Your network contains an Active Directory domain named contoso.com. The network
contains a server named Server1 that runs Windows Server 2012. Server1 has the Active
Directory Certificate Services server role installed. Server1 is configured as an offline
standalone root certification authority (CA).
You install the Active Directory Certificate Services server role on Server2 and configure the
server as an enterprise subordinate CA.
You need to ensure that the certificate issued to Server2 is valid for 10 years.
What should you do first?
A. Modify the subordinate CA certificate template.
B. Modify the registry on Server2.
C. Modify the registry on Server1.
D. Modify the CAPolicy.inf file on Server2.
E. Modify the CAPolicy.inf file on Server1.
The default validity period of the subordinate CA certificate template is 5 years; increasing it to 10 years is needed. And this is the answer.
MS, in all official exam preparation materials and exam questions, writes that if the need is to change issued certificate parameters, the preferred action should be:
1. make a copy of desired certificate template
2. change parameters in copied template
3. issue the certificate template
4. issue a certificate based on the modified template
I’m confused. The validity period of certificates issued by the standalone root CA could be changed in the CA server’s registry. I haven’t found such a solution in any of the official MS materials I have.
see here:
https://technet.microsoft.com/en-us/library/cc962064.aspx
A standalone root CA doesn’t support templates.
There are two ways to set up the certificate validity period: one during the initial configuration of the CA service, the second by modifying the CA server’s registry.
I checked it out on my lab.
http://www.techieshelp.com/subordinate-ca-increase-certificate-validity/
C
So the consensus would be C, right ?
After reading the link provided C sounds about right.
is C right?!?
The link provided by Pio shows how to increase the validity period of the Enterprise Subordinate CA. In our scenario that is Server2.
Thus, the Answer is B.
From the link provided by Pio:
“I needed to increase the validity period for my Subordinate CA. To do this I had to turn on my Offline Root CA (in this case, Server1) and issue the following commands.
certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg ca\ValidityPeriodUnits "5"”
The steps provided talk about getting the new certificate from the Root CA.
This should be C
The requirement is:
You need to ensure that the certificate issued TO Server2 is valid for 10 years.
The certificate issued TO Server2 is from the Root CA.
Edit the registry on the root CA using certutil (as whoa explained; although use certutil -setreg ca\ValidityPeriodUnits "10")
Export cert from Root CA
Import cert to subordinate CA
Turn off Root CA
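The registry change the thread converges on, written out as an added example (this is not code from the exam question, the linked blog, or any poster). It runs in an elevated PowerShell session on the offline standalone root CA (Server1), sets the same two certutil registry values the thread quotes but with 10 units, restarts Certificate Services so the values take effect, reads them back from the CertSvc configuration key, and then checks the one thing the thread does not mention: a CA never issues a certificate that outlives its own certificate, so if the root CA's certificate has fewer than 10 years left, the subordinate certificate will be truncated to that remaining lifetime regardless of the registry setting. The CA common name `Contoso-Root-CA` is a placeholder assumption; the thread only says the root CA is Server1.

```powershell
# Added example, not from the thread: raise the validity period the offline
# standalone root CA (Server1) stamps on certificates it issues, then verify.
# Run in an elevated PowerShell session on Server1.

# Placeholder assumption: the CA's common name. Read yours with `certutil -getconfig`
# or from the Certification Authority MMC before running this.
$caName = 'Contoso-Root-CA'

# 1. Same registry values the thread quotes from the blog, but 10 years instead of 5.
certutil -setreg ca\ValidityPeriod 'Years'
certutil -setreg ca\ValidityPeriodUnits 10

# 2. Certificate Services reads these values at start-up, so restart it.
Restart-Service -Name certsvc

# 3. Verify by reading the values straight from the CertSvc configuration key
#    (this is the key certutil -setreg ca\... writes to).
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"
$cfg = Get-ItemProperty -Path $regPath
'Issued certificate validity is now {0} {1}' -f $cfg.ValidityPeriodUnits, $cfg.ValidityPeriod

# 4. Caveat check: an issuing CA caps every certificate at its own NotAfter date.
#    Find the root CA's own certificate (the one with the private key, in the
#    machine Personal store) and compare its remaining lifetime to the new setting.
$rootCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caName*" -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if ($null -eq $rootCert) {
    Write-Warning "No CA certificate for CN=$caName found in Cert:\LocalMachine\My; check the placeholder name."
} else {
    $yearsLeft = ($rootCert.NotAfter - (Get-Date)).TotalDays / 365.25
    if ($yearsLeft -lt [int]$cfg.ValidityPeriodUnits) {
        Write-Warning ('Root CA certificate expires in {0:N1} years; a subordinate certificate issued now will be truncated to that, not {1} years.' -f $yearsLeft, $cfg.ValidityPeriodUnits)
    } else {
        'Root CA certificate has {0:N1} years left; a {1}-year subordinate certificate can be issued.' -f $yearsLeft, $cfg.ValidityPeriodUnits
    }
}
```

Only after this does the rest of the thread's sequence apply: generate the renewal request on Server2, submit it to Server1, install the issued certificate on Server2 (for example with `certutil -installCert`), and take Server1 offline again. The registry value controls what Server1 will issue from now on; it does not retroactively change the certificate Server2 already holds.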