1. Need to change/extend the subordinate CA certificate validity

2. CA certificate and the template is valid for 5 years but certificates that are issued is showing only 2 years validity.

The validity of a certificate is dependant on below values:
        a. Remaining lifetime of Issuing CA certificate.
        b. Validity as specified in the certificate template.
        c. Registry entries on the CA as described in http://support.microsoft.com/kb/254632/

1. Need to change/extend the subordinate CA certificate validity

   On the Root/Parent CA check the below registry entries.

              HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>

              ValidityPeriod

              ValidityPeriodUnits

   ValidityPeriod can have "Days" "Weeks" "Months" "Years" as values

   ValidityPeriodUnits can be an integer as per requirement.

   Restart the certificate services on the Root/Parent CA.

   Renew the Subordinate CA certificate.

2. CA certificate and the template is valid for 5 years but certificates that are issued is showing only 2 years validity. Need to have certificates issued based on template validity.

  Check the registry key on the Issuing CA and update the values as required.

              HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>

  ValidityPeriod can have "Days" "Weeks" "Months" "Years" as values. Set it to "Years"

  Set the ValidityPeriodUnits equivalent to the CA certificate validity.

  Restart the certificate services on the Issuing CA.

  Issue/Renew the certificate.

3. Certificates issued by the CA should be valid only for a 3 months irrespective of the template validity or CA certificate validity. 

  On the Issuing CA, open registry.

              HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>

  Set the ValidityPeriod to "Months"

  Set the ValidityPeriodUnits to 3.

  Restart the certificate services on the Issuing CA.

  Issue/Renew the certificate.