Using Certificate Server Hierarchies

If you design a Certificate Server hierarchy, the root certification authority (CA) certificate will have a lifetime of five years. Subordinate CA certificates will have a lifetime of only one year, which will cause problems with the use of X.509 V3 certificates.

If you design a Certificate Server hierarchy, you must first change a registry key on the root CA computer to change subordinate certificate lifetimes to five years. You must change the registry entry on the root CA computer before you set up subordinate CA certificates. Failure to do so will result in serious problems with your subordinate CA certificates.

To make this change, add the following values to the registry key below, where CERT_SERVER_NAME is the name of your root CA:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CERT_SERVER_NAME

Value                 Data             Description
ValidityPeriod        Years            Specifies the unit of the validity period; can also be set to Hours or Days.
ValidityPeriodUnits   dword:00000005   Specifies the desired number of units of time for the validity period, in hexadecimal format.
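The following script is an added example, not code from the original page or from Microsoft. It sets the two registry values described above on the root CA computer and reads them back so you can confirm the subordinate CA lifetime is five years before any subordinate CA certificate is issued. The CA name (CA_NAME_PLACEHOLDER), the parameter names and the function names are assumptions made for this example; the service name CertSvc is taken from the registry path on the page.

```powershell
# Added example (not from the original page): configure the root Certificate
# Server so that subordinate CA certificates it issues are valid for five years.
# Run on the root CA computer, as an administrator, BEFORE any subordinate CA
# certificate is issued.
param(
    [string]$CaName = 'CA_NAME_PLACEHOLDER',   # assumption: replace with your root CA's name
    [int]$Years = 5                            # lifetime the page recommends for subordinate CAs
)

# Registry key from the page; the last path element is the CA's own name.
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"

function Get-CertSrvValidity {
    param([string]$Path)
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    [pscustomobject]@{
        ValidityPeriod      = $props.ValidityPeriod        # 'Years', 'Days' or 'Hours'
        ValidityPeriodUnits = $props.ValidityPeriodUnits   # number of those units
    }
}

function Set-CertSrvValidity {
    param([string]$Path, [int]$Units)
    if (-not (Test-Path $Path)) {
        throw "Configuration key '$Path' not found; check the CA name."
    }
    # ValidityPeriod is a string value; ValidityPeriodUnits is a DWORD (5 = 0x00000005).
    Set-ItemProperty -Path $Path -Name 'ValidityPeriod'      -Value 'Years' -Type String
    Set-ItemProperty -Path $Path -Name 'ValidityPeriodUnits' -Value $Units  -Type DWord
    Get-CertSrvValidity -Path $Path
}

# Show the current setting, apply the change, and verify the result.
Write-Host 'Before:'
Get-CertSrvValidity -Path $keyPath | Format-List

$after = Set-CertSrvValidity -Path $keyPath -Units $Years
Write-Host 'After:'
$after | Format-List

if ($after.ValidityPeriod -ne 'Years' -or $after.ValidityPeriodUnits -ne $Years) {
    throw 'Validity period was not applied as expected; do not issue subordinate CA certificates yet.'
}

# Certificate Services reads its configuration values when it starts, so restart
# the service for the new lifetime to take effect.
Restart-Service -Name CertSvc
```

The explicit read-back and the throw are the useful part: the page warns that subordinate CA certificates issued before this change are a problem, so the script refuses silently succeeding and makes you confirm the five-year setting before the subordinate CAs are built.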

Note  Do not assign end users to the root CA certificate in a Certificate Server hierarchy. End users must be assigned to subordinate CA certificates. Certificate Server considers the KM server to be another end user.

For more information on Certificate Server hierarchies, download the white paper Hier3.exe from the Microsoft Web site at http://support.microsoft.com/support/downloads/Lnp279.asp.


© 1998 Microsoft Corporation. All rights reserved.