Przejdź do głównej zawartości
Pomoc techniczna
Zaloguj się przy użyciu konta Microsoft
Zaloguj się lub utwórz konto.
Witaj,
Wybierz inne konto.
Masz wiele kont
Wybierz konto, za pomocą którego chcesz się zalogować.
angielski
Przepraszamy, ten artykuł nie jest dostępny w Twoim języku.

Problem description

If a certificate that has the subject information access (SIA) extension is installed on a Windows Vista Service Pack 1 (SP1)-based or Windows Server 2008-based computer, applications that involve certificate validation become very slow. For example, you may experience a delay of two to five minutes when you visit a secure Web site or when you verify a file signature.

Cause

This problem is caused by the functionality of retrieving cross-certificates based on information that is present in the SIA extension in a certificate. The functionality makes sure that cross-certificates are available before a path is created to a trusted root certification authority (CA).

SIA is an optional certificate extension, and SIA is present in specific certificates, such as certificates that are cross-certified with a bridge CA. The functionality assumes that servers that are hosting the cross-certificates are always online. However, a slow network or an offline server can cause a long retrieval time. Therefore, you may experience delays during the certificate validation. This problem occurs only when certificates that have a SIA extension are in the intermediate CA certificate store of the computer or in the trusted root CA certificate store of the computer. However, this issue affects every certificate validation on the computer.

Resolution

Update information

The following files are available for download from the Microsoft Download Center:

Update for Windows Server 2008 (KB955805)

DownloadDownload the 955805 package now.

Update for Windows Server 2008 for Itanium-based Systems (KB955805)

DownloadDownload the 955805 package now.

Update for Windows Server 2008 x64 Edition (KB955805)

DownloadDownload the 955805 package now.

Update for Windows Vista (KB955805)

DownloadDownload the 955805 package now.

Update for Windows Vista for x64-based Systems (KB955805)


DownloadDownload the 955805 package now.

Hotfix information

A hotfix is available to resolve this issue. This hotfix disables this automatic cross-certificate retrieval functionality. To re-enable the automatic cross-certificate retrieval functionality after you install this hotfix, you have to change the registry.

Important Windows Vista and Windows Server 2008 hotfixes are included in the same packages. However, only one of these products may be listed on the “Hotfix Request” page. To request the hotfix package that applies to both Windows Vista and Windows Server 2008, just select the product that is listed on the page.

Prerequisites

To apply this hotfix, the computer must run Windows Vista Service Pack 1 or Windows Server 2008.

Restart requirement

You may have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other previously released hotfixes.

Registry information

After the installation of this hotfix, to have us re-enable the SIA feature for you, go to the “Fix it for me” section. If you would rather re-enable the SIA feature yourself, go to the “Let me fix it myself” section.

Fix it for me

To re-enable the SIA feature automatically, click the Fix this problem link. Then click Run in the File Download dialog box, and follow the steps in this wizard.





Note This wizard may be in English only; however, the automatic fix also works for other language versions of Windows.

Note If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD, and then you can run it on the computer that has the problem.

Now go to the "Did this fix the problem?" section.

Let me fix it myself

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in WindowsTo re-enable the SIA feature after the installation of this hotfix, follow these steps.

  1. Click Start, type
    regedit in the Start Search box, and then click OK.

  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\

  3. On the Edit menu, point to New, and then click Key.

  4. Type ChainEngine, and then press ENTER.

  5. On the Edit menu, point to New, and then click Key.

  6. Type Config, and then press ENTER.

  7. On the Edit menu, point to New, and then click DWORD Value.

  8. Type Options, and then press ENTER.

  9. Double-click the Options registry entry, type
    4 in the Value data box, and then click
    OK.

  10. Exit Registry Editor.

Now go to the "Did this fix the problem?" section.

Did this fix the problem?

Check whether the problem is fixed. If the problem is fixed, you are finished with this article. If the problem is not fixed, you can contact support.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Vista and Windows Server 2008 file information note

The .manifest files and the .mum files that are installed in each environment are listed separately in the "Additional file information for Windows Server 2008 and for Windows Vista" section. These files and their associated .cat (security catalog) files are critical to maintaining the state of the updated component. The .cat files are signed with a Microsoft digital signature. The attributes of these security files are not listed.

For all supported 32-bit versions of Windows Server 2008

File name

File version

File size

Date

Time

Platform

Crypt32.dll

6.0.6001.22254

977,920

29-Aug-2008

04:00

x86

For all supported 64-bit versions of Windows Server 2008

File name

File version

File size

Date

Time

Platform

Crypt32.dll

6.0.6001.22254

1,254,912

29-Aug-2008

05:15

x64

Crypt32.dll

6.0.6001.22254

977,920

29-Aug-2008

04:00

x86

For all supported Itanium-based versions of Windows Server 2008

File name

File version

File size

Date

Time

Platform

Crypt32.dll

6.0.6001.22254

2,372,608

29-Aug-2008

05:13

IA-64

Crypt32.dll

6.0.6001.22254

977,920

29-Aug-2008

04:00

x86

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More information

In Windows Server 2008 and in Windows Vista, the Cryptography API 2 (CAPI2) automatically downloads cross-certificates by using URLs in the SIA extension. A chain engine enumerates all roots and certificates in a CA store that chains to trusted roots. It does this to look for the SIA extension (or property). If the SIA is found, CAPI2 tries to download cross certificates. This behavior may cause a long delay when the computer cannot access the URLs in the SIA extension in a short time.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Additional file information for Windows Server 2008 and for Windows Vista

Additional files for all supported 32-bit versions of Windows Server 2008 and Windows Vista

File name

Package_1_for_kb955805~31bf3856ad364e35~x86~~6.0.1.0.mum

File version

Not Applicable

File size

1,779

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_2_for_kb955805~31bf3856ad364e35~x86~~6.0.1.0.mum

File version

Not Applicable

File size

1,946

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_3_for_kb955805~31bf3856ad364e35~x86~~6.0.1.0.mum

File version

Not Applicable

File size

1,784

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_4_for_kb955805~31bf3856ad364e35~x86~~6.0.1.0.mum

File version

Not Applicable

File size

1,784

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_client_1~31bf3856ad364e35~x86~~6.0.1.0.mum

File version

Not Applicable

File size

1,367

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_client~31bf3856ad364e35~x86~~6.0.1.0.mum

File version

Not Applicable

File size

1,431

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_sc_0~31bf3856ad364e35~x86~~6.0.1.0.mum

File version

Not Applicable

File size

1,421

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_sc~31bf3856ad364e35~x86~~6.0.1.0.mum

File version

Not Applicable

File size

1,423

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_server_0~31bf3856ad364e35~x86~~6.0.1.0.mum

File version

Not Applicable

File size

1,425

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_server~31bf3856ad364e35~x86~~6.0.1.0.mum

File version

Not Applicable

File size

1,431

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_winpesrv_0~31bf3856ad364e35~x86~~6.0.1.0.mum

File version

Not Applicable

File size

1,422

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_winpesrv~31bf3856ad364e35~x86~~6.0.1.0.mum

File version

Not Applicable

File size

1,429

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

X86_9fe9aeb43d4290e3c73a349b6d303a97_31bf3856ad364e35_6.0.6001.22254_none_c9b218e2d3efef09.manifest

File version

Not Applicable

File size

699

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

X86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6001.22254_none_5bc75218f71654dc.manifest

File version

Not Applicable

File size

7,228

Date (UTC)

29-Aug-2008

Time (UTC)

04:29

Platform

Not Applicable

Additional files for all supported 64-bit versions of Windows Server 2008 and Windows Vista

File name

Amd64_36fcc3f9500ec0fbf8fbc79841952b27_31bf3856ad364e35_6.0.6001.22254_none_e0d6d65867ae59b8.manifest

File version

Not Applicable

File size

1,046

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Amd64_f94a397aadfcac4418337f502abe8c47_31bf3856ad364e35_6.0.6001.22254_none_f060990261fcbc94.manifest

File version

Not Applicable

File size

703

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Amd64_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6001.22254_none_b7e5ed9caf73c612.manifest

File version

Not Applicable

File size

7,258

Date (UTC)

29-Aug-2008

Time (UTC)

06:11

Platform

Not Applicable

File name

Package_1_for_kb955805~31bf3856ad364e35~amd64~~6.0.1.0.mum

File version

Not Applicable

File size

1,789

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_2_for_kb955805~31bf3856ad364e35~amd64~~6.0.1.0.mum

File version

Not Applicable

File size

2,175

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_3_for_kb955805~31bf3856ad364e35~amd64~~6.0.1.0.mum

File version

Not Applicable

File size

2,011

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_4_for_kb955805~31bf3856ad364e35~amd64~~6.0.1.0.mum

File version

Not Applicable

File size

2,011

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_client_1~31bf3856ad364e35~amd64~~6.0.1.0.mum

File version

Not Applicable

File size

1,375

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_client~31bf3856ad364e35~amd64~~6.0.1.0.mum

File version

Not Applicable

File size

1,439

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_sc_0~31bf3856ad364e35~amd64~~6.0.1.0.mum

File version

Not Applicable

File size

1,429

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_sc~31bf3856ad364e35~amd64~~6.0.1.0.mum

File version

Not Applicable

File size

1,431

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_server_0~31bf3856ad364e35~amd64~~6.0.1.0.mum

File version

Not Applicable

File size

1,433

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_server~31bf3856ad364e35~amd64~~6.0.1.0.mum

File version

Not Applicable

File size

1,439

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_winpesrv_0~31bf3856ad364e35~amd64~~6.0.1.0.mum

File version

Not Applicable

File size

1,430

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_winpesrv~31bf3856ad364e35~amd64~~6.0.1.0.mum

File version

Not Applicable

File size

1,437

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

X86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6001.22254_none_5bc75218f71654dc.manifest

File version

Not Applicable

File size

7,228

Date (UTC)

29-Aug-2008

Time (UTC)

04:29

Platform

Not Applicable

Additional files for all supported Itanium-based versions of Windows Server 2008

File name

Ia64_1639e697b03953d38bc40d6bde93b1dc_31bf3856ad364e35_6.0.6001.22254_none_ecd574e39f43d33e.manifest

File version

Not Applicable

File size

701

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Ia64_42ce699f96fabd9e8e92df60e9315940_31bf3856ad364e35_6.0.6001.22254_none_6271b4764d92c3a3.manifest

File version

Not Applicable

File size

1,044

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Ia64_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6001.22254_none_5bc8f60ef7145dd8.manifest

File version

Not Applicable

File size

7,243

Date (UTC)

29-Aug-2008

Time (UTC)

05:57

Platform

Not Applicable

File name

Package_1_for_kb955805~31bf3856ad364e35~ia64~~6.0.1.0.mum

File version

Not Applicable

File size

1,784

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_2_for_kb955805~31bf3856ad364e35~ia64~~6.0.1.0.mum

File version

Not Applicable

File size

2,006

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_3_for_kb955805~31bf3856ad364e35~ia64~~6.0.1.0.mum

File version

Not Applicable

File size

2,006

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_sc_0~31bf3856ad364e35~ia64~~6.0.1.0.mum

File version

Not Applicable

File size

1,425

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_sc~31bf3856ad364e35~ia64~~6.0.1.0.mum

File version

Not Applicable

File size

1,426

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_server_0~31bf3856ad364e35~ia64~~6.0.1.0.mum

File version

Not Applicable

File size

1,429

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_server~31bf3856ad364e35~ia64~~6.0.1.0.mum

File version

Not Applicable

File size

1,434

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_winpesrv_0~31bf3856ad364e35~ia64~~6.0.1.0.mum

File version

Not Applicable

File size

1,426

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

Package_for_kb955805_winpesrv~31bf3856ad364e35~ia64~~6.0.1.0.mum

File version

Not Applicable

File size

1,433

Date (UTC)

29-Aug-2008

Time (UTC)

22:28

Platform

Not Applicable

File name

X86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6001.22254_none_5bc75218f71654dc.manifest

File version

Not Applicable

File size

7,228

Date (UTC)

29-Aug-2008

Time (UTC)

04:29

Platform

Not Applicable

Potrzebujesz dalszej pomocy?

Chcesz uzyskać więcej opcji?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Czy te informacje były pomocne?

Co wpłynęło na Twoje wrażenia?
Jeśli naciśniesz pozycję „Wyślij”, Twoja opinia zostanie użyta do ulepszania produktów i usług firmy Microsoft. Twój administrator IT będzie mógł gromadzić te dane. Oświadczenie o ochronie prywatności.

Dziękujemy za opinię!

×