Extend MS Exchange Server’s Certificate life

On the Certification Authority Server open Certification Authority Console (MMC)

Right click on Certificate Templates and click Manage

IN certificate templates console right click on Web Server and click Duplicate template

Select Windows Server 2003 Enterprise

Enable “Allow private key to be exported”

Under security tab Select Enroll for the Authenticated users

Back to the Certificate Authority Console, Right click on Certificate Templates and click New -> Certificate template to issue and add the certificate template you created to the list.

Web Server V2 is on top

Let’s check it on Certserv IIS

Certificate is generated for 5 years. The reason why the certificate is generated for 5 years is because the Certification Authority server’s Certificate is limited to 5 years.

So the CA certificate must be set to longer then the client’s requested Certificate limit.

Certification Authority Issuing Certificate validity period extending

To change the Validity Period for the Root CA you can configure a CAPolicy.inf. To create a CAPolicy.inf file that changes the lifietime of the certificate to 30 years, you would type the following into a text file, and save it with the name CAPolicy.inf in the C:\Windows directory,:


Signature= “$Windows NT$”




After this you will need to renew the CA certificate from the CA console : right click on your certification authority and choose All Tasks -> then choose -> Renew CA Certificate

When you click on Renew CA certificate you will get the following prompt asking you to stop the CA to renew its Certificate, Click Yes

Once you click on Yes the service will stop and you will get this window telling you if you would like to generate new public and private key it’s up to you to use a new or not but if you choose Yes the clients using the old Certificate might be provoked and you might need to install the new CA Certificate on all clients using GPO.

Click Ok

After clicking OK you will see that you were able to generate the new CA Certificate and then you can issue clients certificates

Note: I created another template with 30 years expiration date this time after I created the CA policy for 30 years too.

Now In order to allow the CA to issue certificates that has longer than the default age (2 years) you must run the following command line on the CMD on the CA server.

And here we go, after requesting the certificate from the server I got 30 years valid certificate.

Leave a Reply

Your email address will not be published. Required fields are marked *