How to Renew Root Certificate of Microsoft CA with a longer validity period

You might have defined the root certificate validity period of your internal Microsoft CA as 5 years at initial installation. What if you later want to extend it to a longer duration, such as 10 or 20 years? For this, you need to create a CaPolicy.inf file in the Windows installation directory (typically C:\Windows), put some settings in it, and start the renewal process.

Create a new text file and save it as CaPolicy.inf under C:\Windows. Put the following settings in the file. Here, RenewalValidityPeriodUnits is the expiration duration, measured in the unit defined by RenewalValidityPeriod (years in this case). You can learn more about these settings on the Microsoft site.

[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
CRLPeriod=Days
CRLPeriodUnits=2
CRLDeltaPeriod=Hours
CRLDeltaPeriodUnits=4
ClockSkewMinutes=20
LoadDefaultTemplates=True
AlternateSignatureAlgorithm=0
ForceUTF8=0
EnableKeyCounting=0

Fig-1: Root Certificate Renewal

Then you can start the root certificate renewal process as shown in Fig-1. Please note that the CA will use the newly created root certificate from then on. So, if your internal CA is a standalone or offline CA, you need to publish the newly created root certificate so that clients receive it in their trusted root certificate store, by running the following certutil command (which publishes the certificate to Active Directory).

certutil -f -dspublish <the path of CA certificate> RootCA

If your CA is an enterprise CA, it publishes the root certificate automatically and you need to do nothing.
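The following PowerShell script is an added example and is not part of the original post. It scripts the two steps around the console renewal: writing CaPolicy.inf beforehand with the settings above, and afterwards exporting the renewed CA certificate, checking that its validity really matches the requested number of years, and publishing it to Active Directory when the CA is standalone. It assumes it runs in an elevated PowerShell on the CA server and that the "Renew CA Certificate" action itself is still done in the Certification Authority console between the two stages. The parameter names, the function names, the $EnterpriseCaTypes mapping (read from the certsvc registry CAType value) and the export path are my own choices.

```powershell
# Added example, not the original post's code. Run elevated on the CA server.
# Stage 'Prepare' writes CaPolicy.inf; renew the CA certificate from the CA
# console; then run Stage 'Verify' to check the new certificate and publish it.
param(
    [ValidateSet('Prepare', 'Verify')]
    [string]$Stage = 'Prepare',
    [int]$ValidityYears = 10,                       # must match RenewalValidityPeriodUnits
    [string]$ExportPath = "$env:TEMP\renewed-ca.cer"  # assumed export location
)

# CAType as stored by certsvc: 0/1 = enterprise root/sub, 3/4 = standalone root/sub
$EnterpriseCaTypes = @(0, 1)
$CertSvcConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Write-CaPolicyInf {
    param([int]$Years, [string]$Path = "$env:windir\CaPolicy.inf")
    $inf = @"
[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=$Years
CRLPeriod=Days
CRLPeriodUnits=2
CRLDeltaPeriod=Hours
CRLDeltaPeriodUnits=4
ClockSkewMinutes=20
LoadDefaultTemplates=True
AlternateSignatureAlgorithm=0
ForceUTF8=0
EnableKeyCounting=0
"@
    # Plain ASCII: certsvc reads CaPolicy.inf as a classic Windows INI file.
    Set-Content -Path $Path -Value $inf -Encoding ASCII
    Write-Host "Wrote $Path. Now renew the CA certificate from the CA console (Fig-1)."
}

function Get-CaType {
    # The 'Active' value names the CA; its subkey holds the CAType DWORD.
    $caName = (Get-ItemProperty -Path $CertSvcConfig -Name Active).Active
    return (Get-ItemProperty -Path "$CertSvcConfig\$caName" -Name CAType).CAType
}

function Test-RenewedCaCert {
    param([int]$ExpectedYears, [string]$CerPath)
    # certutil -ca.cert exports the CA's current (most recently issued) certificate.
    & certutil.exe -ca.cert $CerPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed with exit code $LASTEXITCODE" }

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $years = ($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25
    Write-Host ("Subject:   {0}`nNotBefore: {1}`nNotAfter:  {2}`nValidity:  {3:N2} years" -f `
        $cert.Subject, $cert.NotBefore, $cert.NotAfter, $years)

    # ClockSkewMinutes shifts NotBefore back a little, so allow a small tolerance.
    if ([math]::Abs($years - $ExpectedYears) -gt 0.1) {
        throw "CA certificate validity is $([math]::Round($years, 2)) years, expected $ExpectedYears. Check CaPolicy.inf and renew again."
    }
    return $cert
}

switch ($Stage) {
    'Prepare' { Write-CaPolicyInf -Years $ValidityYears }
    'Verify'  {
        $null = Test-RenewedCaCert -ExpectedYears $ValidityYears -CerPath $ExportPath
        if ($EnterpriseCaTypes -contains (Get-CaType)) {
            Write-Host 'Enterprise CA: the new root certificate is published to AD automatically.'
        } else {
            # Standalone CA: publish to the AD trusted root container so domain clients pick it up.
            # If this CA is offline, copy $ExportPath to a domain-joined admin workstation
            # and run this certutil line there instead.
            & certutil.exe -f -dspublish $ExportPath RootCA
        }
    }
}
```

Run it once with the default stage before the renewal (`.\Renew-RootCa.ps1 -Stage Prepare -ValidityYears 10`, assuming that file name) and again with `-Stage Verify` after the console renewal. The validity check is the part worth keeping even if you write the INF by hand: a CaPolicy.inf that is in the wrong directory or has a typo in a key name is silently ignored, and the renewed certificate then gets the default validity rather than the one you intended.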
