When adding a new Skype for Business server to an existing topology, I came across the following error statement whilst trying to request a certificate from the internal certificate authority:
Command execution failed: Error Constructing or Publishing Certificate. The certificate validity period will be shorter than the “template name” certificate template specifies, because the template validity period is longer than the maximum certificate validity period allowed by the CA. Consider renewing the CA Certificate, reducing the template validity period, or increasing the registry validity period.
A screen shot of the error
The problem is down to a configuration issue with the certificate authority used for the request. I decided to perform some due diligence checking against what was currently configured. First checking the certificate template used, I could establish that the validity period of the template was 3 years.
Next, I decided I would double check the root certificate had not expired; as you can see from the screen shot, it is within its validity period.
Next on the list of advice from the error was to check the registry validity period on the certificate authority server. You can check the values by browsing to the following locations using the registry editor:
The two entries you need to be concerned with are:
- ValidityPeriod – This should be set to Years
- ValidityPeriodUnits – This will be the number of units in the period set by the Validity Period (in my case: 2 Years)
By default, the registry validity period is set to two years.
As we can see, there is a discrepancy: the certificate template specifies a 3 year validity period, whilst the registry on the CA server caps issued certificates at 2 years.
Changing the registry validity period to a value equal to or higher than the template's is the recommended resolution to this error. Change the ValidityPeriodUnits value to a higher number, e.g. 10.
Then restart the certificate authority service for the changes to take effect.
If you are not comfortable with the registry editor method, you can alternatively use certutil to achieve this.
Open Command Prompt as an elevated administrator and type:
certutil -getreg CA\ValidityPeriod
certutil -getreg CA\ValidityPeriodUnits
These commands will output the current configured values:
To change the value of the validity period type the following command:
certutil -setreg CA\ValidityPeriodUnits 10
(where 10 is the number of units you want to set)
Again, restart the certificate authority service for these changes to take effect.
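The checks above, gathered into one script as an added example (not part of the original post): it reads the CA's registry cap, compares it with the template validity, checks that the CA's own certificate can still cover a full template lifetime (the error's other hint), and with -Fix applies the same certutil change and service restart. It assumes an elevated PowerShell on the CA server, that the template validity is passed in as years, and that the CA certificate sits in the machine's personal store under the CA name recorded in the CertSvc configuration key.

```powershell
# Added example, not from the original post. Assumptions: run elevated on the
# CA server; template validity supplied in years (3 in the post); the CA cert
# is in Cert:\LocalMachine\My with a subject CN equal to the CA config name.
param(
    [int]$TemplateValidityYears = 3,   # what the certificate template specifies
    [int]$DesiredUnits = 10,           # new ValidityPeriodUnits value (post uses 10)
    [switch]$Fix
)

$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$caKey   = Join-Path -Path $cfgRoot -ChildPath $caName

# 1. Registry cap: ValidityPeriod is the unit, ValidityPeriodUnits the count.
$period = (Get-ItemProperty -Path $caKey -Name ValidityPeriod).ValidityPeriod
$units  = (Get-ItemProperty -Path $caKey -Name ValidityPeriodUnits).ValidityPeriodUnits
$unitYears = @{ Years = 1; Months = 1/12; Weeks = 7/365.25; Days = 1/365.25 }
$capYears  = $units * $unitYears[$period]
Write-Host "Registry cap      : $units $period"
Write-Host "Template validity : $TemplateValidityYears Years"

$registryTooShort = $capYears -lt $TemplateValidityYears
if ($registryTooShort) {
    Write-Warning 'Registry cap is shorter than the template; requests will hit the error.'
}

# 2. CA certificate: an issued certificate can never outlive the CA's own
#    certificate, so raising the registry cap alone does not help near expiry.
$caCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caName*" } |
    Sort-Object -Property NotAfter -Descending | Select-Object -First 1
if ($caCert) {
    $yearsLeft = (New-TimeSpan -Start (Get-Date) -End $caCert.NotAfter).Days / 365.25
    Write-Host ('CA cert expires   : {0:yyyy-MM-dd} ({1:N1} years left)' -f $caCert.NotAfter, $yearsLeft)
    if ($yearsLeft -lt $TemplateValidityYears) {
        Write-Warning 'CA certificate expires before a full template lifetime; consider renewing it.'
    }
}

# 3. The post's fix: raise ValidityPeriodUnits, then restart the CA service.
if ($Fix -and $registryTooShort) {
    & certutil.exe -setreg 'CA\ValidityPeriodUnits' $DesiredUnits | Out-Null
    Restart-Service -Name CertSvc
    Write-Host "ValidityPeriodUnits set to $DesiredUnits and CertSvc restarted."
}
```

Run it once without -Fix to see all three values side by side before changing anything.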
Once changed you will be able to request your Skype for Business certificates once more.