Re: How do I change the validity period of certificates issued by a CA?
From: bugmaker  
Date: 26.08.04 15:25
Hello, bugmaker, you wrote:

B>How do I change the validity period of certificates issued by a Windows 2000 CA?

B>Where is this setting located?

Thanks everyone, I have already found it.

The lifetime of a certificate issued by a Windows 2000 Certificate Authority (CA) is one year by default. After one year, the certificate expires and is not trusted for use. There may be situations when you need to override the default expiration date for certificates issued by an intermediate or an issuing CA.

The registry validity period affects all certificates that are issued by Standalone and Enterprise CAs. For Enterprise CAs, the default registry setting is two years. For Standalone CAs, the default registry setting is one year. For certificates that are issued by Standalone CAs, the validity period is governed by the registry entry that is discussed below. This value applies to all certificates that are issued by the CA.

For certificates that are issued by Enterprise CAs, the validity period is hard-coded in the template that is used to create the certificate. Windows 2000 does not support modification of these templates. The template validity period is applied to all certificates that are issued by an Enterprise CA. There is no exception for the subordinate CA certificate templates.

A certificate that is issued by a CA is valid for the minimum of the following:
- The registry validity period that is noted earlier in this article.
- The template validity period. This is only for an Enterprise CA.
- The expiration date of the CA certificate.

Note: The Request Attribute name is made up of value string pairs that accompany the request and that specify the validity period. By default, this is enabled by a registry setting only on a Standalone CA.

To modify the validity period settings for a CA, follow these steps.

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT or Windows 2000, you should also update your Emergency Repair Disk (ERD).

1. Start Registry Editor.
2. Locate the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAname>
3. Double-click the ValidityPeriod REG_SZ registry value and change the validity period to one of the following choices: Days, Weeks, Months, or Years.
4. Double-click the ValidityPeriodUnits REG_DWORD registry value and change the number of days, weeks, months, or years you want (for example, 1, 2, 3, and so on).
5. Stop and restart Certificate Services.
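
The "minimum of the following" rule quoted above, as an added example that is not part of the original post or of the quoted Microsoft article: it shows why raising ValidityPeriodUnits alone may not lengthen issued certificates. The function names, the sample dates, and the calendar arithmetic for months and years are assumptions made for illustration.

```python
import calendar
from datetime import datetime, timedelta

def add_period(start, period, units):
    """Add `units` of `period` (Days, Weeks, Months, Years) to `start`.

    Assumption: months and years are counted as calendar units, clamped to
    the last day of the target month; the CA's own arithmetic may differ.
    """
    period = period.lower()
    if period == "days":
        return start + timedelta(days=units)
    if period == "weeks":
        return start + timedelta(weeks=units)
    if period in ("months", "years"):
        total = start.month - 1 + units * (12 if period == "years" else 1)
        year, month = start.year + total // 12, total % 12 + 1
        day = min(start.day, calendar.monthrange(year, month)[1])
        return start.replace(year=year, month=month, day=day)
    raise ValueError(f"unsupported ValidityPeriod: {period!r}")

def effective_not_after(issued, ca_not_after, reg_period, reg_units, template=None):
    """Return (expiry, limiting_factor) for a certificate issued at `issued`.

    `template` is a (period, units) pair and is passed only for an
    Enterprise CA; a Standalone CA has no template limit.
    """
    limits = {
        "registry": add_period(issued, reg_period, reg_units),
        "ca_certificate": ca_not_after,
    }
    if template is not None:
        limits["template"] = add_period(issued, *template)
    factor = min(limits, key=limits.get)
    return limits[factor], factor

if __name__ == "__main__":
    # Constructed sample values, not taken from a real CA.
    issued = datetime(2004, 8, 26)
    ca_expires = datetime(2006, 1, 1)
    # Standalone CA, registry raised to 5 years: the CA certificate still caps it.
    print(effective_not_after(issued, ca_expires, "Years", 5))
    # Enterprise CA with a 1-year template: the template is the limit.
    print(effective_not_after(issued, ca_expires, "Years", 5, ("Years", 1)))
```

When the limiting factor is the CA certificate, the registry change has no visible effect until the CA certificate itself is renewed with a later expiration date.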