VSS KB Articles

DFS management console throws a “the value does not fall within the expected range”
1/13/2018
Windows Server DFS management console throws a “the value does not fall within the expected range”


How to change network profiles on Window 2012R2 Server
1/12/2018
After a restart of one of our servers (a Windows Server 2012 R2), all private connections become public and vice versa. Things like pinging and iSCSI stopped working, and after some investigation it turned out this was the cause.


How to create Self-Signed Certificates for Hyper-V Replication
1/9/2018
How to create Self-Signed Certificates for Hyper-V Replication


Hyper-V virtual machine may not start, and you receive a “‘General access denied error’ (0x80070005)” error message
1/9/2018
Hyper-V virtual machine may not start, and you receive a “‘General access denied error’ (0x80070005)” error message


How to Change/Extend the Expiration Date of Certificates
1/9/2018
Need to change/extend the subordinate CA certificate validity,CA certificate and the template is valid for 5 years but certificates that are issued is showing only 2 years validity.


    

1/9/2018
How to Change/Extend the Expiration Date of Certificates

Symptoms

1. Need to change/extend the subordinate CA certificate validity

2. CA certificate and the template is valid for 5 years but certificates that are issued is showing only 2 years validity.

3. Certificates issued by the CA should be valid only for  3 months irrespective of the template validity or CA validity.

Cause

The validity of a certificate is dependant on below values:
        a. Remaining lifetime of Issuing CA certificate.
        b. Validity as specified in the certificate template.
        c. Registry entries on the CA as described in
http://support.microsoft.com/kb/254632/ Jump

Issued certificate will have the least of above values as the certificate validity.

Resolution

1. Need to change/extend the subordinate CA certificate validity

   On the Root/Parent CA check the below registry entries.

              HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>

              ValidityPeriod

              ValidityPeriodUnits

   ValidityPeriod can have "Days" "Weeks" "Months" "Years" as values

   ValidityPeriodUnits can be an integer as per requirement.

   Restart the certificate services on the Root/Parent CA.

   Renew the Subordinate CA certificate.

2. CA certificate and the template is valid for 5 years but certificates that are issued is showing only 2 years validity. Need to have certificates issued based on template validity.

  Check the registry key on the Issuing CA and update the values as required.

              HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>

  ValidityPeriod can have "Days" "Weeks" "Months" "Years" as values. Set it to "Years"

  Set the ValidityPeriodUnits equivalent to the CA certificate validity.

  Restart the certificate services on the Issuing CA.

  Issue/Renew the certificate.

3. Certificates issued by the CA should be valid only for a 3 months irrespective of the template validity or CA certificate validity. 

  On the Issuing CA, open registry.

              HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>

  Set the ValidityPeriod to "Months"

  Set the ValidityPeriodUnits to 3.

  Restart the certificate services on the Issuing CA.

  Issue/Renew the certificate.