We are running an Enterprise CA under Windows 2008 R2. I configured Computer Certificate Templates and configured Autoenrollment; everything is working as expected except the validity period of the certificates. In the template I configured 4 years, since computers are to be replaced every 3 years, so no re-enrollment has to occur and there should not be a problem with 802.1X during the computers' lifetime. The CA enrolls all certificates with a validity period of 2 years, so I found that
certutil -getreg ca\ValidityPeriod
certutil -getreg ca\ValidityPeriodUnits
is 2 years, which should be the reason.
So when will the validity period configured in the template be used?
What are the rules for the validity period? I assume
1. Expiration date cannot be later than CA certificate expiration
2. Template Validity cannot be longer than "ca\ValidityPeriodUnits" setting
3. If Template Validity period is shorter than "ca\ValidityPeriodUnits" the template setting is used
Is that right or are there more conditions?
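As an added illustration (not part of the original post), the following PowerShell script compares the three limits that cap an issued certificate's lifetime on an Enterprise CA: the template validity, the CA's ValidityPeriod/ValidityPeriodUnits registry setting, and the remaining lifetime of the CA's own certificate. It assumes it is run on the CA server with rights to read HKLM, that the CA's certificate sits in the local machine Personal store, and uses 365-day years and 30-day months as an approximation for the comparison.

```powershell
# Added example, not from the original question. Reports which of the three
# limits actually determines the validity of certificates this CA issues.
param(
    [int]$TemplateValidityYears = 4   # validity configured in the template
)

# Active CA configuration key (assumption: standard AD CS registry layout)
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$caKey   = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

# ca\ValidityPeriod is a unit string ("Years", "Months", ...),
# ca\ValidityPeriodUnits the count; same values certutil -getreg shows.
$unitToDays = @{ 'Days' = 1; 'Weeks' = 7; 'Months' = 30; 'Years' = 365 }
$caMaxDays  = [int]$caKey.ValidityPeriodUnits * $unitToDays[$caKey.ValidityPeriod]

# Remaining lifetime of the CA's own certificate (assumption: it is in
# Cert:\LocalMachine\My and its subject CN matches the CA's CommonName).
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$($caKey.CommonName)*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$caCertDays = [int]($caCert.NotAfter - (Get-Date)).TotalDays

$limits = @{
    'template validity'             = $TemplateValidityYears * 365
    'CA ValidityPeriod registry'    = $caMaxDays
    'CA certificate remaining life' = $caCertDays
}

# The shortest limit wins; the others are only upper bounds.
$winner = $limits.GetEnumerator() | Sort-Object Value | Select-Object -First 1
"Effective validity: about {0} days, limited by: {1}" -f $winner.Value, $winner.Key
$limits.GetEnumerator() | Sort-Object Value |
    ForEach-Object { "  {0,-30} {1,6} days" -f $_.Key, $_.Value }

# If the registry cap is the limiting factor, raising it lets the template
# value take effect (CA service restart required):
#   certutil -setreg ca\ValidityPeriodUnits 4
#   net stop certsvc && net start certsvc
```

The output names the limiting factor, so a CA showing "CA ValidityPeriod registry" with 730 days is capping the 4-year template to 2 years.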