I recently received this error for a certificate I was requesting through the CA Web Enrollment site.
Microsoft Active Directory Certificate Services
Your certificate request was denied.
Your Request Id is XXX. The disposition message is “Denied by Policy Module The certificate validity period will be shorter than the Certificate Template specifies, because the template validity period is longer than the maximum certificate validity period allowed by the CA. Consider renewing the CA certificate, reducing the template validity period, or increasing the registry validity period. “.
Contact your administrator for further information.
The certificate template was set to be valid for 5 years. There are 3 reasons you might get this error:
- The CA’s certificate’s remaining validity is less than the requested validity period of the certificate.
For example, if the CA’s certificate expires in 1 year from today, it can only issue certificates that are valid for 1 year or less. In this case, renew the CA’s certificate with a validity period longer than the desired validity period of the certificates you issue. In fact, make it long enough that you aren’t having to manually renew it too frequently. For example, if you regularly issue certificates that are valid for 2 years, make the CA’s certificate valid for at least 3 years so you can issue certificates for a year without having to renew the CA cert again (if you made it valid for 4 years, you’d be able to issue certificates for 2 years before you need to renew it, etc).
To fix this problem, you need to modify/create the CAPolicy.inf file at %SYSTEMROOT% (i.e. c:\Windows) with the following text:
[Version]
Signature="$Windows NT$"

[certsrv_server]
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=25
certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg ca\ValidityPeriodUnits 5
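The error message names three limits: the template validity period, the CA certificate's lifetime and the registry validity period. As an added example (not part of the original post), this PowerShell function compares the three and reports which one caps the certificate lifetime. The function and parameter names are hypothetical and the dates are constructed; on a live CA the registry values can be read with certutil -getreg ca\ValidityPeriod and certutil -getreg ca\ValidityPeriodUnits.

```powershell
# Added example: which of the three limits caps a new certificate's lifetime?
function Add-Period {
    param([datetime]$Start, [string]$Period, [int]$Units)
    switch ($Period) {
        'Years'  { return $Start.AddYears($Units) }
        'Months' { return $Start.AddMonths($Units) }
        'Weeks'  { return $Start.AddDays(7 * $Units) }
        'Days'   { return $Start.AddDays($Units) }
        'Hours'  { return $Start.AddHours($Units) }
        default  { throw "Unsupported period unit: $Period" }
    }
}

function Get-EffectiveNotAfter {
    param(
        [datetime]$Now,
        [string]$TemplatePeriod, [int]$TemplateUnits,   # validity set on the certificate template
        [string]$RegistryPeriod, [int]$RegistryUnits,   # CA\ValidityPeriod and CA\ValidityPeriodUnits
        [datetime]$CaNotAfter                           # expiry date of the CA's own certificate
    )
    $templateEnd = Add-Period $Now $TemplatePeriod $TemplateUnits
    $limits = @(
        [pscustomobject]@{ Limit = 'Template validity period';    NotAfter = $templateEnd }
        [pscustomobject]@{ Limit = 'CA registry validity period'; NotAfter = (Add-Period $Now $RegistryPeriod $RegistryUnits) }
        [pscustomobject]@{ Limit = 'CA certificate expiry';       NotAfter = $CaNotAfter }
    )
    # The earliest end date wins; anything earlier than the template's end date
    # is the situation the disposition message describes.
    $binding = $limits | Sort-Object NotAfter | Select-Object -First 1
    [pscustomobject]@{
        BindingLimit        = $binding.Limit
        NotAfter            = $binding.NotAfter
        ShorterThanTemplate = ($binding.NotAfter -lt $templateEnd)
    }
}

# Constructed scenario: 5-year template, 2-year registry limit (assumed value),
# CA certificate expiring one year from "today".
$today = [datetime]'2025-01-01'
Get-EffectiveNotAfter -Now $today -TemplatePeriod Years -TemplateUnits 5 `
    -RegistryPeriod Years -RegistryUnits 2 -CaNotAfter ([datetime]'2026-01-01')

# Same template after the changes above: CA certificate renewed for 25 years,
# registry limit raised to 5 years.
Get-EffectiveNotAfter -Now $today -TemplatePeriod Years -TemplateUnits 5 `
    -RegistryPeriod Years -RegistryUnits 5 -CaNotAfter ([datetime]'2050-01-01')
```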
Thank you for this blog article. It aided me in solving my unique problem.