Article ID: 295070 - View products that this article applies to.
This article was previously published under Q295070
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/IIS.mspxFor more information about IIS 7.0, visit the following Microsoft Web site:
You may notice significant response differences when you browse to a Secure Sockets Layer (SSL) site and use different client or server certificates.
IIS is attempting to contact and download various certificate extensions as part of the SSL negotiation process. This usually involves Certificate Revocation List (CRL) checking, which is disabled by default in IIS 4.0 but enabled by default in IIS 5.0. For information on how to change the default values for CRL checking, search the IIS online product documentation (located at http://<IISComputerName>/iishelp) for the "CertCheckMode" keyword.
First, make sure that the issuing Certificate Authority (CA) root certificate is installed on the client. For more information on how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
297681Next, contact the CA that is responsible for issuing the certificate and have the CA change the certificate extensions to reflect a faster protocol or download location. For a Microsoft Certificate Authority that is running on Microsoft Windows 2000, this is done through a policy module.
(http://support.microsoft.com/kb/297681/ )Error message: This security certificate was issued by a company that you have not chosen to trust
To change the default policy module, follow these steps:
NOTE: You may also have to perform the previous steps on intermediate CAs.
If the CA that issued your certificate cannot change the certificate extensions to reflect a faster protocol or download location (because the certificate was issued by a third party such as Verisign), fix any network or name resolution problems that may be preventing IIS from downloading files (usually .crl or .crt files) from the servers that are listed in the certificate's extensions.
To troubleshoot this, copy the URLs from the certificate's extensions and paste them into the browser on the IIS server, then use the Microsoft Network Monitor or the Wfetch.exe utility to identify any name resolution or network latency issues as the browser attempts to contact and download the extension files.
For more information about the Wfetch.exe utility, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/284285/ )How to use Wfetch.exe to troubleshoot HTTP connections
View the certificate's certification path and note the extension details for each certificate in the path. The differences in response time are related to these extensions.
For example, view the CRL Distribution Point (CDP) extension details. If IIS is using client certificates, it attempts to locate and download a CRL from each certificate in the path, starting with the first CDP in the list and moving downward.
For example, a CDP that is using an LDAP protocol and pulling the CRL from a LDAP folder may take longer than a CDP that is using an HTTP protocol and pulling the CRL from the local IIS server by using an HTTP GET command.
The following is a sample CDP extension:
NOTE: IIS starts from the first CDP and works downward.
The Authority Information Access (AIA) extension also starts from the first URL and works downward.
The following is a sample AIA extension:
For more information, see the following Knowledge Base article:
(http://support.microsoft.com/kb/289749/ )Certificate Revocation Lists (CRLs) and IIS 5.0 frequently asked questions
Article ID: 295070 - Last Review: July 3, 2008 - Revision: 3.1
Contact us for more help