Your network contains an Active Directory domain named contoso.com.
The network contains a server named Server1 that runs Windows Server 2012.
Server1 has the Active Directory Certificate Services server role installed.
Server1 is configured as an offline standalone root certification authority (CA).
You install the Active Directory Certificate Services server role on Server2 and configure the server as an enterprise subordinate CA.
You need to ensure that the certificate issued to Server2 is valid for 10 years.
What should you do first?
A. Modify the registry on Server1.
B. Modify the registry on Server2.
C. Modify the CAPolicy.inf file on Server2.
D. Modify the subordinate CA certificate template.
E. Modify the CAPolicy.inf file on Server1.
Explanation:
The issuing CA is an offline standalone CA, so templates do not apply here. (With an enterprise CA you would simply copy the certificate template, modify it, create a certificate from that new template, and then issue it to Server2.)
Because the issuing CA is a standalone, offline CA (standalone CAs do not use templates), we will simply power the CA server on and modify the registry settings using certutil.exe.
We will then export the new, modified certificate to Server2.
The commands we need to modify the registry are:
certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg ca\ValidityPeriodUnits "5"
http://technet.microsoft.com/en-us/library/hh831348.aspx
http://marckean.wordpress.com/2010/07/28/build-an-offline-root-ca-with-a-subordinate-ca/
Point 4. Set up the root CA to issue certificates with an expiry date of 10 years (it will issue to the Sub CA for 10 years).
Change the following registry path on the Root CA:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\Root-CA\ValidityPeriodUnits
Change the REG_DWORD decimal value to 10.
This changes it to 10 years, so when the Sub CA gets a certificate, it won’t expire for another 10 years.
Modify this entry on the offline Root CA:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\AdatumRootCA\ValidityPeriodUnits
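The following PowerShell sketch is an added example, not part of the original explanation. It applies the 10-year setting from the question on the offline root CA, restarts the CA service so the values take effect, and checks that the root CA's own certificate lasts long enough. It assumes an elevated session on Server1 with a single CA installed; the variable names and the temporary file name are chosen for illustration.

```powershell
# Run in an elevated PowerShell session on the offline root CA (Server1).
$years = 10   # lifetime required for the subordinate CA certificate

# The 'Active' value names the configuration subkey of the installed CA.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$caKey   = Join-Path $cfgRoot $caName

# Record the current maximum validity for certificates this CA issues.
$before = Get-ItemProperty -Path $caKey -Name ValidityPeriod, ValidityPeriodUnits
"Before: {0} {1}" -f $before.ValidityPeriodUnits, $before.ValidityPeriod

# Set the new maximum; certutil writes to the same registry key.
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\ValidityPeriodUnits $years

# The CA service reads these values at start-up, so restart it.
Restart-Service -Name CertSvc

# A CA cannot issue a certificate that outlives its own certificate.
# Export the root CA certificate (assumed temp file name) and compare dates.
$tmp = Join-Path $env:TEMP 'rootca-check.cer'
certutil -f -ca.cert $tmp | Out-Null
$rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp
$wanted   = (Get-Date).AddYears($years)
if ($rootCert.NotAfter -lt $wanted) {
    Write-Warning ("Root CA certificate expires {0:u}; a subordinate CA certificate issued now will end on that date, not in {1} years." -f $rootCert.NotAfter, $years)
} else {
    "Root CA certificate is valid until {0:u}; a {1}-year subordinate certificate fits." -f $rootCert.NotAfter, $years
}

# Confirm the values the CA will use for the next issuance.
certutil -getreg CA\ValidityPeriod
certutil -getreg CA\ValidityPeriodUnits
```

After Server2's request is issued, `certutil -dump` on the resulting certificate file shows the NotBefore and NotAfter dates, which confirms the lifetime actually granted.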