This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 51%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECK%3C/text%3E%3C/svg%3E)
Here's one for the ages. I built a new subCA from a base Server 2019 build. I have done this several times in the past. I issued it a 10year cert from the RootCA. So far everything is good. I configured certificates to be valid for two years. Now when we request certificates using the default IPSec (Offline request) template it issues certificates for 2yrs and 10 minutes. It's driving me nuts. I currently have a case open with Microsoft and they have no idea what it is.
Anyone that can help me figure this out? I've hit a wall. I have exhausted all my avenues and apparently Microsoft's...
Thanks,
Chris
It is a clock skew. CA adds it to all signed stuff, such as certificates and CRLs to allow clocks between enrollment client and CA server to be out of sync for a bit: +/- 5mins. 5 mins is not a random value, it is derived from Kerberos threshold. The behavior you are observing is expected, correct and by design. You should not do anything with it.
Thanks @Vadims Podāns . I did see that while doing research regarding the clock skew. Normally I wouldn't care but we are getting certified by a third party authority and it cannot be more than three years for a validity period. So I brought it down to 2 years temporarily. Do you have a link to an official MSFT article that I can provide them? They may have to adjust their criteria for certification.
Thanks!
Chris
I don't think it is officially documented anywhere. For official confirmation you may need to reach Microsoft Support.
10 minutes added mysteriously ¯_(ツ)_/¯
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Chris Krikorian ,
Thank you for posting here.
Based on my knowledge, the validity period of any certificate generated by a Windows CA is the lesser of these three values:
(1)The remaining lifetime of the root CA server
(2)The value specified in the certificate template
(3)The value specified in the CA server registry (default is 2 years)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriodUnits
I found the Exchange certificate issued using CAExchange certificate template in Issued Certificates container on CA server is also adding 10 minutes .
Do all the certificates issued by the CA have the same problem?
Best REgards,
Daisy Zhou
Thanks Daisy. Registry setting and template are all correct. Every certificate this CA issues has 10 minutes added.