Change expiration date of certificates - Windows Server (2024)

This article describes how to change the validity period of a certificate that is issued by a Certificate Authority (CA).

Applies to: Windows 10 - all editions, Windows Server 2012 R2
Original KB number: 254632

Summary

By default, the lifetime of a certificate that is issued by a Stand-alone Certificate Authority (CA) is one year. After one year, the certificate expires and is not trusted for use. There may be situations when you have to override the default expiration date for certificates that are issued by an intermediate or an issuing CA.

The validity period that is defined in the registry affects all certificates that are issued by Stand-alone and Enterprise CAs. For Enterprise CAs, the default registry setting is two years. For Stand-alone CAs, the default registry setting is one year. For certificates that are issued by Stand-alone CAs, the validity period is determined by the registry entry that is described later in this article. This value applies to all certificates that are issued by the CA.

For certificates that are issued by Enterprise CAs, the validity period is defined in the template that is used to create the certificate. Windows 2000 and Windows Server 2003 Standard Edition do not support modification of these templates. Windows Server 2003 Enterprise Edition supports Version 2 certificate templates that can be modified. The validity period defined in the template applies to all certificates issued by any Enterprise CA in the Active Directory forest. A certificate that is issued by a CA is valid for the minimum of the following periods of time:

This applies to the Enterprise CA. Templates supported by Windows 2000 and Windows Server 2003 Standard Edition cannot be modified. Templates supported by Windows Server Enterprise Edition (Version 2 templates) do support modification.

For an Enterprise CA, the validity period of an issued certificate is set to the minimum of all the following:

  • The registry validity period of the CA (for example: ValidityPeriod == Years, ValidityPeriodUnits == 1)
  • The template validity period
  • The remaining validity period of the signing certificate of the CA
  • If the EDITF_ATTRIBUTEENDDATE bit is enabled in the policy module's EditFlags registry value, the validity period specified through the request attributes (ExpirationDate:Date or ValidityPeriod:Years\nValidityPeriodUnits:1)

Note

  • The ExpirationDate:Date syntax was not supported until Windows Server 2008.
  • For a stand-alone CA, no templates are processed. Therefore, the template validity period does not apply.

The expiration date of the CA certificate

A CA cannot issue a certificate with a longer validity period than its own CA certificate.

Note

The Request Attribute name is made up of value string pairs that accompany the request and that specify the validity period. By default, this is enabled by a registry setting on a Standalone CA only.
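
The minimum rule described above can be modeled as a small function. This is an added example, not code from the original article: the function names and sample dates are hypothetical, and it assumes plain calendar arithmetic for the period units.

```powershell
# Added example: models the "minimum of all periods" rule with constructed inputs.
$EDITF_ATTRIBUTEENDDATE = 0x20   # EditFlags bit that honors request-attribute end dates

function Add-ValidityPeriod {
    param([datetime]$Start, [string]$Period, [int]$Units)
    switch ($Period) {
        'Days'   { return $Start.AddDays($Units) }
        'Weeks'  { return $Start.AddDays(7 * $Units) }
        'Months' { return $Start.AddMonths($Units) }
        'Years'  { return $Start.AddYears($Units) }
        default  { throw "Unsupported ValidityPeriod '$Period'" }
    }
}

function Get-EffectiveNotAfter {
    param(
        [datetime]$IssuedAt,
        [string]$RegPeriod, [int]$RegUnits,            # ValidityPeriod / ValidityPeriodUnits
        [datetime]$CaNotAfter,                         # expiry of the CA's signing certificate
        [string]$TemplatePeriod, [int]$TemplateUnits,  # omit for a stand-alone CA (no templates)
        [int]$EditFlags = 0,
        [Nullable[datetime]]$RequestedEnd = $null      # ExpirationDate request attribute, if sent
    )
    $limits = @((Add-ValidityPeriod $IssuedAt $RegPeriod $RegUnits), $CaNotAfter)
    if ($TemplatePeriod) {
        $limits += Add-ValidityPeriod $IssuedAt $TemplatePeriod $TemplateUnits
    }
    # The request attribute is only considered when the EditFlags bit is set.
    if ($null -ne $RequestedEnd -and ($EditFlags -band $EDITF_ATTRIBUTEENDDATE)) {
        $limits += $RequestedEnd
    }
    $limits | Sort-Object | Select-Object -First 1
}

$issued = [datetime]'2024-01-15'   # constructed sample values below
# Enterprise CA: registry 2 years, template 5 years, CA certificate expiring soon.
Get-EffectiveNotAfter -IssuedAt $issued -RegPeriod Years -RegUnits 2 `
    -TemplatePeriod Years -TemplateUnits 5 -CaNotAfter ([datetime]'2025-06-30')
# Stand-alone CA with the flag set: a request asking for 2030 is still capped.
Get-EffectiveNotAfter -IssuedAt $issued -RegPeriod Years -RegUnits 1 `
    -CaNotAfter ([datetime]'2034-01-01') -EditFlags 0x20 `
    -RequestedEnd ([datetime]'2030-01-01')
```

In both calls the result is the earliest of the candidate dates, so a long template or requested period never extends a certificate past the registry setting or the CA certificate's own expiry.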

Change expiration date of certificates issued by CA

To change the validity period settings for a CA, follow these steps.

Important

This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.

  1. Click Start, and then click Run.

  2. In the Open box, type regedit, and then click OK.

  3. Locate, and then click the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>

  4. In the right pane, double-click ValidityPeriod.

  5. In the Value data box, type one of the following, and then click OK:

    • Days
    • Weeks
    • Months
    • Years
  6. In the right pane, double-click ValidityPeriodUnits.

  7. In the Value data box, type the numeric value that you want, and then click OK. For example, type 2.

  8. Stop, and then restart the Certificate Services service. To do so:

    1. Click Start, and then click Run.

    2. In the Open box, type cmd, and then click OK.

    3. At the command prompt, type the following lines. Press ENTER after each line.

      net stop certsvc
      net start certsvc

    4. Type exit to quit Command Prompt.
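
The same procedure scripted for PowerShell, as an added example that is not part of the original article. It assumes an elevated session on the CA server, uses `certutil -setreg` in place of regedit, and the backup path is a placeholder.

```powershell
# Added example. Run in an elevated PowerShell session on the CA server.
$Period = 'Years'   # step 5: Days, Weeks, Months or Years
$Units  = 2         # step 7: example value from the article
$Backup = 'C:\Temp\certsvc-config-before.reg'   # placeholder path; the folder must exist

if ($Period -notin 'Days', 'Weeks', 'Months', 'Years') {
    throw "ValidityPeriod must be Days, Weeks, Months or Years (got '$Period')"
}

# Resolve <CAName>: the Active value under Configuration names this server's CA.
$config = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $config -Name Active).Active
$caKey  = Join-Path $config $caName

# Back up the key first, as the article advises.
reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName" $Backup /y
if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; nothing was changed' }

$before = Get-ItemProperty -Path $caKey | Select-Object ValidityPeriod, ValidityPeriodUnits

# Steps 4 to 7: certutil's "CA\" prefix addresses the active CA's key.
certutil.exe -setreg CA\ValidityPeriod $Period
certutil.exe -setreg CA\ValidityPeriodUnits $Units

# Step 8: restart Certificate Services, as the article's procedure does.
Restart-Service -Name CertSvc

$after = Get-ItemProperty -Path $caKey | Select-Object ValidityPeriod, ValidityPeriodUnits
"Before: $($before.ValidityPeriodUnits) $($before.ValidityPeriod)"
"After:  $($after.ValidityPeriodUnits) $($after.ValidityPeriod)"
```

Because the registry value applies to all certificates that the CA issues, keep the before and after lines with the change record.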

FAQs

How do I change my certificate expiration date?

The certificate expiration date is encoded in its body and cannot be changed. To extend the secure connection, it is necessary to replace the expiring certificate on the hosting server with a new one with an extended validity period.

How to extend SSL certificate expiration date in Windows Server 2012 R2?

Renew an SSL Certificate IIS 8 & 8.5 Windows Server 2012
  1. Open the Internet Information Services (IIS) Manager. ...
  2. In the IIS Manager, select the main server node on the top left under Connections and double-click the Server Certificates.
  3. From the Actions pane on the top right, select Create Certificate Request.

How do I change certificates in Windows server?

Replacing the Server Certificate
  1. Go to Control Panel > System > Security > SSL Certificate & Private Key.
  2. Go to Server Certificate.
  3. Click Replace Certificate. The Replace Certificate window appears.
  4. Select an option. Option. ...
  5. Click Next. A configuration window appears.
  6. Perform any of the following actions: ...
  7. Click Apply.

How to check certificate expiration date in Windows Server?

In the XIA Configuration Server, open the Windows machine item. Navigate to Security > Machine Certificates and select a certificate to check the expiry date.

How do I update my SSL certificate on my server?

How to Renew an SSL Certificate
  1. Set reminders for SSL expiration.
  2. Generate a Certificate Signing Request.
  3. Purchase and activate your new SSL certificate.
  4. Complete domain control validation.
  5. Install your new SSL certificate.

How do I renew my server certificate in Windows Server 2016?

Renew SSL Certificate IIS 10 Windows Server 2016
  1. Open the Internet Information Services (IIS) Manager. ...
  2. In the IIS Manager, select the main server node on the top left under Connections and double-click the Server Certificates.
  3. From the Actions pane on the top right, select Create Certificate Request.

How to renew SSL certificate on Windows Server 2008 R2?

Renew IIS 7 Windows 2008 SSL Certificate
  1. From the Actions pane on the top right, select Create Certificate Request. ...
  2. In the Request Certificate wizard, provide the following information on the Distinguished Name Properties page and click Next.
  3. Select Microsoft RSA SChannel and 2048, and then click Next.

How to check SSL certificate expiration date in server?

How to Use the Online SSL Certificate Checker
  1. Step 1 – Enter a hostname or IP address. Enter your website's or server's public hostname in the input field. ...
  2. Step 2 – Click the button. Click the button to check the SSL certificate expiration date. ...
  3. Step 3 – Sign up for free SSL expiration notifications and other SSL alerts.

How to update SSL certificate in Windows Server 2012?

  1. Step 1: Install the SSL Certificate. Go to Start > Administrative Tools > Internet Information Services (IIS) Manager. ...
  2. Step 2: Bind SSL certificate to the web site. From the Connections column on the left, expand the Sites folder. ...
  3. Step 3: Verify certificate installation.

How do I manage Windows certificates?

To open Certificate Manager, type run into the Windows 10 Cortana search bar and hit Enter. Once the run window pops up, type certmgr.msc and hit Enter. You will be presented with the Certificate Manager window and will be viewing certificates stored on the user account.

How do I delete expired certificates in Windows Server?

Open pkiview.msc, right-click on the Enterprise PKI node and select Manage AD Containers. Switch to the "Certification Authorities" tab and remove expired CA certs from there and leave the most recent CA cert. Hope this helps with your query!

How do I extend my CA certificate?

Open the Certificate Authority utility in Administrative Tools. Right click the Root CA name and select All Tasks. Select Renew CA Certificate.

How long will the certificate validity period last?

The validity period is the length of time the certificate can be used to create secure connections between your web server and your site visitors' web browsers. The maximum validity period is 13 months. The subscription period is the length of time you've paid for the use of the SSL certificate.

What is certificate validity period?

Definitions: The period of time during which a certificate is intended to be valid; the period of time between the start date and time and end date and time in a certificate.

How can I edit my certificate online?

How to design and edit a certificate online using Certifier for free
  1. Step 1: Sign up for Certifier. ...
  2. Step 2: Go to Designs and choose the credential format. ...
  3. Step 3: Select your preferred certificate design template. ...
  4. Step 4: Edit your certificate online. ...
  5. 4.1 Remove unnecessary graphic elements from the template.

How do I renew my expired digital certificate?

How to renew your SSL certificate?
  1. Step 1: Generating a New CSR (Certificate signing request) This is the first step to renew a certificate. ...
  2. Step 2: Choose the right SSL certificate for your website. ...
  3. Step 3: Validate your SSL certificate. ...
  4. Step 4: Install your new SSL certificate.

Does renewing a CA certificate invalidate the old one?

Beyond labeling that relationship, there is no operational correspondence between the "original" and "renewed" certificates. So no, renewing a cert doesn't revoke the old one, and you shouldn't revoke the old one--just let it expire. Only revoke a cert if you suspect its private key has been compromised.

What happens if I don't renew my SSL certificate?

An SSL certificate is vital to maintaining trust between your website and your clients. Using an expired certificate makes clients vulnerable to cyber attacks, which can break their trust.

Article information

Author: Frankie Dare
