Extended Kerberos Certificates

This guide creates a Kerberos authentication certificate with a longer validity period than the default. This is useful when using Mideye Server with ADFS and you want to avoid frequent certificate renewals.

1. Configure Certificate Authority for extended validity

On the Certificate Authority (CA) server, open CMD.exe as Administrator and run:

certutil -setreg ca\ValidityPeriodUnits X
certutil -setreg ca\ValidityPeriod Years

Replace X with the desired number of years. The validity period cannot exceed the CA certificate’s own validity.

Restart the Certificate Authority service:

net stop certsvc
net start certsvc

2. Create the certificate template

  1. Open the Certificate Authority console.
  2. Right-click Certificate Templates → Manage.
  3. Right-click the Kerberos Authentication template → Duplicate Template.
  4. On the General tab, set a friendly name and change the Validity period to the desired length.

Certificate template General tab showing the validity period setting

3. Configure permissions and issue the template

  1. On the Security tab, add the computer account of the Domain Controller → OK.
  2. Close the Certificate Templates Console.
  3. In the Certificate Authority console, right-click Certificate Templates → New → Certificate Template to Issue.

Certificate Authority console showing New followed by Certificate Template to Issue

  4. Select the template you created → OK.
  5. Restart the Certificate Authority service.

4. Enroll the certificate on the Domain Controller

  1. On the Domain Controller, open mmc.exe.
  2. File → Add/Remove Snap-in → Certificates → Computer Account → Local Computer → OK.
  3. Expand Certificates → Personal → right-click Certificates → All Tasks → Request New Certificate.
  4. Select the certificate template created above → Enroll.

5. Import the certificate into Mideye Server

  1. Log in to the Mideye Server Admin GUI.
  2. Navigate to Configuration → LDAP Profiles.
  3. Click Modify on the LDAP server.
  4. Click Fetch Certificate and import the new certificate with the extended validity period.

Mideye Server LDAP profile showing the Fetch Certificate button for importing the new Kerberos certificate

  5. Save the configuration.
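
To confirm that the enrolled certificate actually received the extended validity, the following PowerShell check can be run on the Domain Controller. It is an added example, not part of the Mideye guide; `$ExpectedYears` is an assumed placeholder for the value you chose, and the "capped by CA" test is a heuristic that compares the certificate's expiry with that of the issuing CA certificate.

```powershell
# Added verification example, not from the original guide.
# Run in an elevated PowerShell session on the Domain Controller after enrollment.
$ExpectedYears = 5                  # assumption: the validity you set for X and on the template
$KdcAuthOid    = '1.3.6.1.5.2.3.5'  # KDC Authentication EKU, present on Kerberos Authentication certificates

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Keep only certificates whose EKU extension lists KDC Authentication
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { continue }
    $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
    if ($oids -notcontains $KdcAuthOid) { continue }

    # Build the chain to locate the issuing CA certificate and its expiry date
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $issuer  = $null
    if ($chain.ChainElements.Count -gt 1) { $issuer = $chain.ChainElements[1].Certificate }

    $years = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25, 1)

    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        NotBefore      = $cert.NotBefore
        NotAfter       = $cert.NotAfter
        ValidityYears  = $years
        MeetsExpected  = $years -ge ($ExpectedYears - 0.1)
        IssuerNotAfter = if ($issuer) { $issuer.NotAfter } else { $null }
        # Heuristic: expiry equal to the CA certificate's expiry means the CA shortened the validity
        CappedByCA     = [bool]($issuer -and $cert.NotAfter -ge $issuer.NotAfter)
        ChainValid     = $chainOk
    }
}

if (-not $report) {
    Write-Warning 'No certificate with the KDC Authentication EKU found in LocalMachine\My.'
} else {
    # Newest expiry first, so the freshly enrolled certificate is listed at the top
    $report | Sort-Object NotAfter -Descending | Format-List
}
```

If `MeetsExpected` is false and `CappedByCA` is false, run `certutil -getreg ca\ValidityPeriodUnits` on the CA server to confirm the registry change from step 1 is in place and that the service was restarted.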