如何檢是目前 CA 視為獨立CA 還是企業 CA?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{Your CA name}\CAType
CAType = 0 (This means it is installed as Enterprise Root CA)
CAType = 1 (This means it is installed as Enterprise Subordinate CA)
CAType = 3 (This means it is installed as Stand Alone CA)
CAType = 4 (This means it is installed as Stand Alone Subordinate CA)
GOAL:
=====
To increase the Validity Period of the Enterprise Root CA.
RESOLUTION:
===========
1.CA server 本身的 生命期限
How to renew the CA certificate:
Go to the Certificate Authority and highlight the server name.
Right click and go to All Tasks. At the bottom is the option to renew CA certificate. 
This will ask you to stop the Certificate Services. Select yes. 
It brings up a dialog box with the option to generate a new public and private key. Select yes. 
It will now start the Certificate Services and your CA certificate will be renewed.
Go to start, run and type in mmc.
Go to the conosole and highlight Add/Remove Snap-in.
Click on the add button. Then choose the Certificates snap-in. 
Add the snap-in for the Computer Account, hit the next button and select for the local computer and hit finish.
You should now have the console open for the certificates for the local computer.
Expand out the personal certificates.
Highlight the certificates on the left side and in the right pane it will show the certificates issued for the local CA.
You should now highlight the certificate with the expiration of 15 years. (2024)
Double click on it to bring up the current certificate with the new expiration date.
Now you should be able to extend the length of time for a client certificate. 
2.capolicy.inf 檔的日期比對
Create a new text file in notepad. Type it exactly like it is below.
However, you can change the validity period to whatever the number of years you want. You are going to save the file as capolicy.inf under the %windir% directory.
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
Save it as a Capolicy.inf under the %windir% directory.
Then go back and renew your Stand Alone Certificate Authority.
Now you should be able to issue client certificates for the length of time in years that you want.
3.client端所持憑證的到期日
HOW TO:更改Windows 2000 憑證授權所發行的認證到期日期 (windows 2003適用)
http://support.microsoft.com/default.aspx?scid=kb;zh-tw;254632
Sample為
=======
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSrv\Configuration\<CAname>
如果我目前拿到的CA KEY 開始日為2000年1月
那我想在2010年才讓它到期,我可以這樣改
ValidityPeriod REG 打 year
ValidityPeriodUnits 打 10 
