >> >> >> >
>> >> >> >> >> >> >
>> >> >> >> >> >> >
>> >> >> >> >> >> >.
>> >> >> >> >> >> >
>> >> >> >> >> >
>> >> >> >> >> >
>> >> >> >> >> >.
>> >> >> >> >> >
>> >> >> >> >
>> >> >> >> >
>> >> >> >> >.
>> >> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >.
>> >> >> >
>> >> >
>> >> >
>> >> >.
>> >> >
>> >
>> >
>> >.
>> >
>
>
>.
>
Anonymous
September 2, 2004 1:48:44 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Scott,

Sorry, but I can't seem to find a way around this... One solution would be
to migrate to Windows 2003 Enterprise CA. There you can edit templates and
change validity period.

Mike

"Scott25" <anonymous@discussions.microsoft.com> wrote in message
news:447c01c49053$98d381e0$a501280a@phx.gbl...
> CSP: eToken base Cryptographic Provider
>
> The smart cards do hold the certificates, but I am not
> quite sure from a technical perspective how VPN works.
> We set up a VPN connection that uses the smart cards
> which hold the certificate. The root certificate also
> has to be loaded on to the computer that is VPN'd in.
> The VPN is based on the smart cards though.
>
> >-----Original Message-----
> >Do you actually use Smart Cards to logon to domain -- or
> just to store
> >certificates for VPN? What CSP do you use (CSP =
> Cryptographic Service
> >Provider).
> >
> >Mike
> >
> >"Scott25" <anonymous@discussions.microsoft.com> wrote in
> message
> >news:459e01c49050$36eaafb0$a301280a@phx.gbl...
> >> SmartCard Logon
> >>
> >> Sorry, I keep forgetting to put in my name and it shows
> >> up as anonymous. Thanks for all your help so far.
> >>
> >>
> >> >-----Original Message-----
> >> >In the web interface you can select between different
> >> Certificate Templates
> >> >(e.g. Users, Administrator, SmartCard User,
> IPSec, ...).
> >> Which one do you
> >> >select when issuing your certificates?
> >> >
> >> >http://freeweb.siol.net/mpihler/templates.jpg
> >> >
> >> >Mike
> >> >
> >> >"Scott25" <anonymous@discussions.microsoft.com> wrote
> in
> >> message
> >> >news:00a901c49045$2cda6570$a401280a@phx.gbl...
> >> >> Not quite sure what you mean when you refer
> >> >> to "Template." I am issuing certificates by going
> >> through
> >> >> a web interface for microsoft certification
> services.
> >> All
> >> >> of the issued certificates show up under
> Certification
> >> >> Authority, Under the Company Name, and then Issued
> >> >> Certificates.
> >> >>
> >> >> >-----Original Message-----
> >> >> >Which template do you use to issue certificate?
> >> >> >
> >> >> >Mike
> >> >> >
> >> >> >"Scott25" <anonymous@discussions.microsoft.com>
> wrote
> >> in
> >> >> message
> >> >> >news:42e801c4903d$80cd4ec0$a501280a@phx.gbl...
> >> >> >> Ok, I may not be able to get around it then.
> >> However, I
> >> >> >> know 2 years ago when they set this up, they
> issued
> >> VPN
> >> >> >> certificates that had a 2 year expiration period.
> >> >> >> Everyone who set this up is gone though, and we
> are
> >> not
> >> >> >> sure how they did this. Thanks for all your help
> >> >> though.
> >> >> >>
> >> >> >> >-----Original Message-----
> >> >> >> >It looks as Paul suggested that this 1 year
> limit
> >> is
> >> >> set
> >> >> >> in certificate
> >> >> >> >template. This is not a problem if you have
> >> standalone
> >> >> >> CA setup.
> >> >> >> >
> >> >> >> >Unfortunately on Windows 2000 you can't edit
> >> >> (customize)
> >> >> >> templates. You can
> >> >> >> >create customized templates on Windows 2003.
> >> >> >> >
> >> >> >> >Mike
> >> >> >> >
> >> >> >> ><anonymous@discussions.microsoft.com> wrote in
> >> message
> >> >> >> >news:434b01c49030$f348c900$a301280a@phx.gbl...
> >> >> >> >> It says Enterprise Root CA. It is the only CA
> >> on our
> >> >> >> >> network.
> >> >> >> >>
> >> >> >> >> >-----Original Message-----
> >> >> >> >> >How do you have this CA setup? Is this an
> >> Enterprise
> >> >> >> Root
> >> >> >> >> CA or Standalone
> >> >> >> >> >Root CA?
> >> >> >> >> >
> >> >> >> >> >Mike
> >> >> >> >> >
> >> >> >> >> ><anonymous@discussions.microsoft.com> wrote
> in
> >> >> message
> >> >> >> >> >news:097801c4902d$b98389b0
> $a401280a@phx.gbl...
> >> >> >> >> >> I just doublechecked to make sure I was
> >> looking at
> >> >> >> the
> >> >> >> >> >> right values and those are the exact
> values I
> >> >> have.
> >> >> >> >> Under
> >> >> >> >> >>
> >> >> >> >>
> >> >> >>
> >> >>
> >>
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertS
> >> >> >> v
> >> >> >> >> >> c\Configuration\"Certifcate Name"
> >> >> >> >> >>
> >> >> >> >> >> I have
> >> >> >> >> >> Validity Period REG_SZ Years
> >> >> >> >> >> Validity Period Units REG_DWORD 2
> >> >> >> >> >>
> >> >> >> >> >> Thanks for all your help, but I am still
> not
> >> sure
> >> >> >> what I
> >> >> >> >> >> am doing wrong.
> >> >> >> >> >>
> >> >> >> >> >> >-----Original Message-----
> >> >> >> >> >> >I think you are looking at wrong values:
> >> >> >> >> >> >
> >> >> >> >> >> >Under
> >> >> >> >> >>
> >> >> >> >>
> >> >> >>
> >> >>
> >>
> >HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cert
> >> >> >> S
> >> >> >> >> >> vc\Configuration\<
> >> >> >> >> >> >CAName>
> >> >> >> >> >> >
> >> >> >> >> >> >Set this values like this:
> >> >> >> >> >> >
> >> >> >> >> >> >REG_SZ ValidityPeriod
> Years
> >> >> >> >> >> >REG_DWORD ValidityPeriodUnits 2
> >> >> >> >> >> >
> >> >> >> >> >> >(default value for REG_DWORD
> >> ValidityPeriodUnits
> >> >> >> is 1 )
> >> >> >> >> >> >
> >> >> >> >> >> >Again check the posted article again! Also
> >> check
> >> >> >> Paul's
> >> >> >> >> >> post!
> >> >> >> >> >> >
> >> >> >> >> >> >Mike
> >> >> >> >> >> >
> >> >> >> >> >> ><anonymous@discussions.microsoft.com>
> wrote
> >> in
> >> >> >> message
> >> >> >> >> >> >news:425001c49027$d198c1b0
> >> $a301280a@phx.gbl...
> >> >> >> >> >> >> Years.
> >> >> >> >> >> >>
> >> >> >> >> >> >> >-----Original Message-----
> >> >> >> >> >> >> >Scott,
> >> >> >> >> >> >> >
> >> >> >> >> >> >> >What value do you have
> >> >> >> under "ValidityPeriodUnits"
> >> >> >> >> >> >> Registry Key?
> >> >> >> >> >> >> >
> >> >> >> >> >> >> >Mike
> >> >> >> >> >> >> >
> >> >> >> >> >> >> >"Scott25"
> >> >> <anonymous@discussions.microsoft.com>
> >> >> >> >> wrote
> >> >> >> >> >> in
> >> >> >> >> >> >> message
> >> >> >> >> >> >> >news:3aa601c48f92$bc102b70
> >> $a601280a@phx.gbl...
> >> >> >> >> >> >> >> Thanks for the article. I followed
> it
> >> and
> >> >> >> >> discovered
> >> >> >> >> >> >> >> that everything in my registry was
> >> already
> >> >> set
> >> >> >> >> >> >> correctly.
> >> >> >> >> >> >> >>
> >> >> >> >> >> >> >> My root certificate is correctly
> being
> >> >> issued
> >> >> >> >> with a
> >> >> >> >> >> 2
> >> >> >> >> >> >> >> year expiration date.
> >> >> >> >> >> >> >>
> >> >> >> >> >> >> >> My problem is that all the
> certificates
> >> >> that I
> >> >> >> >> issue
> >> >> >> >> >> to
> >> >> >> >> >> >> >> my VPN keys that are based on that
> root
> >> >> >> >> certificate
> >> >> >> >> >> >> have
> >> >> >> >> >> >> >> an expiration date of only 1 year. I
> >> don't
> >> >> >> >> >> understand
> >> >> >> >> >> >> >> why these would have a different
> >> expiration
> >> >> >> date.
> >> >> >> >> >> >> >>
> >> >> >> >> >> >> >> Any other thoughts? Thanks for all
> your
> >> >> help.
> >> >> >> >> >> >> >>
> >> >> >> >> >> >> >> >-----Original Message-----
> >> >> >> >> >> >> >> >Hi Scott,
> >> >> >> >> >> >> >> >
> >> >> >> >> >> >> >> >How To Change the Expiration Date of
> >> >> >> Certificates
> >> >> >> >> >> That
> >> >> >> >> >> >> >> Are Issued by a
> >> >> >> >> >> >> >> >Windows Server 2003 or a Windows
> 2000
> >> >> Server
> >> >> >> >> >> >> Certificate
> >> >> >> >> >> >> >> Authority
> >> >> >> >> >> >> >>
> >> >http://support.microsoft.com/default.aspx?
> >> >> >> >> >> scid=kb;en-
> >> >> >> >> >> >> >> us;254632&Product=win2000
> >> >> >> >> >> >> >> >
> >> >> >> >> >> >> >> >Feel free to post back if you have
> any
> >> >> >> questions
> >> >> >> >> >> >> >> regarding this.
> >> >> >> >> >> >> >> >
> >> >> >> >> >> >> >> >Mike
> >> >> >> >> >> >> >> >
> >> >> >> >> >> >> >> >"Scott25"
> >> >> >> <anonymous@discussions.microsoft.com>
> >> >> >> >> >> wrote
> >> >> >> >> >> >> in
> >> >> >> >> >> >> >> message
> >> >> >> >> >> >> >> >news:01bf01c48f89$a7d80460
> >> >> >> $a401280a@phx.gbl...
> >> >> >> >> >> >> >> >> My main certificate was set to
> >> expire on
> >> >> >> >> September
> >> >> >> >> >> >> 10,
> >> >> >> >> >> >> >> >> 2004. I renewed the certificate
> >> with the
> >> >> >> same
> >> >> >> >> >> >> private
> >> >> >> >> >> >> >> >> key, and it is now set to expire
> on
> >> Sep
> >> >> 1,
> >> >> >> 2006
> >> >> >> >> >> >> >> >> (basically 2 years from today)
> This
> >> >> >> seemed to
> >> >> >> >> >> work
> >> >> >> >> >> >> >> >> correctly. When I now issue a new
> >> >> >> certificate
> >> >> >> >> to
> >> >> >> >> >> a
> >> >> >> >> >> >> >> smart
> >> >> >> >> >> >> >> >> card for VPN purposes, it gives
> the
> >> >> >> >> certificate an
> >> >> >> >> >> >> >> >> expiration date of Sep 1, 2005 (A
> >> year
> >> >> >> before
> >> >> >> >> the
> >> >> >> >> >> >> base
> >> >> >> >> >> >> >> >> certificate is set to expire).
> >> >> >> >> >> >> >> >>
> >> >> >> >> >> >> >> >> I don't want to have to renew all
> the
> >> >> >> company's
> >> >> >> >> >> VPN
> >> >> >> >> >> >> >> keys
> >> >> >> >> >> >> >> >> in a year. How can I set the
> >> expiration
> >> >> >> date
> >> >> >> >> to
> >> >> >> >> >> the
> >> >> >> >> >> >> >> same
> >> >> >> >> >> >> >> >> as the root cert?
> >> >> >> >> >> >> >> >
> >> >> >> >> >> >> >> >
> >> >> >> >> >> >> >> >.
> >> >> >> >> >> >> >> >
> >> >> >> >> >> >> >
> >> >> >> >> >> >> >
> >> >> >> >> >> >> >.
> >> >> >> >> >> >> >
> >> >> >> >> >> >
> >> >> >> >> >> >
> >> >> >> >> >> >.
> >> >> >> >> >> >
> >> >> >> >> >
> >> >> >> >> >
> >> >> >> >> >.
> >> >> >> >> >
> >> >> >> >
> >> >> >> >
> >> >> >> >.
> >> >> >> >
> >> >> >
> >> >> >
> >> >> >.
> >> >> >
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >
Anonymous
September 2, 2004 4:21:50 PM

Archived from groups: microsoft.public.win2000.security (More info?)

One more thing. MS CA will not issue a user certificate
whose expiration will be BEYOND the issuing authority
certificate.

If you use 2003 online CA, it contains templates. You may
create a new template by copying an already available one
and modify the validty period issued using the template.
--Amjad.
>-----Original Message-----
>Not quite sure what you mean when you refer
>to "Template." I am issuing certificates by going
through
>a web interface for microsoft certification services.
All
>of the issued certificates show up under Certification
>Authority, Under the Company Name, and then Issued
>Certificates.
>
>>-----Original Message-----
>>Which template do you use to issue certificate?
>>
>>Mike
>>
>>"Scott25" <anonymous@discussions.microsoft.com> wrote in
>message
>>news:42e801c4903d$80cd4ec0$a501280a@phx.gbl...
>>> Ok, I may not be able to get around it then. However,
I
>>> know 2 years ago when they set this up, they issued VPN
>>> certificates that had a 2 year expiration period.
>>> Everyone who set this up is gone though, and we are not
>>> sure how they did this. Thanks for all your help
>though.
>>>
>>> >-----Original Message-----
>>> >It looks as Paul suggested that this 1 year limit is
>set
>>> in certificate
>>> >template. This is not a problem if you have standalone
>>> CA setup.
>>> >
>>> >Unfortunately on Windows 2000 you can't edit
>(customize)
>>> templates. You can
>>> >create customized templates on Windows 2003.
>>> >
>>> >Mike
>>> >
>>> ><anonymous@discussions.microsoft.com> wrote in message
>>> >news:434b01c49030$f348c900$a301280a@phx.gbl...
>>> >> It says Enterprise Root CA. It is the only CA on
our
>>> >> network.
>>> >>
>>> >> >-----Original Message-----
>>> >> >How do you have this CA setup? Is this an
Enterprise
>>> Root
>>> >> CA or Standalone
>>> >> >Root CA?
>>> >> >
>>> >> >Mike
>>> >> >
>>> >> ><anonymous@discussions.microsoft.com> wrote in
>message
>>> >> >news:097801c4902d$b98389b0$a401280a@phx.gbl...
>>> >> >> I just doublechecked to make sure I was looking
at
>>> the
>>> >> >> right values and those are the exact values I
>have.
>>> >> Under
>>> >> >>
>>> >>
>>>
>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertS
>>> v
>>> >> >> c\Configuration\"Certifcate Name"
>>> >> >>
>>> >> >> I have
>>> >> >> Validity Period REG_SZ Years
>>> >> >> Validity Period Units REG_DWORD 2
>>> >> >>
>>> >> >> Thanks for all your help, but I am still not sure
>>> what I
>>> >> >> am doing wrong.
>>> >> >>
>>> >> >> >-----Original Message-----
>>> >> >> >I think you are looking at wrong values:
>>> >> >> >
>>> >> >> >Under
>>> >> >>
>>> >>
>>>
>>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cert
>>> S
>>> >> >> vc\Configuration\<
>>> >> >> >CAName>
>>> >> >> >
>>> >> >> >Set this values like this:
>>> >> >> >
>>> >> >> >REG_SZ ValidityPeriod Years
>>> >> >> >REG_DWORD ValidityPeriodUnits 2
>>> >> >> >
>>> >> >> >(default value for REG_DWORD ValidityPeriodUnits
>>> is 1 )
>>> >> >> >
>>> >> >> >Again check the posted article again! Also check
>>> Paul's
>>> >> >> post!
>>> >> >> >
>>> >> >> >Mike
>>> >> >> >
>>> >> >> ><anonymous@discussions.microsoft.com> wrote in
>>> message
>>> >> >> >news:425001c49027$d198c1b0$a301280a@phx.gbl...
>>> >> >> >> Years.
>>> >> >> >>
>>> >> >> >> >-----Original Message-----
>>> >> >> >> >Scott,
>>> >> >> >> >
>>> >> >> >> >What value do you have
>>> under "ValidityPeriodUnits"
>>> >> >> >> Registry Key?
>>> >> >> >> >
>>> >> >> >> >Mike
>>> >> >> >> >
>>> >> >> >> >"Scott25"
><anonymous@discussions.microsoft.com>
>>> >> wrote
>>> >> >> in
>>> >> >> >> message
>>> >> >> >> >news:3aa601c48f92$bc102b70
$a601280a@phx.gbl...
>>> >> >> >> >> Thanks for the article. I followed it and
>>> >> discovered
>>> >> >> >> >> that everything in my registry was already
>set
>>> >> >> >> correctly.
>>> >> >> >> >>
>>> >> >> >> >> My root certificate is correctly being
>issued
>>> >> with a
>>> >> >> 2
>>> >> >> >> >> year expiration date.
>>> >> >> >> >>
>>> >> >> >> >> My problem is that all the certificates
>that I
>>> >> issue
>>> >> >> to
>>> >> >> >> >> my VPN keys that are based on that root
>>> >> certificate
>>> >> >> >> have
>>> >> >> >> >> an expiration date of only 1 year. I don't
>>> >> >> understand
>>> >> >> >> >> why these would have a different expiration
>>> date.
>>> >> >> >> >>
>>> >> >> >> >> Any other thoughts? Thanks for all your
>help.
>>> >> >> >> >>
>>> >> >> >> >> >-----Original Message-----
>>> >> >> >> >> >Hi Scott,
>>> >> >> >> >> >
>>> >> >> >> >> >How To Change the Expiration Date of
>>> Certificates
>>> >> >> That
>>> >> >> >> >> Are Issued by a
>>> >> >> >> >> >Windows Server 2003 or a Windows 2000
>Server
>>> >> >> >> Certificate
>>> >> >> >> >> Authority
>>> >> >> >> >> >http://support.microsoft.com/default.aspx?
>>> >> >> scid=kb;en-
>>> >> >> >> >> us;254632&Product=win2000
>>> >> >> >> >> >
>>> >> >> >> >> >Feel free to post back if you have any
>>> questions
>>> >> >> >> >> regarding this.
>>> >> >> >> >> >
>>> >> >> >> >> >Mike
>>> >> >> >> >> >
>>> >> >> >> >> >"Scott25"
>>> <anonymous@discussions.microsoft.com>
>>> >> >> wrote
>>> >> >> >> in
>>> >> >> >> >> message
>>> >> >> >> >> >news:01bf01c48f89$a7d80460
>>> $a401280a@phx.gbl...
>>> >> >> >> >> >> My main certificate was set to expire on
>>> >> September
>>> >> >> >> 10,
>>> >> >> >> >> >> 2004. I renewed the certificate with
the
>>> same
>>> >> >> >> private
>>> >> >> >> >> >> key, and it is now set to expire on Sep
>1,
>>> 2006
>>> >> >> >> >> >> (basically 2 years from today) This
>>> seemed to
>>> >> >> work
>>> >> >> >> >> >> correctly. When I now issue a new
>>> certificate
>>> >> to
>>> >> >> a
>>> >> >> >> >> smart
>>> >> >> >> >> >> card for VPN purposes, it gives the
>>> >> certificate an
>>> >> >> >> >> >> expiration date of Sep 1, 2005 (A year
>>> before
>>> >> the
>>> >> >> >> base
>>> >> >> >> >> >> certificate is set to expire).
>>> >> >> >> >> >>
>>> >> >> >> >> >> I don't want to have to renew all the
>>> company's
>>> >> >> VPN
>>> >> >> >> >> keys
>>> >> >> >> >> >> in a year. How can I set the expiration
>>> date
>>> >> to
>>> >> >> the
>>> >> >> >> >> same
>>> >> >> >> >> >> as the root cert?
>>> >> >> >> >> >
>>> >> >> >> >> >
>>> >> >> >> >> >.
>>> >> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >.
>>> >> >> >> >
>>> >> >> >
>>> >> >> >
>>> >> >> >.
>>> >> >> >
>>> >> >
>>> >> >
>>> >> >.
>>> >> >
>>> >
>>> >
>>> >.
>>> >
>>
>>
>>.
>>
>.
>
Anonymous
September 3, 2004 2:25:24 AM

Archived from groups: microsoft.public.win2000.security (More info?)

It's 2000 CA.

If e.g. CA cert is valid till e.g. 1.9.2006 and you have policy (template)
that should issue certificate for 5 years CA will create a certificate that
will be valid for 1.9.2006.

Mike

"Amjad." <anonymous@discussions.microsoft.com> wrote in message
news:04b601c49122$18928e70$3501280a@phx.gbl...
> One more thing. MS CA will not issue a user certificate
> whose expiration will be BEYOND the issuing authority
> certificate.
>
> If you use 2003 online CA, it contains templates. You may
> create a new template by copying an already available one
> and modify the validty period issued using the template.
> --Amjad.
> >-----Original Message-----
> >Not quite sure what you mean when you refer
> >to "Template." I am issuing certificates by going
> through
> >a web interface for microsoft certification services.
> All
> >of the issued certificates show up under Certification
> >Authority, Under the Company Name, and then Issued
> >Certificates.
> >
> >>-----Original Message-----
> >>Which template do you use to issue certificate?
> >>
> >>Mike
> >>
> >>"Scott25" <anonymous@discussions.microsoft.com> wrote in
> >message
> >>news:42e801c4903d$80cd4ec0$a501280a@phx.gbl...
> >>> Ok, I may not be able to get around it then. However,
> I
> >>> know 2 years ago when they set this up, they issued VPN
> >>> certificates that had a 2 year expiration period.
> >>> Everyone who set this up is gone though, and we are not
> >>> sure how they did this. Thanks for all your help
> >though.
> >>>
> >>> >-----Original Message-----
> >>> >It looks as Paul suggested that this 1 year limit is
> >set
> >>> in certificate
> >>> >template. This is not a problem if you have standalone
> >>> CA setup.
> >>> >
> >>> >Unfortunately on Windows 2000 you can't edit
> >(customize)
> >>> templates. You can
> >>> >create customized templates on Windows 2003.
> >>> >
> >>> >Mike
> >>> >
> >>> ><anonymous@discussions.microsoft.com> wrote in message
> >>> >news:434b01c49030$f348c900$a301280a@phx.gbl...
> >>> >> It says Enterprise Root CA. It is the only CA on
> our
> >>> >> network.
> >>> >>
> >>> >> >-----Original Message-----
> >>> >> >How do you have this CA setup? Is this an
> Enterprise
> >>> Root
> >>> >> CA or Standalone
> >>> >> >Root CA?
> >>> >> >
> >>> >> >Mike
> >>> >> >
> >>> >> ><anonymous@discussions.microsoft.com> wrote in
> >message
> >>> >> >news:097801c4902d$b98389b0$a401280a@phx.gbl...
> >>> >> >> I just doublechecked to make sure I was looking
> at
> >>> the
> >>> >> >> right values and those are the exact values I
> >have.
> >>> >> Under
> >>> >> >>
> >>> >>
> >>>
> >HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertS
> >>> v
> >>> >> >> c\Configuration\"Certifcate Name"
> >>> >> >>
> >>> >> >> I have
> >>> >> >> Validity Period REG_SZ Years
> >>> >> >> Validity Period Units REG_DWORD 2
> >>> >> >>
> >>> >> >> Thanks for all your help, but I am still not sure
> >>> what I
> >>> >> >> am doing wrong.
> >>> >> >>
> >>> >> >> >-----Original Message-----
> >>> >> >> >I think you are looking at wrong values:
> >>> >> >> >
> >>> >> >> >Under
> >>> >> >>
> >>> >>
> >>>
> >>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cert
> >>> S
> >>> >> >> vc\Configuration\<
> >>> >> >> >CAName>
> >>> >> >> >
> >>> >> >> >Set this values like this:
> >>> >> >> >
> >>> >> >> >REG_SZ ValidityPeriod Years
> >>> >> >> >REG_DWORD ValidityPeriodUnits 2
> >>> >> >> >
> >>> >> >> >(default value for REG_DWORD ValidityPeriodUnits
> >>> is 1 )
> >>> >> >> >
> >>> >> >> >Again check the posted article again! Also check
> >>> Paul's
> >>> >> >> post!
> >>> >> >> >
> >>> >> >> >Mike
> >>> >> >> >
> >>> >> >> ><anonymous@discussions.microsoft.com> wrote in
> >>> message
> >>> >> >> >news:425001c49027$d198c1b0$a301280a@phx.gbl...
> >>> >> >> >> Years.
> >>> >> >> >>
> >>> >> >> >> >-----Original Message-----
> >>> >> >> >> >Scott,
> >>> >> >> >> >
> >>> >> >> >> >What value do you have
> >>> under "ValidityPeriodUnits"
> >>> >> >> >> Registry Key?
> >>> >> >> >> >
> >>> >> >> >> >Mike
> >>> >> >> >> >
> >>> >> >> >> >"Scott25"
> ><anonymous@discussions.microsoft.com>
> >>> >> wrote
> >>> >> >> in
> >>> >> >> >> message
> >>> >> >> >> >news:3aa601c48f92$bc102b70
> $a601280a@phx.gbl...
> >>> >> >> >> >> Thanks for the article. I followed it and
> >>> >> discovered
> >>> >> >> >> >> that everything in my registry was already
> >set
> >>> >> >> >> correctly.
> >>> >> >> >> >>
> >>> >> >> >> >> My root certificate is correctly being
> >issued
> >>> >> with a
> >>> >> >> 2
> >>> >> >> >> >> year expiration date.
> >>> >> >> >> >>
> >>> >> >> >> >> My problem is that all the certificates
> >that I
> >>> >> issue
> >>> >> >> to
> >>> >> >> >> >> my VPN keys that are based on that root
> >>> >> certificate
> >>> >> >> >> have
> >>> >> >> >> >> an expiration date of only 1 year. I don't
> >>> >> >> understand
> >>> >> >> >> >> why these would have a different expiration
> >>> date.
> >>> >> >> >> >>
> >>> >> >> >> >> Any other thoughts? Thanks for all your
> >help.
> >>> >> >> >> >>
> >>> >> >> >> >> >-----Original Message-----
> >>> >> >> >> >> >Hi Scott,
> >>> >> >> >> >> >
> >>> >> >> >> >> >How To Change the Expiration Date of
> >>> Certificates
> >>> >> >> That
> >>> >> >> >> >> Are Issued by a
> >>> >> >> >> >> >Windows Server 2003 or a Windows 2000
> >Server
> >>> >> >> >> Certificate
> >>> >> >> >> >> Authority
> >>> >> >> >> >> >http://support.microsoft.com/default.aspx?
> >>> >> >> scid=kb;en-
> >>> >> >> >> >> us;254632&Product=win2000
> >>> >> >> >> >> >
> >>> >> >> >> >> >Feel free to post back if you have any
> >>> questions
> >>> >> >> >> >> regarding this.
> >>> >> >> >> >> >
> >>> >> >> >> >> >Mike
> >>> >> >> >> >> >
> >>> >> >> >> >> >"Scott25"
> >>> <anonymous@discussions.microsoft.com>
> >>> >> >> wrote
> >>> >> >> >> in
> >>> >> >> >> >> message
> >>> >> >> >> >> >news:01bf01c48f89$a7d80460
> >>> $a401280a@phx.gbl...
> >>> >> >> >> >> >> My main certificate was set to expire on
> >>> >> September
> >>> >> >> >> 10,
> >>> >> >> >> >> >> 2004. I renewed the certificate with
> the
> >>> same
> >>> >> >> >> private
> >>> >> >> >> >> >> key, and it is now set to expire on Sep
> >1,
> >>> 2006
> >>> >> >> >> >> >> (basically 2 years from today) This
> >>> seemed to
> >>> >> >> work
> >>> >> >> >> >> >> correctly. When I now issue a new
> >>> certificate
> >>> >> to
> >>> >> >> a
> >>> >> >> >> >> smart
> >>> >> >> >> >> >> card for VPN purposes, it gives the
> >>> >> certificate an
> >>> >> >> >> >> >> expiration date of Sep 1, 2005 (A year
> >>> before
> >>> >> the
> >>> >> >> >> base
> >>> >> >> >> >> >> certificate is set to expire).
> >>> >> >> >> >> >>
> >>> >> >> >> >> >> I don't want to have to renew all the
> >>> company's
> >>> >> >> VPN
> >>> >> >> >> >> keys
> >>> >> >> >> >> >> in a year. How can I set the expiration
> >>> date
> >>> >> to
> >>> >> >> the
> >>> >> >> >> >> same
> >>> >> >> >> >> >> as the root cert?
> >>> >> >> >> >> >
> >>> >> >> >> >> >
> >>> >> >> >> >> >.
> >>> >> >> >> >> >
> >>> >> >> >> >
> >>> >> >> >> >
> >>> >> >> >> >.
> >>> >> >> >> >
> >>> >> >> >
> >>> >> >> >
> >>> >> >> >.
> >>> >> >> >
> >>> >> >
> >>> >> >
> >>> >> >.
> >>> >> >
> >>> >
> >>> >
> >>> >.
> >>> >
> >>
> >>
> >>.
> >>
> >.
> >
!