Article ID: 955805

Problem description

If a certificate that has the subject information access (SIA) extension is installed on a Windows Vista Service Pack 1 (SP1)-based or Windows Server 2008-based computer, applications that involve certificate validation become very slow. For example, you may experience a delay of two to five minutes when you visit a secure Web site or when you verify a file signature.

Cause

This problem is caused by the feature that retrieves cross-certificates by using information in the SIA extension of a certificate. The feature makes sure that cross-certificates are available before a path is built to a trusted root certification authority (CA).

SIA is an optional certificate extension that is present in specific certificates, such as certificates that are cross-certified with a bridge CA. The functionality assumes that the servers that host the cross-certificates are always online. However, a slow network or an offline server can cause a long retrieval time, so you may experience delays during certificate validation. This problem occurs only when certificates that have an SIA extension are in the intermediate CA certificate store or the trusted root CA certificate store of the computer. However, once such a certificate is present, the issue affects every certificate validation on the computer.
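To check whether a computer is in the affected state, the following added example (not part of the original article and not Microsoft's code) lists certificates in the machine intermediate CA and trusted root stores that carry the SIA extension. It assumes the standard RFC 5280 OID for subject information access, 1.3.6.1.5.5.7.1.11, and inspects the extension only, not the certificate property mentioned under "More information".

```powershell
# Added example: find certificates with the Subject Information Access (SIA)
# extension in the two machine stores the article names.
$siaOid = '1.3.6.1.5.5.7.1.11'   # id-pe-subjectInfoAccess (RFC 5280)
$stores = 'Cert:\LocalMachine\CA',    # intermediate CA store
          'Cert:\LocalMachine\Root'   # trusted root CA store

function Get-SiaCertificate {
    param([string[]]$StorePath)
    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path) {
            $sia = $cert.Extensions | Where-Object { $_.Oid.Value -eq $siaOid }
            if ($sia) {
                # Format($true) returns the extension as a multi-line string
                # (decoded where Windows knows the format, otherwise hex).
                New-Object PSObject -Property @{
                    Store      = $path
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    SIA        = $sia.Format($true)
                }
            }
        }
    }
}

# No output means neither store holds a certificate with the SIA extension.
Get-SiaCertificate -StorePath $stores |
    Format-List Store, Subject, Thumbprint, NotAfter, SIA
```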

Resolution

Update information

The following files are available for download from the Microsoft Download Center:

Update for Windows Server 2008 (KB955805)

Download the 955805 package now.

Update for Windows Server 2008 for Itanium-based Systems (KB955805)

Download the 955805 package now.

Update for Windows Server 2008 x64 Edition (KB955805)

Download the 955805 package now.

Update for Windows Vista (KB955805)

Download the 955805 package now.

Update for Windows Vista for x64-based Systems (KB955805)

Download the 955805 package now.

Hotfix information

A hotfix is available to resolve this issue. This hotfix disables this automatic cross-certificate retrieval functionality. To re-enable the automatic cross-certificate retrieval functionality after you install this hotfix, you have to change the registry.

Important: Windows Vista and Windows Server 2008 hotfixes are included in the same packages. However, only one of these products may be listed on the “Hotfix Request” page. To request the hotfix package that applies to both Windows Vista and Windows Server 2008, just select the product that is listed on the page.

Prerequisites

To apply this hotfix, the computer must run Windows Vista Service Pack 1 or Windows Server 2008.

Restart requirement

You may have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other previously released hotfixes.

Registry information

After the installation of this hotfix, to have us re-enable the SIA feature for you, go to the “Fix it for me” section. If you would rather re-enable the SIA feature yourself, go to the “Let me fix it myself” section.

Fix it for me

To re-enable the SIA feature automatically, click the Fix this problem link. Then click Run in the File Download dialog box, and follow the steps in this wizard.

Fix this problem
Microsoft Fix it 50069


Note: This wizard may be in English only; however, the automatic fix also works for other language versions of Windows.

Note: If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD, and then you can run it on the computer that has the problem.

Now go to the "Did this fix the problem?" section.

Let me fix it myself

Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

To re-enable the SIA feature after the installation of this hotfix, follow these steps.
  1. Click Start, type regedit in the Start Search box, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\
  3. On the Edit menu, point to New, and then click Key.
  4. Type ChainEngine, and then press ENTER.
  5. On the Edit menu, point to New, and then click Key.
  6. Type Config, and then press ENTER.
  7. On the Edit menu, point to New, and then click DWORD Value.
  8. Type Options, and then press ENTER.
  9. Double-click the Options registry entry, type 4 in the Value data box, and then click OK.
  10. Exit Registry Editor.
Now go to the "Did this fix the problem?" section.
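
The same registry change can be scripted for computers where Registry Editor is not practical. This is an added example, not part of the original article and not Microsoft's Fix it package; the key path, the value name Options and the data 4 come from the steps above, and the function name is hypothetical. Run it from an elevated PowerShell session.

```powershell
# Added example: scripted form of the manual registry steps.
# Key path, value name and data are the ones given in the article.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config'
$name = 'Options'
$data = 4

function Get-ChainEngineOptions {
    # Returns the current DWORD, or $null when the key or value is absent.
    if (-not (Test-Path -Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item) { return $item.$name }
    return $null
}

$before = Get-ChainEngineOptions
if ($before -eq $data) {
    Write-Output "Options is already $data; nothing to change."
}
else {
    if ($null -ne $before) {
        # The manual procedure overwrites the value; record what was there first.
        Write-Warning "Replacing existing Options value $before with $data."
    }
    # -Force creates the missing ChainEngine and Config keys in one call.
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord `
        -Value $data -Force | Out-Null
    Write-Output "Options is now $(Get-ChainEngineOptions)."
}
```

Because the value lives under the Policies hive, a Group Policy setting that manages the same key can overwrite a local change at the next policy refresh.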

Did this fix the problem?

Check whether the problem is fixed. If the problem is fixed, you are finished with this article. If the problem is not fixed, you can contact support.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Vista and Windows Server 2008 file information note
The .manifest files and the .mum files that are installed in each environment are listed separately in the "Additional file information for Windows Server 2008 and for Windows Vista" section. These files and their associated .cat (security catalog) files are critical to maintaining the state of the updated component. The .cat files are signed with a Microsoft digital signature. The attributes of these security files are not listed.

For all supported 32-bit versions of Windows Server 2008

File name    File version    File size  Date         Time   Platform
Crypt32.dll  6.0.6001.22254  977,920    29-Aug-2008  04:00  x86

For all supported 64-bit versions of Windows Server 2008

File name    File version    File size  Date         Time   Platform
Crypt32.dll  6.0.6001.22254  1,254,912  29-Aug-2008  05:15  x64
Crypt32.dll  6.0.6001.22254  977,920    29-Aug-2008  04:00  x86

For all supported Itanium-based versions of Windows Server 2008

File name    File version    File size  Date         Time   Platform
Crypt32.dll  6.0.6001.22254  2,372,608  29-Aug-2008  05:13  IA-64
Crypt32.dll  6.0.6001.22254  977,920    29-Aug-2008  04:00  x86

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More information

In Windows Server 2008 and in Windows Vista, the Cryptography API 2 (CAPI2) automatically downloads cross-certificates by using URLs in the SIA extension. A chain engine enumerates all roots, and all certificates in the CA store that chain to trusted roots, to look for the SIA extension (or property). If the SIA is found, CAPI2 tries to download cross-certificates. This behavior may cause a long delay when the computer cannot reach the URLs in the SIA extension quickly.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Additional file information for Windows Server 2008 and for Windows Vista

Additional files for all supported 32-bit versions of Windows Server 2008 and Windows Vista
Additional files for all supported 64-bit versions of Windows Server 2008 and Windows Vista
Additional files for all supported Itanium-based versions of Windows Server 2008

Properties

Article ID: 955805 - Last Review: October 8, 2011 - Revision: 5.0
APPLIES TO
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Home Basic 64-bit Edition
  • Windows Vista Home Premium 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
  • Windows Vista Business
  • Windows Vista Business 64-bit Edition
  • Windows Vista Enterprise
  • Windows Vista Home Basic
  • Windows Vista Home Premium
  • Windows Vista Ultimate