我已在 2008 R2 上将 Microsoft 独立 CA 设置为根 CA。我正在尝试设置从属企业 CA。我生成了证书请求,并将其提交给根 CA。然后,我运行以下命令将到期日期设置为 20 年(请求 ID 为 5):
certutil -setattributes 5 "ValidityPeriod:Years\nValidityPeriodUnits:20"
然后,我批准了请求,但失败了。请求状态代码为:
The specified time is invalid. 0x8007076d (WIN32: 1901)
请求处置消息是:
Denied by Policy Module 0x8007076d, The requested validity period is invalid.
Confirm that the validity period or expiration data and time specified in the request
does not extend beyond the validity period of the CA certificate, the certificate
template, and the CA. The validity period of the CA can be verified by running the
following commands: certutil -getreg ca\validityPeriod
& certutil -getreg ca\ValidityPeriodUnits
CA 证书的有效期为 40 年(2052 年到期)。由于这是独立 CA,因此模板条件不适用。这些命令的结果分别为 Years 和 1。
看来我需要更改 CA 的有效性期限和有效性期限单位。但是,我想将请求的默认有效期保留为 1 年。有没有办法设置最大有效期和默认有效期,或者我必须更改它,颁发证书,然后再改回来?
答案1
All certificates that the stand-alone CA issues have the lifetime specified by the
values of the ValidityPeriod and ValidityPeriodUnits registry entries. Therefore, if
you want to issue certificates with different lifetimes, you must deploy either
enterprise CAs, multiple stand-alone CAs, or third-party CAs.
这似乎仍然有效,根据 social.technet.microsoft.com 上最近的一篇文章。
我最终改变了注册表值,颁发了证书,然后又将其改回来。