Hi All,
The PKI infrastructure includes the following elements:
- All CAs are Windows Server 2012 R2 member servers.
- Online Enterprise Root CA: RootCA [RSA (4096 bit)].
- Enterprise Subordinate CAs SubCA01 and SubCA02 are both directly subordinated to RootCA.
- CA details:
  4.1. RootCA: RSA, 4096 bit. Valid for 20 years.
       The Subordinate Certification Authority certificate template (SubCA Certificate Template) has 5 years of validity.
  4.2. SubCA01 and SubCA02: RSA, 4096 bit. The security certificate is based on the SubCA Certificate Template.
       But the certificate is valid for only 2 years, although it uses the SubCA Certificate Template, which sets a validity of 5 years.
- A repro in a brand-new test domain with a 2-tier PKI infrastructure produced the same issue.
Questions:
- How to enforce that the SubCA-based certificate is valid for 5 years on SubCA01 and SubCA02?
- What is the potential cause of the under-provisioning of the certificate validity period? Or where to look for the investigation?
- Is it possible to renew the SubCA certificate with the same key, but with a longer validity period? Should any other certificates be re-issued for the subordinate CAs, apart from the SubCA certificate?
- Is there a way to configure the SubCA template so that a SubCA-template-based certificate is issued to a new enterprise subordinate CA with the expected validity period?
- Can the SubCA certificate be renewed automatically and how to configure it if possible?
- Can the SubCA certificate validity period be longer than the validity period of the Root CA?
Tons of thanks in advance for your great help and attention!!!
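One place to look for the cause asked about above (an added example, not part of the original post): on a Windows CA the lifetime of an issued certificate is the shortest of the template validity, the issuing CA's own ValidityPeriod/ValidityPeriodUnits registry cap (2 Years by default on a newly installed enterprise CA), and the remaining lifetime of the CA's own certificate. The script below reads all three on the issuing CA and reports which one is limiting; the registry path and value names are assumed from Windows Server 2012 R2 AD CS, and the 5-year template validity is taken from the post.

```powershell
# Added check (not from the original post). Run in an elevated PowerShell session on the
# issuing CA (RootCA in the thread). Assumes the AD CS registry layout of Windows Server 2012 R2.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active          # name of the active CA instance
$caCfg   = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

# 1. The CA-wide cap: every issued certificate is truncated to this, whatever the template says.
$units = [int]$caCfg.ValidityPeriodUnits                     # e.g. 2
$unit  = [string]$caCfg.ValidityPeriod                       # 'Years' | 'Months' | 'Weeks' | 'Days'
$now   = Get-Date
$regCap = switch ($unit) {
    'Years'  { $now.AddYears($units) }
    'Months' { $now.AddMonths($units) }
    'Weeks'  { $now.AddDays(7 * $units) }
    'Days'   { $now.AddDays($units) }
    default  { throw "Unexpected ValidityPeriod value '$unit'" }
}

# 2. The CA's own certificate: issued certificates are never valid past its NotAfter.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$($caCfg.CommonName)*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) { throw "CA certificate for '$($caCfg.CommonName)' not found in LocalMachine\My" }

# 3. The template validity (5 years on the SubCA Certificate Template described in the post).
$templateCap = $now.AddYears(5)

"CA instance            : $caName"
"Registry cap           : $units $unit (NotAfter would be $($regCap.ToShortDateString()))"
"CA certificate expires : $($caCert.NotAfter.ToShortDateString())"
"Template validity      : 5 Years (NotAfter would be $($templateCap.ToShortDateString()))"

if ($caCert.NotAfter -le $regCap -and $caCert.NotAfter -lt $templateCap) {
    "Limiting factor: the CA's own certificate. Renew the CA certificate first; no setting can extend past it."
} elseif ($regCap -lt $templateCap) {
    "Limiting factor: the CA registry cap. Raise it and restart the service, e.g.:"
    "  certutil -setreg ca\ValidityPeriodUnits 5"
    "  certutil -setreg ca\ValidityPeriod Years"
    "  Restart-Service certsvc"
} else {
    "Limiting factor: the template itself (already 5 years); re-check the template's validity setting."
}
```

Changing the registry cap affects only certificates issued after the restart; an already issued 2-year SubCA certificate has to be renewed (with or without a new key) to pick up the longer period.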