Skype for Business–Error Constructing or Publishing Certificate

When adding a new Skype for Business server to an existing topology, I came across the following error whilst trying to request a certificate from the internal certificate authority:

Command execution failed: Error Constructing or Publishing Certificate. The certificate validity period will be shorter than the “template name” certificate template specifies, because the template validity period is longer than the maximum certificate validity period allowed by the CA. Consider renewing the CA Certificate, reducing the template validity period, or increasing the registry validity period.

[Screenshot: the error message shown above]

The problem is down to a configuration issue with the certificate authority used for the request. I decided to perform some due diligence checks against what was currently configured. First, checking the certificate template used, I could establish that the validity period of the template was 3 years.

Next, I decided to double-check that the root certificate had not expired; it was still within its validity period.

Next on the list of suggestions from the error was to check the registry validity period on the certificate authority server. You can check the values by browsing to the following location using the registry editor (where "CA NAME" is the name of your CA):

HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\"CA NAME"

The two entries you need to be concerned with are:

  • ValidityPeriod – the unit of the validity period; this should be set to Years
  • ValidityPeriodUnits – the number of those units (in my case: 2, i.e. 2 years)

By default, the registry validity period is set to two years.

As we can see, there is a discrepancy: the certificate template specifies a 3-year validity period, whilst the registry on the CA server caps issued certificates at a maximum of 2 years.

Changing the registry validity period to a value equal to or greater than the template's validity period is the recommended resolution to this error. Change the ValidityPeriodUnits value to a higher number, e.g. 10.

Then restart the certificate authority service for the change to take effect.

If you are not comfortable with the registry editor method, you can alternatively use CERTUTIL to achieve this.

Open Command Prompt as an elevated administrator and type:

certutil -getreg CA\ValidityPeriod

and

certutil -getreg CA\ValidityPeriodUnits

These commands will output the current configured values:


To change the number of units in the validity period, type the following command:

certutil -setreg CA\ValidityPeriodUnits 10

(where 10 is the number of units you want to set)


Again, restart the certificate authority service for these changes to take effect.

Once changed, you will be able to request your Skype for Business certificates once more.
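The three checks walked through above (registry cap, CA certificate lifetime, template validity) gathered into one diagnostic, as an added example that is not code from the original post. It assumes it is run in an elevated PowerShell on the CA server, that the template is identified by its AD object name (the built-in WebServer is used as a sample), that the Active value under the CertSvc Configuration key names the CA, and that the CA's own certificate sits in the LocalMachine\My store with a subject CN equal to the CA name.

```powershell
# Added diagnostic, not from the original post. Run in an elevated PowerShell on the CA server.
# Assumptions: the template is named by its AD object CN (WebServer is a built-in sample); the
# CA's own certificate is in LocalMachine\My with subject CN equal to the CA name; the 'Active'
# value names the CA, as in a default AD CS install.
param([string]$TemplateName = 'WebServer')

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$caKey  = Get-ItemProperty -Path (Join-Path $cfg $caName)

# 1. Registry cap: ValidityPeriod is the unit name, ValidityPeriodUnits the count (default 2 Years).
#    Days-per-unit is an approximation (the CA uses calendar arithmetic) but is close enough to compare.
$unitDays = switch ($caKey.ValidityPeriod) {
    'Years'  { 365 } 'Months' { 30 } 'Weeks' { 7 } 'Days' { 1 }
    default  { throw "Unsupported ValidityPeriod unit '$($caKey.ValidityPeriod)'" }
}
$registryCap = New-TimeSpan -Days ($unitDays * [int]$caKey.ValidityPeriodUnits)

# 2. CA certificate: an issued certificate can never outlive the certificate that signs it,
#    so the remaining lifetime of the CA certificate is the second cap.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$caName" -or $_.Subject -like "CN=$caName,*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$caRemaining = $caCert.NotAfter - (Get-Date)

# 3. Template validity from AD: pKIExpirationPeriod is a negative 64-bit count of 100 ns ticks.
$rootDse  = [ADSI]'LDAP://RootDSE'
$tplDn    = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
$tpl      = [ADSI]"LDAP://$tplDn"
$ticks    = -[BitConverter]::ToInt64([byte[]]$tpl.pKIExpirationPeriod.Value, 0)
$tplValid = [TimeSpan]::FromTicks($ticks)

# The CA issues for the shorter of the two caps; the error in the post fires when the template asks for more.
$registryLimits = $registryCap -lt $caRemaining
$effectiveCap   = if ($registryLimits) { $registryCap } else { $caRemaining }

[pscustomobject]@{
    CA                   = $caName
    RegistryCap          = "$($caKey.ValidityPeriodUnits) $($caKey.ValidityPeriod)"
    CACertExpires        = $caCert.NotAfter
    TemplateValidityDays = [int]$tplValid.TotalDays
    EffectiveCapDays     = [int]$effectiveCap.TotalDays
    TemplateExceedsCap   = ($tplValid -gt $effectiveCap)
    LimitingFactor       = if ($registryLimits) { 'Registry ValidityPeriodUnits' } else { 'CA certificate expiry' }
}

# Remediation from the post, only when the registry is the limiting factor (not applied automatically):
#   certutil -setreg CA\ValidityPeriodUnits 10
#   Restart-Service CertSvc
```

If LimitingFactor reports the CA certificate expiry rather than the registry, raising ValidityPeriodUnits will not help; the error's other suggestion, renewing the CA certificate, is the relevant one.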
