1

I'm looking for a way to update the Validity period of an existing CA Template, do you know if this is possible using certutil, any other command or programmatically with Powershell or C#.

The CA is running on Windows Server 2008 R2.

My goal is to run a script on a daily basis to update the validity period for a specific template in order that any request enrolled using that template expires on a specific date, let's say Dec 31st, 2016.

Thanks,

m0dest0

3 Answers

2

Assuming you are running an AD CS Enterprise CA, certificate templates are stored in Active Directory, located in the Configuration NC.

(As noted by CryptoGuy in the comments, this approach is not supported by Microsoft - you really should just be using the Certificate Templates mmc, certtmpl.msc, for this task)

To retrieve a certificate template:

$CertTemplateParams = @{
    LDAPFilter = '(&(objectClass=pKICertificateTemplate))'
    SearchBase = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,{0}' -f ([adsi]'LDAP://RootDSE').configurationNamingContext[0]
    Properties = 'pKIExpirationPeriod'
}
$Templates = Get-ADObject @CertTemplateParams

Filter the template you need:

$UserTemplate = $Templates |Where-Object { $_.Name -eq "User" }

The pKIExpirationPeriod attribute represents a 64-bit FILETIME struct, but you can convert it to a timespan with [BitConverter]::ToInt64():

# File time type counts in 100-nanosecond intervals, we need seconds
$Validity = New-TimeSpan -Seconds $([System.BitConverter]::ToInt64($UserTemplate.pKIExpirationPeriod, 0) * -.0000001)

Now add some time to the timespan:

# TimeSpan.Add() returns a new TimeSpan and leaves $Validity unchanged, so keep the result
$Validity = $Validity.Add($(New-TimeSpan -Days 365))

Convert it back to a 64-bit byte array:

# Cast to Int64 first: GetBytes() of a Double would write an IEEE-754 value, not a FILETIME-style integer
$NewExpirationPeriod = [System.BitConverter]::GetBytes([Int64]($Validity.TotalSeconds * -10000000))

Use Set-ADObject to change the template object:

Set-ADObject -Identity $UserTemplate.objectGuid -Replace @{pKIExpirationPeriod = $NewExpirationPeriod}
Mathias R. Jessen
  • Some time ago I had a long conversation with the Windows PKI team about a similar question. They explicitly said that they do not support any certificate template setting (except ACL) outside of the Certificate Templates MMC. There are a lot of dependencies and if you do not follow them (and you do not), it may lead to unpredicted results. Even if you know how, Microsoft does not recommend this. In addition the whole design in the question doesn't look good at all. – Crypt32 Nov 05 '15 at 05:30
  • @CryptoGuy I wouldn't use a timespan myself, but on the other hand wanted to show it step by step. It works though, I've tested it in my PKI lab. Does "[nothing] outside of Certificate Templates MMC" also mean that no (supported) programmatic interfaces exist, or is it like GPO where you at least have `IGroupPolicyObject` if you really need to? – Mathias R. Jessen Nov 05 '15 at 11:25
  • It would work anyways. No offense, but...you did one thing that is unsupported: modified a version 1 template (User), which is not allowed for modification. Another thing, you did not increment the template's minor version after setting modification. And here is an excerpt from my conversation with Microsoft: "There are inherent inter-dependencies between various template attributes which are enforced via visual clues and complex logic from the template snapin." – Crypt32 Nov 05 '15 at 13:31
  • @CryptoGuy I've been googling but can't find any reference to this unsupported feature, I'd like to go in depth on this issue so please, can you share some links or documentation? Thanks. – m0dest0 Nov 08 '15 at 01:19
  • @m0dest0 you won't find any documentation stating that specifically, the fact is that the certificate templates mmc is the only supported way. – Mathias R. Jessen Nov 08 '15 at 02:07
  • I don't have an official reference, because I got this information through a private conversation with the Windows PKI team. You may need to contact Microsoft Support Services to get official confirmation. – Crypt32 Nov 08 '15 at 09:56
  • There seems to be an issue when setting the new expiration date: if I write the value of $Validity to the console before adding the days, it displays the number of days I have set on the templates MMC. However if I run the last three lines when the date is modified and then try to display its new value coming from the template, I get this error on the line where $Validity is loaded. `New-TimeSpan : Cannot bind parameter 'Seconds'. Cannot convert value "441139571445.046" to type "System.Int32". Error: "Value was either too large or too small for an Int32."` – m0dest0 Nov 08 '15 at 19:09
  • @MathiasR.Jessen, after the update if I open the templates MMC, I see a big value in Hours (previously it was shown in Days), so I wonder if I should add some parameter when the new expiration date is set to force the update using Days. Thanks, – m0dest0 Nov 08 '15 at 19:10
  • I'm accepting the reply of Mathias because it explains in detail how I should proceed, there is a little issue with the dates but it is additional to the original request. – m0dest0 Nov 11 '15 at 18:47
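The complete procedure from the accepted answer, assembled into one script as an added example (this is not code from the answer or from Microsoft). It keeps the whole calculation in Int64 ticks, which avoids both problems raised in the comments (the Double written by GetBytes(), and the value that no longer fits New-TimeSpan -Seconds), computes the validity needed for a certificate issued today to expire on the target date from the question, and writes it back with the minor revision incremented, as Crypt32 notes the snap-in does. It refuses to touch a version 1 template. The template name 'ContosoUserV2', the Write-Verbose output and the -WhatIf handling are assumptions of this example; the attribute names pKIExpirationPeriod, msPKI-Template-Schema-Version and msPKI-Template-Minor-Revision are the real AD schema attributes. Run it with -WhatIf -Verbose first to see what it would write.

```powershell
# Added example, not from the original answer. Assumes an AD CS Enterprise CA, the
# ActiveDirectory module, and a duplicated version 2 template. 'ContosoUserV2' is a
# placeholder name: point it at your own v2 duplicate, never at a built-in v1 template.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$TemplateName = 'ContosoUserV2',           # placeholder template name
    [datetime]$ExpireOn   = (Get-Date '2016-12-31')   # target expiry date from the question
)

Import-Module ActiveDirectory

# Templates live in the Configuration NC; read the attributes needed to change and audit the template.
$configNC = ([adsi]'LDAP://RootDSE').configurationNamingContext[0]
$template = Get-ADObject -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))" `
    -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
    -Properties pKIExpirationPeriod, 'msPKI-Template-Schema-Version', 'msPKI-Template-Minor-Revision'

if (-not $template) { throw "Template '$TemplateName' not found" }
if ([int]$template.'msPKI-Template-Schema-Version' -lt 2) {
    throw "Refusing to edit a version 1 template; duplicate it in certtmpl.msc first"
}

# pKIExpirationPeriod is a negative Int64 of 100-nanosecond ticks, stored little-endian as 8 bytes.
# Staying in Int64 ticks means no Double ever reaches GetBytes() or New-TimeSpan.
$currentTicks    = [BitConverter]::ToInt64($template.pKIExpirationPeriod, 0)
$currentValidity = [TimeSpan]::FromTicks(-1L * $currentTicks)
Write-Verbose ("Current validity: {0} days" -f $currentValidity.TotalDays)

# Validity so that a certificate issued today expires on the target date, rounded up to whole
# days so the Certificate Templates snap-in shows the period in days rather than hours.
$daysLeft    = [math]::Ceiling(($ExpireOn.Date - (Get-Date).Date).TotalDays)
if ($daysLeft -le 0) { throw "Target date $ExpireOn is not in the future" }
$newValidity = [TimeSpan]::FromDays($daysLeft)
$newBytes    = [BitConverter]::GetBytes([int64](-1L * $newValidity.Ticks))

# Round-trip the bytes before writing anything to the directory.
$roundTrip = [TimeSpan]::FromTicks(-1L * [BitConverter]::ToInt64($newBytes, 0))
if ($roundTrip -ne $newValidity) { throw "Byte conversion round-trip failed" }

$target = "Set validity of $TemplateName to $daysLeft days (was $($currentValidity.TotalDays))"
if ($PSCmdlet.ShouldProcess($template.DistinguishedName, $target)) {
    Set-ADObject -Identity $template.ObjectGUID -Replace @{
        pKIExpirationPeriod             = $newBytes
        # Bump the minor revision so clients notice the changed template (as the snap-in does).
        'msPKI-Template-Minor-Revision' = [int]$template.'msPKI-Template-Minor-Revision' + 1
    }
}
```

Scheduling this daily, as the question proposes, shortens the validity by one day on each run; whether the minor-revision bump and the other inter-dependencies Crypt32 mentions are enough to keep clients and the CA consistent is exactly what is not documented, so compare the result in certtmpl.msc after the first run.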
0

http://www.expta.com/2010/08/how-to-create-certificates-with-longer.html

According to this, you can change the CA Lifetime or the Maximum validity period using certutil. I assume that your template expiration is limiting you. Perhaps create a new template with a longer expiration date?

Jeter-work
  • The above link explains the way to update the lifetime of the Root CA, not for a CA template. I have edited the question to specify my goal. Thanks – m0dest0 Nov 04 '15 at 23:35
  • I think you can replace the template with one that has an extended validity, thus allowing future generated certificates to have a longer validity period. – Jeter-work Nov 05 '15 at 00:21
  • Please keep in mind that this is about a way to change the validity period using a command or programmatically. Thanks. – m0dest0 Nov 05 '15 at 00:55
  • The short answer is that the Version 1 templates are not modifiable by any method. The process is to duplicate it, creating a version 2 template, and modify the duplicate template, then supersede the original with the duplicate. I'm fairly certain certutil provides these capabilities. [technet](https://technet.microsoft.com/en-us/library/cc725621(v=ws.10).aspx) – Jeter-work Nov 05 '15 at 15:54
  • certutil does not offer capabilities to duplicate/modify certificate templates. – Crypt32 Nov 05 '15 at 16:09
0

To calculate the

$NewExpirationPeriod = [System.BitConverter]::GetBytes($([Int64]$Validity.TotalSeconds * -10000000))
Boken