
Creating Short-Lived X.509 Certificates

Sometimes you need to do something that is not possible with the standard administration tools. Then you have no choice but to dive deeper, and along the way you might find something completely different from what you expected.

If you have ever worked with Microsoft Certificate Authority, and with certificate templates in particular, you may know that the minimum certificate validity period you can set with the standard management tools is one hour.

Hmmm, but what if for some reason you need less than that? Well, that's where the adventure begins...

First you need to find where the certificate templates are stored. In the case of an Enterprise CA they live under the following path in the Active Directory configuration partition: CN=Certificate Templates,CN=Public Key Services,CN=Services.

So you open it with your tool of choice, quickly find your template by name, look at the attributes and... WTF? It's binary!

Now it's RTFM time. MSDN says: "The attribute is an 8-byte octet string that initializes the FILETIME structure". That is nothing new; FILETIME is widely used in Active Directory, but usually it is stored as LARGEINTEGER rather than OCTETSTRING, and those leading "FF FF FF" bytes look suspicious: a period value can be neither that large nor negative, which contradicts the semantics of the attribute.

The thing is: for some reason the attribute actually stores a negative FILETIME value, and this has to be taken into account when working with such attributes.

The script below sets the required value (in minutes) and takes two parameters: the actual name of the certificate template in question (caution: not its display name) and the validity interval in minutes.

param(
    [Parameter(Mandatory=$true, Position = 0)]
    [string]$TemplateName,
    [Parameter(Mandatory=$true, Position = 1)]
    [int]$Minutes
)
Import-Module ActiveDirectory
# Templates live in the configuration partition (see the path above)
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateName," +
      "CN=Certificate Templates," +
      "CN=Public Key Services," +
      "CN=Services," +
      $configNC
# FILETIME counts 100-nanosecond ticks; the attribute stores the period as a NEGATIVE tick count
$value = [TimeSpan]::FromMinutes($Minutes).TotalSeconds * -10000000
# 8-byte little-endian Int64, as the octet string attribute expects
$value = [BitConverter]::GetBytes([Int64]$value)
Set-ADObject -Identity $dn -Replace @{pKIExpirationPeriod=$value}

Please note that you need to add at least ten minutes to your desired value, because the CA server sets the certificate's validity start ten minutes in the past.
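To check what you see in the attribute editor against what the script writes, here is the same encoding (negative FILETIME tick count, little-endian Int64) worked through in Python. It is an added example, not part of the original post; the sample value is constructed, and the ten-minute allowance in period_for_desired_lifetime is the backdating described in the note above.

```python
import struct
from datetime import timedelta

TICKS_PER_SECOND = 10_000_000   # FILETIME resolution is 100 ns
CA_BACKDATE_MINUTES = 10        # the CA starts validity ten minutes in the past


def encode_pki_period(minutes: int) -> bytes:
    """Encode a validity period the way pKIExpirationPeriod stores it:
    a negative count of 100 ns ticks packed as little-endian signed Int64."""
    if minutes <= 0:
        raise ValueError("period must be a positive number of minutes")
    ticks = -int(timedelta(minutes=minutes).total_seconds()) * TICKS_PER_SECOND
    return struct.pack("<q", ticks)


def decode_pki_period(raw: bytes) -> timedelta:
    """Decode the 8-byte octet string back into a timedelta.
    Rejects anything that is not the negative encoding the CA expects."""
    if len(raw) != 8:
        raise ValueError("pKIExpirationPeriod must be exactly 8 bytes")
    (ticks,) = struct.unpack("<q", raw)
    if ticks >= 0:
        raise ValueError("expected a negative FILETIME-style tick count")
    return timedelta(microseconds=(-ticks) // 10)   # 100 ns = 0.1 us


def period_for_desired_lifetime(desired_minutes: int) -> int:
    """Minutes to write so the certificate is usable for desired_minutes,
    given that the CA backdates notBefore by ten minutes."""
    return desired_minutes + CA_BACKDATE_MINUTES


# Constructed sample: the one-hour minimum the standard tooling allows.
# The leading bytes come out as FF FF FF, the 'suspicious' value from the post.
ONE_HOUR = encode_pki_period(60)
```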
Kirill Kovalenko @ 13.11.2013
