[Deployment] 如何延長Windows CA 所發放的憑證的有效年限
這篇文章是研究如何在Windows Server 2008 CA憑證中心利用建立憑證範本的方式來延長使用者憑證的有效期限.
(複製憑證範本在Windows server 2008 標準版是沒有被支援的,若要使用範本功能您必須要是Windows server 2008 企業版)
For certificates that are issued by Enterprise CAs, the validity period is defined in the template that is used to create the certificate. Windows 2000 and Windows Server 2003 Standard Edition do not support modification of these templates. Windows Server 2003 Enterprise Edition supports Version 2 certificate templates that can be modified.
How to change the expiration date of certificates that are issued by a Windows Server 2003 or a Windows 2000 Server Certificate Authority
http://support.microsoft.com/kb/254632/en-us
1.首先要去更改伺服器上的機碼
先去修改Windows Server CA 主機上的註冊機碼.位置如下
Locate, and then click the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>接著我們把限制年限改成5年. 所以妳要先到[ValidityPeriod]機碼下選擇[Years],因為我們是以年限來決定憑證效用期限.
In the right pane, double-click [ValidityPeriod].
In the Value data box, type one of the following, and then click OK:
[Days][Weeks][Months][Years]
How to change the expiration date of certificates that are issued by a Windows Server 2003 or a Windows 2000 Server Certificate Authority
接著到[ValidityPeriodUnits. ],我們把數值改成5,因為我們這邊要延長憑證為5年.
In the right pane, double-click ValidityPeriodUnits.
In the Value data box, type the numeric value that you want, and then click OK. For example, type 5.
2. 到一台有安裝Windows CA 憑證中心的電腦管理介面去新增一個使用者憑證的範本.
3. 在新的憑證副本中定義憑證的有效期間,然後發佈這個憑證範本.
4. 當Client端在申請憑證時就可以參照到您所發佈的新的憑證範本.
5. 新的憑證已經被延伸為五年才會到期.
詳細資訊請參考下列網站:
CA到期後,如何延長期限?
http://blogs.technet.com/b/csstwplatform/archive/2010/01/21/windows-2003-ca.aspx
Extending Root CA Certificate lifetime