Certain applications become very slow on a Windows Server 2008-based or Windows Vista SP1-based computer when a certificate with the SIA extension is installed

If a certificate that has the subject information access (SIA) extension is installed on a Windows Vista Service Pack 1 (SP1)-based or Windows Server 2008-based computer, applications that involve certificate validation become very slow. For example, you may experience a delay of two to five minutes when you visit a secure Web site or when you verify a file signature.

This problem is caused by the functionality of retrieving cross-certificates based on information that is present in the SIA extension in a certificate. The functionality makes sure that cross-certificates are available before a path is created to a trusted root certification authority (CA).

SIA is an optional certificate extension, and SIA is present in specific certificates, such as certificates that are cross-certified with a bridge CA. The functionality assumes that servers that are hosting the cross-certificates are always online. However, a slow network or an offline server can cause a long retrieval time. Therefore, you may experience delays during the certificate validation. This problem occurs only when certificates that have a SIA extension are in the intermediate CA certificate store of the computer or in the trusted root CA certificate store of the computer. However, this issue affects every certificate validation on the computer.

Update information

The following files are available for download from the Microsoft Download Center:

Update for Windows Server 2008 (KB955805)

Download the 955805 package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=4689EC96-8B63-4961-ABAF-651FBF7DF194)

Update for Windows Server 2008 for Itanium-based Systems (KB955805)

Download the 955805 package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=4124630C-E041-4725-9A6E-0B4A6C292DDE)

Update for Windows Server 2008 x64 Edition (KB955805)

Download the 955805 package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=A24EFAC2-F301-4EA9-907F-FE1E366DBABE)

Update for Windows Vista (KB955805)

Download the 955805 package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=365AA4E8-C8CF-485F-A81C-2E361F271A9B)

Update for Windows Vista for x64-based Systems (KB955805)

Download the 955805 package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=585FFADC-4FC3-4FE1-9DC0-CC10218B15A3)

Hotfix information

A hotfix is available to resolve this issue. This hotfix disables this automatic cross-certificate retrieval functionality. To re-enable the automatic cross-certificate retrieval functionality after you install this hotfix, you have to change the registry.

Important Windows Vista and Windows Server 2008 hotfixes are included in the same packages. However, only one of these products may be listed on the “Hotfix Request” page. To request the hotfix package that applies to both Windows Vista and Windows Server 2008, just select the product that is listed on the page.

Prerequisites

To apply this hotfix, the computer must run Windows Vista Service Pack 1 or Windows Server 2008.

Restart requirement

You may have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other previously released hotfixes.

Registry information

After the installation of this hotfix, to have us re-enable the SIA feature for you, go to the “Fix it for me” section. If you would rather re-enable the SIA feature yourself, go to the “Let me fix it myself” section.

Fix it for me

To re-enable the SIA feature automatically, click the Fix this problem link. Then click Run in the File Download dialog box, and follow the steps in this wizard.



Note This wizard may be in English only; however, the automatic fix also works for other language versions of Windows.

Note If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD, and then you can run it on the computer that has the problem.

Now go to the "Did this fix the problem?" section.

Let me fix it myself

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: To re-enable the SIA feature after the installation of this hotfix, follow these steps.

1. Click Start, type regedit in the Start Search box, and then click OK.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\
3. On the Edit menu, point to New, and then click Key.
4. Type ChainEngine, and then press ENTER.
5. On the Edit menu, point to New, and then click Key.
6. Type Config, and then press ENTER.
7. On the Edit menu, point to New, and then click DWORD Value.
8. Type Options, and then press ENTER.
9. Double-click the Options registry entry, type 4 in the Value data box, and then click OK.
10. Exit Registry Editor.

Now go to the "Did this fix the problem?" section.

Did this fix the problem?

Check whether the problem is fixed. If the problem is fixed, you are finished with this article. If the problem is not fixed, you can contact support (http://support.microsoft.com/contactus) .

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Vista and Windows Server 2008 file information note

The .manifest files and the .mum files that are installed in each environment are listed separately in the "Additional file information for Windows Server 2008 and for Windows Vista" section. These files and their associated .cat (security catalog) files are critical to maintaining the state of the updated component. The .cat files are signed with a Microsoft digital signature. The attributes of these security files are not listed.

For all supported 32-bit versions of Windows Server 2008

For all supported 64-bit versions of Windows Server 2008

For all supported Itanium-based versions of Windows Server 2008

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

In Windows Server 2008 and in Windows Vista, the Cryptography API 2 (CAPI2) automatically downloads cross-certificates by using URLs in the SIA extension. A chain engine enumerates all roots and certificates in a CA store that chains to trusted roots. It does this to look for the SIA extension (or property). If the SIA is found, CAPI2 tries to download cross certificates. This behavior may cause a long delay when the computer cannot access the URLs in the SIA extension in a short time.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Additional file information for Windows Server 2008 and for Windows Vista

Additional files for all supported 32-bit versions of Windows Server 2008 and Windows Vista

Additional files for all supported 64-bit versions of Windows Server 2008 and Windows Vista

Additional files for all supported Itanium-based versions of Windows Server 2008