Microsoft PKI – Change the Issuing Server’s Certificate Validity Period

The following are assumed in this scenario:

 - The root server is a standalone (off the domain) root CA server
 - The issuing server is an enterprise (on the domain) issuing CA server

By default, the issuing CA server certificate is good for one year. This is controlled by the root CA and is set to one year by default.

This can be verified on the root CA server:

Open PowerShell as admin:
     Certutil -getreg CA\ValidityPeriodUnits
     Certutil -getreg CA\ValidityPeriod

To change the issuing server’s certificate validity period to 5 years:

On the root standalone CA:
	Open PowerShell as admin
		Certutil -setreg CA\ValidityPeriodUnits 5

If ValidityPeriod is set to years already , no need to do the next command, but just in case:

Certutil -setreg CA\ValidityPeriod "Years"

For good measure:

restart-service certsvc

Verify the settings are what you want them to be:

Certutil -getreg CA\ValidityPeriodUnits
Certutil -getreg CA\ValidityPeriod

When you renew the enterprise issuing server’s certificate, it should be good for 5 years. Verify this by looking at the certificate properties.