How to increase the lifetime of Enterprise Root and Subordinate certification authorities?

Hi, I'm hoping somebody out there can help out...

I have a question about extending the lifetime of certificates that can be issued by our Subordinate (Issuing) Certification Authority. I've worked with Certificate Services, but don't have in-depth knowledge of its inner workings (and I've tried a Google search without much success).

We have 1 Enterprise Root and 1 Enterprise Subordinate Certification Authority. They are running on Windows 2008 R2 SP1 Enterprise. We use the Subordinate for issuing certificates and the Root does pretty much nothing. We're running in a single forest, single domain (functional level 2008 R2) with a large Windows XP, Vista, 7, 2003, and 2008 base of workstations and servers. (We also have a large Mac base of devices as well.)

During Certificate Services installation, the Root was set up for 5 years (as seen in the Root Certification Authority template) and the Subordinate was set up for 2 years (as seen in the Subordinate Certification Authority template).  These were the default values when we installed Certificate Services.

Now we need to start handing out 2 year certificates for our workstations. Increasing the lifetime of the workstation certificates is straightforward, but we need a longer lifetime on the Enterprise Certification Authorities so that the workstation certificates are not limited by the lifetime of the "issuing" servers.

Based on our workstation certificate requirements, I think that increasing the lifetime of the Root to 10+ years and the Subordinate to 5 years would be an ideal solution. We'd then renew the Subordinate every 3 years and the Root as required (to cover the lifetime of the Subordinate). The end goal is the issuance of 2 year workstation certificates without needing to renew the Root and Subordinate too often (while maintaining reasonable lifetimes for security purposes).

Is the easiest way to achieve our end goal to increase the lifetime of the Root Certification Authority and Subordinate Certification Authority templates and then get new certificates for the Root and Subordinate? If this is the easiest way to achieve our end goal, then I believe I'll need to do the following 3 main steps:

  1. duplicate the existing templates to version 2 templates so that the lifetimes can be increased
  2. issue/install a new certificate on the Root based on the newly duplicated Root Certification Authority template
  3. issue/install a new certificate on the Subordinate based on the newly duplicated Subordinate Certification Authority template

Based on the above 3 main steps, I have the following questions:

  • Are there any concerns about breaking the trust of certificates that have already been issued?
  • Is there guidance for getting the newly duplicated certificates on/issued to the Root and Subordinate?  (Does the default renewal process look for specific template names and if so, could I rename the newly duplicated templates as the default names and rename the original templates to something like xxxOriginal?)
  • In the future, would I then be able to follow the regular steps for renewing Certification Authority certificates?

Is there another and/or easier way to achieve our end goal?  I'd appreciate any input/thoughts.  Thanks, Joe.
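A check that goes with the question above, added here as an example and not part of Joe's post or of any Microsoft tooling: before renewing anything, it is worth measuring how much lifetime the chain actually leaves for a workstation certificate issued today. The script reads the root and issuing CA certificates from the local machine stores of a domain member (the enterprise root is published to `Cert:\LocalMachine\Root` and the issuing CA to `Cert:\LocalMachine\CA`), takes the earliest NotAfter in the chain as the ceiling, and reports when the issuing CA must be renewed to keep handing out full-length 2 year certificates. The subject patterns `CN=Contoso-Root-CA*` and `CN=Contoso-Issuing-CA*` are placeholders, not the poster's CA names.

```powershell
# Added example, not from the original post. Run on any domain-joined machine
# that trusts the enterprise CAs (the CA servers themselves qualify).
# ASSUMPTION: the two subject patterns below are placeholders for your CA names.
$RootSubjectPattern = 'CN=Contoso-Root-CA*'
$SubSubjectPattern  = 'CN=Contoso-Issuing-CA*'
$RequestedYears     = 2   # desired workstation certificate lifetime

function Get-CaCertificate {
    param([string]$StorePath, [string]$SubjectPattern)
    # A renewed CA keeps its older certificates alongside the new one, so take
    # the one that expires last; that is the certificate new issuance chains to.
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like $SubjectPattern } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Get-IssuanceCeiling {
    param(
        [datetime]$RootNotAfter,
        [datetime]$SubNotAfter,
        [int]$RequestedYears,
        [datetime]$Now = (Get-Date)
    )
    $requestedEnd = $Now.AddYears($RequestedYears)
    # A CA does not issue a certificate that outlives its own certificate, and
    # the issuing CA's certificate is in turn bounded by the root's, so the
    # effective end date is the earliest of the three.
    $effectiveEnd = ($RootNotAfter, $SubNotAfter, $requestedEnd | Sort-Object)[0]
    $truncatedBy  = if ($effectiveEnd -eq $requestedEnd) { 'nothing' }
                    elseif ($effectiveEnd -eq $SubNotAfter) { 'issuing CA certificate' }
                    else { 'root CA certificate' }
    # Last day on which a full-length certificate can still be issued before
    # the chain starts clipping it: chain expiry minus the requested lifetime.
    $chainExpiry = ($RootNotAfter, $SubNotAfter | Sort-Object)[0]
    [pscustomobject]@{
        RequestedEnd    = $requestedEnd
        RootNotAfter    = $RootNotAfter
        SubNotAfter     = $SubNotAfter
        EffectiveEnd    = $effectiveEnd
        TruncatedBy     = $truncatedBy
        FullLengthUntil = $chainExpiry.AddYears(-$RequestedYears)
    }
}

$root = Get-CaCertificate -StorePath 'Cert:\LocalMachine\Root' -SubjectPattern $RootSubjectPattern
$sub  = Get-CaCertificate -StorePath 'Cert:\LocalMachine\CA'   -SubjectPattern $SubSubjectPattern
if (-not $root -or -not $sub) {
    throw 'CA certificate not found in the local stores; check the subject patterns.'
}

Get-IssuanceCeiling -RootNotAfter $root.NotAfter -SubNotAfter $sub.NotAfter -RequestedYears $RequestedYears |
    Format-List
```

`FullLengthUntil` is the date that drives the renewal schedule: once it has passed, every certificate the issuing CA hands out is silently shortened to the chain's expiry, which is the failure mode the question is trying to avoid. On the CA server itself, also compare the result with `certutil -getreg CA\ValidityPeriod` and `certutil -getreg CA\ValidityPeriodUnits`, since that per-CA setting caps the lifetime of everything the CA issues independently of the template.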
