
I am wondering what will happen when a certificate template with a 2-year validity period (for example) issues a certificate while the CA certificate expires in 1 year.

I can think of 2 things that could possibly happen, but this is just guessing; that's why I would like to know. I think possibly the following will happen:

  • You get a notification of some sort.
  • The issued certificate will get an expiration date of 1 year, not 2.

Can anyone tell me what will happen?

1 Answer


The issued certificate will get an expiration date of 1 year, not 2.

This is the correct answer. ADCS will sign the certificate; however, the issued certificate's validity will not exceed the CA certificate's validity and will be limited to 1 year.

To avoid this, you should renew the CA certificate in advance. At best, X years prior to CA certificate expiration, where X is the longest validity period specified in the operational certificate template settings. That is, if the longest validity provided by any operational template is 3 years, you should renew the CA certificate 3 years prior to its expiration (and so on).

Another point to consider: always renew the CA certificate with a *NEW* key pair. This will ensure that any client builds only one certification path during chain building. Otherwise you may run into issues where the wrong (expired) chain is selected when better alternatives exist. Do not reuse CA keys.

Crypt32
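The rule in the answer above (issued validity is capped at the CA certificate's NotAfter, so renew X years early where X is the longest published template validity) can be checked against a real enterprise CA from AD. The following PowerShell script is an added example, not code from the original answer: it reads the CA's current certificate and its list of published templates from the pKIEnrollmentService object in the Configuration partition, decodes each template's pKIExpirationPeriod, reports which templates would already be truncated today, and computes the latest renewal date. It assumes a domain-joined machine with the ActiveDirectory module; the CA name 'Contoso Issuing CA' is a placeholder.

```powershell
# Added example (not from the original answer). Checks one ADCS enterprise CA for
# templates whose validity would be cut short by the CA certificate's expiry and
# computes the latest date by which the CA certificate should be renewed.
# Assumes: domain-joined host, ActiveDirectory module, PowerShell 5+.
param(
    [string]$CaName = 'Contoso Issuing CA'   # placeholder: the CA's display name (cn of its Enrollment Services object)
)

Import-Module ActiveDirectory

$configNc = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# The pKIEnrollmentService object carries the CA's current certificate and the
# names (cn) of the templates published on that CA.
$ca = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -LDAPFilter "(&(objectClass=pKIEnrollmentService)(cn=$CaName))" `
        -Properties cACertificate, certificateTemplates
if (-not $ca) { throw "CA '$CaName' not found under CN=Enrollment Services,$pkiBase" }

$raw = $ca.cACertificate
if ($raw -isnot [byte[]]) { $raw = [byte[]]$raw[0] }   # multi-valued attribute: first value is the current cert
$caCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)

function ConvertFrom-PkiPeriod([byte[]]$Bytes) {
    # pKIExpirationPeriod is a little-endian Int64 holding a NEGATIVE count of 100 ns
    # intervals (same unit as .NET ticks), so negate it to get a positive TimeSpan.
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

# Only templates actually published on this CA ("operational" templates in the answer's terms).
$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties displayName, pKIExpirationPeriod |
    Where-Object { $ca.certificateTemplates -contains $_.Name }

$now         = Get-Date
$caRemaining = $caCert.NotAfter - $now

$report = foreach ($t in $templates) {
    $validity = ConvertFrom-PkiPeriod $t.pKIExpirationPeriod
    [pscustomobject]@{
        Template          = $t.displayName
        TemplateValidity  = $validity
        # ADCS never issues beyond the CA certificate's NotAfter: the effective
        # validity is the smaller of the template period and the CA's remaining lifetime.
        EffectiveValidity = if ($validity -lt $caRemaining) { $validity } else { $caRemaining }
        TruncatedToday    = $validity -gt $caRemaining
    }
}
$report | Sort-Object TemplateValidity -Descending | Format-Table -AutoSize

# Renewal deadline = CA NotAfter minus the longest published template validity.
$longest = ($report | Sort-Object TemplateValidity -Descending | Select-Object -First 1).TemplateValidity
$renewBy = $caCert.NotAfter - $longest
Write-Host ("CA '{0}' expires {1:u}; longest published template validity is {2} days." -f `
    $caCert.Subject, $caCert.NotAfter, [int]$longest.TotalDays)
if ($renewBy -le $now) {
    Write-Warning ("Renewal deadline {0:u} has already passed: new certificates are being truncated." -f $renewBy)
} else {
    Write-Host ("Renew the CA certificate (with a new key pair) no later than {0:u}." -f $renewBy)
}

function Test-CaKeyReused {
    # Returns $true when two CA certificates (e.g. pre- and post-renewal) carry the same
    # public key, i.e. the key-reuse situation the answer warns against.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Old,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$New
    )
    return [Convert]::ToBase64String($Old.GetPublicKey()) -eq [Convert]::ToBase64String($New.GetPublicKey())
}
```

After renewing, load the old and new CA certificates (for example via `[X509Certificate2]::new('old.cer')`) and confirm `Test-CaKeyReused` returns `$false`. Two caveats: the script does not account for the CA's own `ValidityPeriod`/`ValidityPeriodUnits` registry cap (visible with `certutil -getreg CA\ValidityPeriodUnits`), which can shorten issued certificates further, and a template's validity may be shorter still if `pKIOverlapPeriod`/renewal settings are in play; the CA NotAfter cap the answer describes applies regardless.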