We have a Windows Server 2003 root CA and a Windows Server 2003 subordinate CA environment. Now the thing is that the Root CA cert is going to expire on 3rd April 2014 and we need to renew it.
I simulated the Root CA and Subordinate CA in an isolated test environment. I was successfully able to renew the Root CA. However, I am stumped about the validity of the Root CA. As far as my understanding goes, the validity for the Root CA certificate is handled by the settings specified in the capolicy.inf file. I have the following settings in the capolicy.inf file:
[Version]
Signature= “$Windows NT$”
[PolicyStatementExtension]
Policies = AllIssuancePolicy
Critical = FALSE
[AllIssuancePolicy]
OID = 2.5.29.32.0
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
Based on this, the Root CA should be valid for ten years on renewal. However, when I renewed the certificate for the Root CA using the same key pair, I get the cert with validity from 19/05/2008 till 26/02/2017. Even if I renew the certificate with a new key pair, the validity starts from today's date till 26/02/2017. I am not sure where it is picking the settings from. Also, I tried changing the capolicy.inf and changing the key length; it seems the CA does not pick up anything I change in the capolicy.inf file. Any idea why this could be happening?