2

I'm trying to request a new BitLocker DRA certificate from my internal CA. The template is set to two years, as shown here: Template

I'm trying to request a new certificate via the Certificates MMC via "Personal > Certificates > All Tasks > Request New Certificate". My two year BitLocker DRA certificate appears with a 2 year validity period as depicted here: Enrollment

But when I approve the request, the certificate is always only valid for 1 year: Certificate

2 Answers

2

This is because the CA that is issuing the certificate has its signing certificate set to expire 6/29/2020. The certificate cannot be issued with an expiration date past the issuing CA's certificate.

Joe
0

If you run certutil -getreg CA\ValidityPeriod you will see "Years"

If you run certutil -getreg CA\ValidityPeriodUnits you will see the default value of 2

To increase this to ten years run certutil -setreg CA\ValidityPeriodUnits 10 and press ENTER.

Then run restart-service certsvc from an administrative PowerShell console.

shearn89
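
The two answers describe different ceilings on the same value: an issued certificate's expiry is the earliest of the template validity period, the CA's ValidityPeriod/ValidityPeriodUnits registry setting, and the expiry of the CA's own signing certificate. The PowerShell below is an added example, not code from either answer, that reports which limit wins; the function name Get-EffectiveNotAfter and the issue date are assumptions made for illustration.

```powershell
# Added example: the earliest of three limits becomes the issued certificate's NotAfter.
function Get-EffectiveNotAfter {
    param(
        [datetime]$IssueTime,
        [int]$TemplateUnits, [string]$TemplatePeriod,  # validity period set on the template
        [int]$CAUnits, [string]$CAPeriod,              # CA\ValidityPeriodUnits and CA\ValidityPeriod
        [datetime]$CACertNotAfter                      # expiry of the CA's signing certificate
    )

    # Turn "N <unit>" into an absolute end date counted from the issue time.
    function Add-Period([datetime]$Start, [int]$Units, [string]$Period) {
        switch ($Period) {
            'Years'  { return $Start.AddYears($Units) }
            'Months' { return $Start.AddMonths($Units) }
            'Weeks'  { return $Start.AddDays(7 * $Units) }
            'Days'   { return $Start.AddDays($Units) }
            'Hours'  { return $Start.AddHours($Units) }
            default  { throw "Unknown validity period '$Period'" }
        }
    }

    # A CA whose own certificate has expired cannot issue anything valid.
    if ($CACertNotAfter -le $IssueTime) {
        throw 'CA signing certificate has already expired.'
    }

    $limits = @(
        [pscustomobject]@{ Limit = 'Template validity period'
                           NotAfter = (Add-Period $IssueTime $TemplateUnits $TemplatePeriod) }
        [pscustomobject]@{ Limit = 'CA registry ValidityPeriod'
                           NotAfter = (Add-Period $IssueTime $CAUnits $CAPeriod) }
        [pscustomobject]@{ Limit = 'CA signing certificate expiry'
                           NotAfter = $CACertNotAfter }
    )

    # The binding limit is whichever end date comes first.
    $limits | Sort-Object NotAfter | Select-Object -First 1
}

# Template period, CA registry default and CA expiry are taken from the question
# and answers above; the issue date 2019-07-15 is constructed for illustration.
$result = Get-EffectiveNotAfter -IssueTime ([datetime]'2019-07-15') `
    -TemplateUnits 2 -TemplatePeriod 'Years' `
    -CAUnits 2 -CAPeriod 'Years' `
    -CACertNotAfter ([datetime]'2020-06-29')
$result | Format-List
```

With these inputs the CA signing certificate expiry is the binding limit, so raising CA\ValidityPeriodUnits alone would not lengthen the issued certificate until the CA certificate itself is renewed.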