3

I have a client that is using self-signed certificates (to sign InfoPath forms). The certificates are created using the certificate service built into Windows 2008. They said the certicates always expire after one year. How does one chage the expiration date on a certificate or do they have to issue new ones? (Is one year the default in the template)?

I think the only tools available to them are the ones windows comes with: certmgr, certutil, & certreq. (Am I missing any?)

Also, The certificate is a Code Signing Certificate, if that makes a difference?

Booji Boy
  • 295
  • 2
  • 5
  • 11

2 Answers2

4

In general you can't change an expiry on an existing cert. You can possibly reissue a new one with a new expiry date (possibly more than a year in the future, depending on your tools, of course), but you can't change one that's already been issued.

pjz
  • 10,595
  • 1
  • 32
  • 40
2

There is a Microsoft Knowledge Base article about this question:

How to change the expiration date of certificates that are issued by a Windows Server 2003 or a Windows 2000 Server Certificate Authority

You can't change the expiration date of an existing certificate. But you can change the default validity period for the Certificate Authority.

This article describes how to change the validity period of a certificate that is issued by a Windows Server 2003 or a Windows 2000 Server Certificate Authority (CA).

By default, the lifetime of a certificate that is issued by a Stand-alone Certificate Authority CA is one year. After one year, the certificate expires and is not trusted for use. There may be situations when you have to override the default expiration date for certificates that are issued by an intermediate or an issuing CA.

and:

A CA cannot issue a certificate with a longer validity period than its own CA certificate.

splattne
  • 28,508
  • 20
  • 98
  • 148