I am in the process of setting up a two-tier PKI hierarchy using Windows 2008 (one offline root CA and one issuing CA). One of the most important tasks is to determine the certificate and CA validity periods before installation. I want to make the CA certificate validity period twice as long as the maximum validity period of any CA-issued certificate. I am not too clear on the steps to set this up; please review the configuration below and see whether these steps are correct or not.
The goal is to allow the issuing CA to issue certificates with a maximum validity period of 5 years.
- Starting from the top with the root CA, use capolicy.inf to set RenewalValidityPeriodUnits=20 (this will set the lifetime of the root CA to 20 years).
- Run these commands on the root CA: `certutil -setreg CA\ValidityPeriodUnits 10` and `certutil -setreg CA\ValidityPeriod "Years"` (this will set the maximum validity period for any certificate issued by this root CA to 10 years).
- Install the issuing CA and use capolicy.inf to set RenewalValidityPeriodUnits=10 (this will set the lifetime of the issuing CA to 10 years). This is the step I am not sure about: the issuing CA will get its certificate from the root CA with a validity period of 10 years (configured in step 2 above). Can I set the validity period on the issuing CA the same as the validity period of the certificate issued by the root CA, in this case 10 years?
- Run these commands on the issuing CA: `certutil -setreg CA\ValidityPeriodUnits 5` and `certutil -setreg CA\ValidityPeriod "Years"` (this will set the maximum validity period for any certificate issued by the issuing CA to 5 years).
Thank you!
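Once the `certutil -setreg` values are in place on each tier, the numbers worth checking are the ones the CA actually ends up with rather than the ones in the plan: the lifetime of the CA's own certificate (for the issuing CA, whatever the root really issued) against the `ValidityPeriodUnits`/`ValidityPeriod` it will apply to the certificates it issues. The following PowerShell script is an added example and is not part of the original post; it assumes it runs locally on a CA (root or issuing) in an elevated session, that the CA name is recorded in the `Active` value under the CertSvc configuration key, and that `CACertHash` lists the thumbprints of the CA's certificates with the current one last.

```powershell
# Added example, not from the original post: check a Windows CA's validity-period
# settings against the "CA lifetime >= 2x longest issued certificate" rule.
# Assumes an elevated PowerShell session on the CA itself.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$cfg     = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

# The two values set with "certutil -setreg CA\ValidityPeriodUnits" and "CA\ValidityPeriod"
$units  = [int]$cfg.ValidityPeriodUnits
$period = [string]$cfg.ValidityPeriod

# Normalise the maximum issued-certificate validity to years for comparison
$issuedYears = switch ($period) {
    'Years'  { $units }
    'Months' { $units / 12 }
    'Weeks'  { $units * 7 / 365.25 }
    'Days'   { $units / 365.25 }
    default  { throw "Unexpected ValidityPeriod value '$period'" }
}

# The CA's current certificate: CACertHash holds the thumbprints of all CA certs, newest last
$thumb  = ($cfg.CACertHash | Select-Object -Last 1) -replace '\s', ''
$caCert = Get-Item -Path "Cert:\LocalMachine\My\$thumb"

$caLifetimeYears = ($caCert.NotAfter - $caCert.NotBefore).TotalDays / 365.25
$remainingYears  = ($caCert.NotAfter - (Get-Date)).TotalDays / 365.25

"CA: $caName"
"  CA certificate lifetime: {0:N1} years ({1:d} to {2:d}), {3:N1} years remaining" -f `
    $caLifetimeYears, $caCert.NotBefore, $caCert.NotAfter, $remainingYears
"  Maximum validity of issued certificates: $units $period ({0:N1} years)" -f $issuedYears

if ($caLifetimeYears -lt 2 * $issuedYears) {
    Write-Warning "CA lifetime is less than twice the maximum issued validity; lower ValidityPeriodUnits or renew the CA with a longer lifetime."
}
if ($remainingYears -lt $issuedYears) {
    # A Windows CA never issues a certificate that outlives its own certificate;
    # it silently shortens NotAfter to the CA certificate's expiry instead.
    Write-Warning "Fewer than $units $period remain on the CA certificate; new certificates will be truncated to expire at $($caCert.NotAfter)."
}
```

Run it on the root first and then on the issuing CA: on the root it confirms the 20-year / 10-year relationship, and on the issuing CA it reads the 10-year lifetime directly from the certificate the root actually issued rather than from capolicy.inf, so any mismatch between the intended and real subordinate lifetime shows up here. The second warning is the practical consequence of the 2x rule: as the CA certificate ages, anything it issues is cut short at the CA's own expiry, which is why the CA needs to be renewed well before its remaining lifetime drops below the maximum validity it hands out.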