Health Certificate Validity Period Is Not Enforced
Updated: March 29, 2012
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
This problem typically occurs when you are using an enterprise Network Access Protection (NAP) certification authority (CA) to issue health certificates for the NAP with Internet Protocol security (IPsec) enforcement method. To allow Health Registration Authority (HRA) to configure the health certificate validity period to something different from the value provided in the certificate template, you must perform the following procedure.
The validity period of NAP health certificates that are issued from an enterprise NAP CA might be longer than the validity period configured in the CA properties of the HRA snap-in.
To allow HRA to set the health certificate validity period, use the Certutil.exe command-line tool to configure the EDITF_ATTRIBUTEENDDATE attribute.
If NAP client computers receive health certificates with long validity periods, new network health requirements might not be enforced until the client computer is restarted.
You can repair this problem by configuring registry settings on an enterprise CA with the Certutil.exe command-line tool that is installed as part of Active Directory® Certificate Services (AD CS).
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
Click Start, right-click Command Prompt, and then click Run as administrator.
In the command window, type Certutil.exe -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE, and then press ENTER.
In the command window, type net stop certsvc && net start certsvc, and then press ENTER.
Verify that AD CS stops and starts successfully.