If you like my howtos (Server 2008R2-Exchange 2010 and Server 2012-Exchange 2013) for an internal certification authority and SAN certificates, you may also want to issue certificates with a validity of more than 2 years. A validity of more than 2 years can be specified in the certificate template. However, the issued certificates are still only valid for 2 years from the time of the request.
The reason for the 2-year validity period is a setting of the CA, where the maximum certificate age is preset to 2 years. The current value can be checked with the following commands:
certutil -getreg ca\ValidityPeriodUnits
certutil -getreg ca\ValidityPeriod
The two commands output the value and unit, in this case 2 years.
In order for certificates with a longer validity period to be issued, the maximum certificate age of the CA must first be adjusted. In this case, the value for ValidityPeriodUnits is increased to 5:
certutil -setreg ca\ValidityPeriodUnits "5"
This, together with the unit of ValidityPeriod, results in a maximum age of 5 years.
This change does not apply to certificates that have already been issued.
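The following PowerShell sketch is an added example, not part of the original article. It shows which limit decides the expiry date of a newly issued certificate: the template validity, the CA's ValidityPeriodUnits/ValidityPeriod setting, or (going beyond the article) the expiry of the CA certificate itself, past which a Windows CA does not issue. The function names, dates and values are constructed for illustration.

```powershell
# Added example: the earliest of three limits becomes the certificate's NotAfter.
function Add-Validity {
    param([datetime]$Start, [int]$Units, [string]$Period)
    # Unit names as used by the CA's ValidityPeriod value.
    switch ($Period) {
        'Years'  { return $Start.AddYears($Units) }
        'Months' { return $Start.AddMonths($Units) }
        'Weeks'  { return $Start.AddDays(7 * $Units) }
        'Days'   { return $Start.AddDays($Units) }
        'Hours'  { return $Start.AddHours($Units) }
        default  { throw "Unknown ValidityPeriod '$Period'" }
    }
}

function Get-EffectiveNotAfter {
    param(
        [datetime]$IssuedOn,
        [int]$TemplateUnits, [string]$TemplatePeriod,
        [int]$CaUnits, [string]$CaPeriod,
        [datetime]$CaCertNotAfter
    )
    $limits = @(
        [pscustomobject]@{ Limit = 'Template';       NotAfter = (Add-Validity $IssuedOn $TemplateUnits $TemplatePeriod) }
        [pscustomobject]@{ Limit = 'CA registry';    NotAfter = (Add-Validity $IssuedOn $CaUnits $CaPeriod) }
        [pscustomobject]@{ Limit = 'CA certificate'; NotAfter = $CaCertNotAfter }
    )
    # Pick the earliest date; on a tie the first entry in the list wins.
    $winner = $limits[0]
    foreach ($l in $limits) { if ($l.NotAfter -lt $winner.NotAfter) { $winner = $l } }
    $winner
}

# Constructed sample values: issue date and expiry of the CA's own certificate.
$common = @{
    IssuedOn       = [datetime]'2024-01-15'
    TemplateUnits  = 5; TemplatePeriod = 'Years'
    CaCertNotAfter = [datetime]'2028-06-30'
}

# Template asks for 5 years, CA setting still at 2 years: the CA setting decides.
Get-EffectiveNotAfter @common -CaUnits 2 -CaPeriod 'Years'

# After ValidityPeriodUnits is raised to 5: the CA certificate's expiry now decides.
Get-EffectiveNotAfter @common -CaUnits 5 -CaPeriod 'Years'
```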