Your network contains an Active Directory domain named contoso.com. The network contains a
server named Server1 that runs Windows Server 2012. Server1 has the Active Directory Certificate
Services server role installed. Server1 is configured as an offline standalone root certification
authority (CA).
You install the Active Directory Certificate Services server role on Server2 and configure the server as
an enterprise subordinate CA.
You need to ensure that the certificate issued to Server2 is valid for 10 years.
What should you do first?
A. Modify the subordinate CA certificate template.
B. Modify the registry on Server2.
C. Modify the registry on Server1.
D. Modify the CAPolicy.inf file on Server2.
E. Modify the CAPolicy.inf file on Server1.
D.
http://www.sysadmins.lv/blog-en/how-to-change-ca-certificate-validity-period.aspx
That article explicitly states to use certutil for a Subordinate CA, and the certutil commands simply set registry keys:
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod Years
net stop certsvc && net start certsvc
So ‘C’ is correct.
Why not E?
“Root CA certificate validity can be set only during AD CS role installation. It is not possible to change root CA certificate validity without certificate renewal. If your root CA certificate is valid for 5 years (default) and you want to increase this value you must create (or edit existing) CAPolicy.inf file and place it to system root folder (by default C:\Windows). CAPolicy.inf must contain at least this information:”
The certificate Server2 is getting will be coming from Server1 before Server1 is powered off, and it states the default of 5 years cannot be changed and will need to be edited later in the CAPolicy.inf.
I’ve done this in anger and I used D) modify the CAPolicy.inf file to point to a cloned/modified CA template that’s valid for more than the default 5 years.
Answer is C, according to
http://www.aiotestking.com/microsoft/you-install-the-active-directory-certificate-services-server-role-on-server2-and-configure-the-server-as-an-enterprise-subordinate-c/
Answer is D
Billy is right.
Change CAPolicy.inf before install, not after.
Type certutil -getca. Look for ValidityPeriodUnits.
You can reduce as well.