Create and enroll certificates for Certificate Based Authentication on mobile phones

The purpose of this step-by-step article is to create user certificates with a validity period of 3 years instead of the default one year.

Since all users will visit the IT services desk to have the certificates installed on their mobile devices, we will use the “Enroll on behalf” option in ADCS 2008R2.

On my next article, we will see how to configure Forefront TMG 2010 to use Kerberos Constrained Delegation with Exchange Server 2010 SP1.

Note: not all steps are required in every organization. Use what fits you best.

Logged on as the Domain Administrator, open the User certificate MMC Snap-in:

Right-click on the Personal certificate store, and choose “All tasks”, “Request new certificate”:

In the first window click ‘Next’:

Choose your enrollment policy:

In the certificate template screen choose “Enrollment Agent” and click “Enroll”:

This is what you should see:

The new certificate is in your personal certificate store and you can now enroll certificates on behalf of other users:

To assign this privilege to other users, right-click your personal certificate store, choose “All Tasks”, “Advanced Operations”, “Enroll On Behalf Of”:

Click “Next” on the first screen:

Choose your Enrollment policy:

Click “Browse” to choose the enrollment agent certificate you just created:

Choose your certificate and Click “OK”:

Click “Next”:

Choose the “Enrollment Agent” certificate template again, and click “Next”:

Click “Browse” to select the user you would like to enroll the certificate to:

Here I chose one user from the helpdesk staff:

It looks like this; now click “Enroll”:

And now you can choose whether to enroll another user or finish the operation:

Now you can see that IT Helpdesk users 1 and 2 also have the ability to enroll certificates on behalf of users:

That’s done; let’s create the certificate template for the mobile devices:

Open your CA console, expand to “Certificate templates”, then right click it and choose “Manage”:

This will open the certificate templates snap-in. Scroll down to the User certificate template and choose “Duplicate Template”:

It will ask which template version you would like to create; I normally choose Windows Server 2008:

Once you press OK, the new certificate template opens. Name your certificate template and change the certificate validity period. I think 3 years is more than enough:

Switch to the “Issuance Requirements” tab and change the following:

· Check the “This number of authorized signatures” box and type ‘1’ in the box.

· Make sure that the policy type required in the signature is “Application policy”.

· Change the Application policy to “Certificate Request Agent” from the drop down menu.

· Click OK to close the template.

This is only halfway. You also need to start the registry editor and go to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<Your CA Name>.

There, look for the value “ValidityPeriodUnits” and change it from 2 (the default) to as high as you want. Note that the validity period on the template can only be as long as the value set in the registry (i.e. even if you set the certificate template to 10 years and the registry is set to 3, you will only be able to extend the validity period to 3 years). This change does not affect predefined templates.

Now you can see the template in the templates list:

Go back to your CA mmc snap-in, and from “Certificate Templates”, choose “New”, “Certificate template to issue”:

Choose your new template and click OK:

You can see it under “Certificate Templates”:
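As an added check, not part of the article, the PowerShell below reads the CA registry cap and the duplicated template's settings from Active Directory and warns where they disagree with the steps above; the template name and CA name are placeholders you substitute with your own.

```powershell
# Added check (not part of the article): confirm that the duplicated template
# and the CA registry cap described above line up. Run on the CA host.
# $TemplateName and $CaName are assumed placeholders; substitute your own.
param(
    [string]$TemplateName = 'MobileUser3Y',
    [string]$CaName       = 'Your CA Name'
)

# 1. Registry cap from HKLM\...\CertSvc\Configuration\<CA name>
$regPath  = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
$reg      = Get-ItemProperty -Path $regPath
$capYears = switch ($reg.ValidityPeriod) {
    'Years'  { [double]$reg.ValidityPeriodUnits }
    'Months' { $reg.ValidityPeriodUnits / 12 }
    'Weeks'  { $reg.ValidityPeriodUnits / 52 }
    default  { $reg.ValidityPeriodUnits / 365 }   # 'Days'
}

# 2. Template object from the Configuration partition (no RSAT module needed)
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tpl = [ADSI]("LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services," +
              "CN=Services,$configNC")

# pKIExpirationPeriod is stored as a negative 64-bit interval in 100 ns ticks
$raw      = [byte[]]$tpl.Properties['pKIExpirationPeriod'].Value
$lifetime = [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($raw, 0))
$tplYears = [math]::Round($lifetime.TotalDays / 365, 2)

# Issuance Requirements tab: one authorized signature with the
# Certificate Request Agent application policy (OID 1.3.6.1.4.1.311.20.2.1)
$craOid   = '1.3.6.1.4.1.311.20.2.1'
$sigCount = [int]$tpl.Properties['msPKI-RA-Signature'].Value
$raPolicy = (@($tpl.Properties['msPKI-RA-Application-Policies'].Value) -join ' ')

"Template '$TemplateName': validity $tplYears years, $sigCount authorized signature(s)"
"CA cap in registry: $($reg.ValidityPeriodUnits) $($reg.ValidityPeriod)"

if ($sigCount -ne 1) {
    Write-Warning "Template should require exactly 1 authorized signature"
}
if ($raPolicy -notmatch [regex]::Escape($craOid)) {
    Write-Warning "Template does not require the Certificate Request Agent application policy"
}
if ($tplYears -gt $capYears) {
    Write-Warning ("Registry cap ($capYears years) is below the template ($tplYears years); " +
                   "raise ValidityPeriodUnits and restart the CertSvc service to apply it")
}
```

The registry value is only read when the CA service starts, so a changed ValidityPeriodUnits takes effect after CertSvc is restarted.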

Now, let’s request a certificate on behalf of a user:

Right-click your personal certificate store, then choose “All Tasks”, “Advanced Operations”, “Enroll On Behalf Of”:

Click “Next” on the first screen:

Then, choose your Enrollment policy:

Click “Browse” to choose your enrollment agent certificate:

Choose your signing certificate and click “OK” (note that you now have more than one):

Choose your new certificate and click “Next”:

Select the user you want to enroll the certificate to and click “Enroll”:

That’s it. Your user’s certificate is ready: