15.9 Certificate expiry and certificate lifetimes

A certificate expires at the moment in time specified in the certificate’s “Valid to” field. Under normal circumstances, the issuing CA decides on the content of this field and the certificate validity period. Windows 2000 and Windows Server 2003 PKI also allow the certificate requestor to specify the validity period. This feature is disabled by default on enterprise CAs and enabled by default on stand-alone CAs. To enable this feature, use the following certutil command:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE

To disable this feature, use the following certutil command:

certutil -setreg policy\EditFlags -EDITF_ATTRIBUTEENDDATE

The certificate lifetime preferences are set differently on enterprise and stand-alone CAs. On a stand-alone CA, the certificate lifetime is set using a set of registry hacks. Both the ValidityPeriod (which can be days, weeks, months, or years) and the ValidityPeriodUnits (holds a number) key are used to set the certificate lifetime. They are located in the HKEY_LOCAL_ MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ <CAName> registry container. The default lifetime of certificates issued by a stand-alone CA is 1 year. To change the certificate lifetime, you can use the following script calling on the certutil command:

certutil -setreg ca\ValidityPeriodUnits 2 certutil -setreg ca\ValidityPeriod "Years" net stop certsvcnet start certsvc

On an enterprise CA, the certificate validity period is set based on certificate template properties (from the General tab—as illustrated in Figure15.17). The lifetime specified in version 1 certificate templates cannot be changed. The lifetime specified in version 2 certificate templates can easily be changed using the Certificate Templates MMC snap-in. Most certificate templates have 1-year lifetimes. Exceptions are the CEP Encryption, Enrollment Agent, IPsec, and Web Server templates that have 2-year lifetimes and the EFS Recovery Agent, Root CA, and Subordinate CA templates that have 5-year lifetimes.

Windows certificate lifetimes support nested validity dates. This means that a certificate can never have a lifetime that is longer than the certificate lifetime of its issuing CA. For example, if the CA’s certificate is about to expire in 13 months and the default certificate lifetime is 2 years, the CA will issue certificates with a 1-year lifetime. The CA administrator should remember to renew The CA certificate early enough not to restrict the lifetime of newly generated certificates.

Within a PKI hierarchy, the lifetime of entities’ certificates will differ depending on the level at which the entity is located in the hierarchy. This is because the higher the entity is in the hierarchy, the more security features will be implemented to safeguard its private key. Remember that CA private key compromise at a higher level in a hierarchy has much more impact than lower in the hierarchy. Also, consider the nesting validity dates feature of Windows PKI: Because an issuing CA’s certificate is part of the certificate chain of all certificates it issues, its own CA certificate should be valid in order for any of the issued certificates to be valid. Thus the CA’s certificate must under all circumstances have a lifetime that is longer than the lifetime of the certificates it issues. We will come back to this topic in the next chapter on Windows PKI design.