Below is an issue faced by one of my clients last week: they were not able to issue certificates with more than 5 years validity, even though the certificate template is configured with 5 years.
The template above shows a certificate validity period of 5 years, but when a certificate is issued it is valid for only 3 years.
When we run the certutil command:
certutil -getreg ca\validityperiodunits
This shows the problem: the CA allows only three years at the registry level, and the CA will not issue a certificate valid for longer than this limit, whatever the template says. Run the command below to set it to 5 years. Before running it, ensure that a backup of both the CA and the registry has been taken successfully.
certutil -setreg ca\ValidityPeriodUnits 5
Restart the CA service by running the commands below:
net stop certsvc
net start certsvc
Now you will see that certificates are issued with 5 years validity without any issues.
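
The same procedure as one script, given here as an added example and not the author's own commands. It assumes an elevated PowerShell session on the CA server, and the backup folder `C:\CABackup` is a placeholder. It also checks the `ValidityPeriod` unit, so that a limit expressed in days or months is not overwritten by mistake.

```powershell
# Added example. Run elevated on the CA server.
$TargetYears = 5
$BackupDir   = 'C:\CABackup'   # placeholder path, adjust for your environment

# Locate the active CA's configuration key in the registry.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active
$caKey   = Join-Path $cfgRoot $caName

$cur = Get-ItemProperty -Path $caKey -Name ValidityPeriod, ValidityPeriodUnits
"CA '$caName' limit: $($cur.ValidityPeriodUnits) $($cur.ValidityPeriod)"

# The limit is a unit (Years/Months/Weeks/Days) plus a count. Only touch it
# when it is in years; any other unit needs a manual decision first.
if ($cur.ValidityPeriod -ne 'Years') {
    Write-Warning "ValidityPeriod is '$($cur.ValidityPeriod)', not 'Years'. Review before changing."
    return
}
if ($cur.ValidityPeriodUnits -ge $TargetYears) {
    'Registry limit already allows the target validity; nothing to change.'
    return
}

# Back up the CA registry configuration and the CA database before the change.
# (The CA private key is backed up separately with certutil -backupKey.)
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    "$BackupDir\CertSvc-Configuration.reg" /y
certutil -backupDB "$BackupDir\DB"
if ($LASTEXITCODE -ne 0) { throw 'CA database backup failed; no change made.' }

# Raise the limit and restart the service so the new value is read.
certutil -setreg CA\ValidityPeriodUnits $TargetYears
if ($LASTEXITCODE -ne 0) { throw 'certutil -setreg failed.' }
Restart-Service -Name certsvc

# Confirm the value now in effect.
$new = Get-ItemProperty -Path $caKey -Name ValidityPeriod, ValidityPeriodUnits
"New limit: $($new.ValidityPeriodUnits) $($new.ValidityPeriod)"
```

Only certificates issued after the restart get the longer validity, and none can outlive the CA's own certificate.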