Problem description
If a certificate that has the subject information access (SIA) extension is installed on a Windows Vista Service Pack 1 (SP1)-based or Windows Server 2008-based computer, applications that involve certificate validation become very slow. For example, you may experience a delay of two to five minutes when you visit a secure Web site or when you verify a file signature.
Cause
This problem is caused by the functionality of retrieving cross-certificates based on information that is present in the SIA extension in a certificate. The functionality makes sure that cross-certificates are available before a path is created to a trusted root certification authority (CA).
SIA is an optional certificate extension, and SIA is present in specific certificates, such as certificates that are cross-certified with a bridge CA. The functionality assumes that servers that are hosting the cross-certificates are always online. However, a slow network or an offline server can cause a long retrieval time. Therefore, you may experience delays during the certificate validation. This problem occurs only when certificates that have a SIA extension are in the intermediate CA certificate store of the computer or in the trusted root CA certificate store of the computer. However, this issue affects every certificate validation on the computer.
Resolution
Update information
The following files are available for download from the Microsoft Download Center:
Update for Windows Server 2008 (KB955805): Download the 955805 package now.
Update for Windows Server 2008 for Itanium-based Systems (KB955805): Download the 955805 package now.
Update for Windows Server 2008 x64 Edition (KB955805): Download the 955805 package now.
Update for Windows Vista (KB955805): Download the 955805 package now.
Update for Windows Vista for x64-based Systems (KB955805): Download the 955805 package now.
Hotfix information
A hotfix is available to resolve this issue. This hotfix disables this automatic cross-certificate retrieval functionality. To re-enable the automatic cross-certificate retrieval functionality after you install this hotfix, you have to change the registry.
Important: Windows Vista and Windows Server 2008 hotfixes are included in the same packages. However, only one of these products may be listed on the “Hotfix Request” page. To request the hotfix package that applies to both Windows Vista and Windows Server 2008, just select the product that is listed on the page.
Prerequisites
To apply this hotfix, the computer must run Windows Vista Service Pack 1 or Windows Server 2008.
Restart requirement
You may have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other previously released hotfixes.
Registry information
After the installation of this hotfix, to have us re-enable the SIA feature for you, go to the “Fix it for me” section. If you would rather re-enable the SIA feature yourself, go to the “Let me fix it myself” section.
Fix it for me
To re-enable the SIA feature automatically, click the Fix this problem link. Then click Run in the File Download dialog box, and follow the steps in this wizard.
Note: This wizard may be in English only; however, the automatic fix also works for other language versions of Windows.
Note: If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD, and then you can run it on the computer that has the problem.
Now go to the "Did this fix the problem?" section.
Let me fix it myself
Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To re-enable the SIA feature after the installation of this hotfix, follow these steps.
1. Click Start, type regedit in the Start Search box, and then click OK.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\
3. On the Edit menu, point to New, and then click Key.
4. Type ChainEngine, and then press ENTER.
5. On the Edit menu, point to New, and then click Key.
6. Type Config, and then press ENTER.
7. On the Edit menu, point to New, and then click DWORD Value.
8. Type Options, and then press ENTER.
9. Double-click the Options registry entry, type 4 in the Value data box, and then click OK.
10. Exit Registry Editor.
Now go to the "Did this fix the problem?" section.
Did this fix the problem?
Check whether the problem is fixed. If the problem is fixed, you are finished with this article. If the problem is not fixed, you can contact support.
File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Vista and Windows Server 2008 file information note
The .manifest files and the .mum files that are installed in each environment are listed separately in the "Additional file information for Windows Server 2008 and for Windows Vista" section. These files and their associated .cat (security catalog) files are critical to maintaining the state of the updated component. The .cat files are signed with a Microsoft digital signature. The attributes of these security files are not listed.
For all supported 32-bit versions of Windows Server 2008
File name | File version | File size | Date | Time | Platform |
---|---|---|---|---|---|
Crypt32.dll | 6.0.6001.22254 | 977,920 | 29-Aug-2008 | 04:00 | x86 |
For all supported 64-bit versions of Windows Server 2008
File name | File version | File size | Date | Time | Platform |
---|---|---|---|---|---|
Crypt32.dll | 6.0.6001.22254 | 1,254,912 | 29-Aug-2008 | 05:15 | x64 |
Crypt32.dll | 6.0.6001.22254 | 977,920 | 29-Aug-2008 | 04:00 | x86 |
For all supported Itanium-based versions of Windows Server 2008
File name | File version | File size | Date | Time | Platform |
---|---|---|---|---|---|
Crypt32.dll | 6.0.6001.22254 | 2,372,608 | 29-Aug-2008 | 05:13 | IA-64 |
Crypt32.dll | 6.0.6001.22254 | 977,920 | 29-Aug-2008 | 04:00 | x86 |
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
More information
In Windows Server 2008 and in Windows Vista, the Cryptography API 2 (CAPI2) automatically downloads cross-certificates by using URLs in the SIA extension. A chain engine enumerates all roots and all certificates in a CA store that chain to trusted roots. It does this to look for the SIA extension (or property). If the SIA is found, CAPI2 tries to download cross-certificates. This behavior may cause a long delay when the computer cannot access the URLs in the SIA extension in a short time.
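As an added example (not part of the original article and not Microsoft's code), the PowerShell below checks the two conditions the article describes: certificates that carry an SIA extension in the computer's intermediate CA and trusted root CA stores, and the current Options value under the ChainEngine\Config subkey from the "Let me fix it myself" steps. It assumes PowerShell 2.0 or later; the function names are illustrative, and the OID 1.3.6.1.5.5.7.1.11 is the standard SIA identifier from RFC 5280 rather than a value given on this page.

```powershell
# Added example (not from the KB article). Assumes PowerShell 2.0 or later, run locally.
# OID of the subject information access (SIA) extension (RFC 5280, id-pe 11).
$SiaOid = '1.3.6.1.5.5.7.1.11'

# Registry location and value name taken from the article's "Let me fix it myself" steps.
$ConfigKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config'

function Get-SiaCertificate {
    # Lists certificates carrying an SIA extension in the two machine stores
    # the article names: intermediate CAs (CA) and trusted roots (Root).
    foreach ($store in 'CA', 'Root') {
        foreach ($cert in Get-ChildItem "Cert:\LocalMachine\$store") {
            foreach ($ext in $cert.Extensions) {
                if ($ext.Oid.Value -eq $SiaOid) {
                    New-Object PSObject -Property @{
                        Store      = $store
                        Subject    = $cert.Subject
                        Thumbprint = $cert.Thumbprint
                        NotAfter   = $cert.NotAfter
                        # Decoded extension text; includes the access-location URLs.
                        SiaText    = $ext.Format($false)
                    }
                }
            }
        }
    }
}

function Get-SiaRetrievalOption {
    # Returns the Options DWORD, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $ConfigKey -Name Options -ErrorAction SilentlyContinue
    if ($item) { $item.Options } else { $null }
}

$found  = @(Get-SiaCertificate)
$option = Get-SiaRetrievalOption

$found | Format-List Store, Subject, Thumbprint, NotAfter, SiaText
"Certificates with SIA in CA/Root stores: $($found.Count)"
if ($null -eq $option) {
    'ChainEngine\Config\Options is not set.'
} else {
    "ChainEngine\Config\Options = $option (the article sets 4 to re-enable retrieval)."
}
```

A count of zero means the precondition the article gives for the delay is not present on that computer; a non-zero count together with Options set to 4 on a hotfixed system means automatic cross-certificate retrieval has been re-enabled.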
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
Additional file information for Windows Server 2008 and for Windows Vista
Additional files for all supported 32-bit versions of Windows Server 2008 and Windows Vista
File name | File version | File size | Date (UTC) | Time (UTC) | Platform |
---|---|---|---|---|---|
Package_1_for_kb955805~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,779 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_2_for_kb955805~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,946 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_3_for_kb955805~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,784 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_4_for_kb955805~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,784 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_client_1~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,367 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_client~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,431 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_sc_0~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,421 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_sc~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,423 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_server_0~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,425 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_server~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,431 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_winpesrv_0~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,422 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_winpesrv~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,429 | 29-Aug-2008 | 22:28 | Not Applicable |
X86_9fe9aeb43d4290e3c73a349b6d303a97_31bf3856ad364e35_6.0.6001.22254_none_c9b218e2d3efef09.manifest | Not Applicable | 699 | 29-Aug-2008 | 22:28 | Not Applicable |
X86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6001.22254_none_5bc75218f71654dc.manifest | Not Applicable | 7,228 | 29-Aug-2008 | 04:29 | Not Applicable |
Additional files for all supported 64-bit versions of Windows Server 2008 and Windows Vista
File name | File version | File size | Date (UTC) | Time (UTC) | Platform |
---|---|---|---|---|---|
Amd64_36fcc3f9500ec0fbf8fbc79841952b27_31bf3856ad364e35_6.0.6001.22254_none_e0d6d65867ae59b8.manifest | Not Applicable | 1,046 | 29-Aug-2008 | 22:28 | Not Applicable |
Amd64_f94a397aadfcac4418337f502abe8c47_31bf3856ad364e35_6.0.6001.22254_none_f060990261fcbc94.manifest | Not Applicable | 703 | 29-Aug-2008 | 22:28 | Not Applicable |
Amd64_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6001.22254_none_b7e5ed9caf73c612.manifest | Not Applicable | 7,258 | 29-Aug-2008 | 06:11 | Not Applicable |
Package_1_for_kb955805~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,789 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_2_for_kb955805~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 2,175 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_3_for_kb955805~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 2,011 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_4_for_kb955805~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 2,011 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_client_1~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,375 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_client~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,439 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_sc_0~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,429 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_sc~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,431 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_server_0~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,433 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_server~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,439 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_winpesrv_0~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,430 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_winpesrv~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,437 | 29-Aug-2008 | 22:28 | Not Applicable |
X86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6001.22254_none_5bc75218f71654dc.manifest | Not Applicable | 7,228 | 29-Aug-2008 | 04:29 | Not Applicable |
Additional files for all supported Itanium-based versions of Windows Server 2008
File name | File version | File size | Date (UTC) | Time (UTC) | Platform |
---|---|---|---|---|---|
Ia64_1639e697b03953d38bc40d6bde93b1dc_31bf3856ad364e35_6.0.6001.22254_none_ecd574e39f43d33e.manifest | Not Applicable | 701 | 29-Aug-2008 | 22:28 | Not Applicable |
Ia64_42ce699f96fabd9e8e92df60e9315940_31bf3856ad364e35_6.0.6001.22254_none_6271b4764d92c3a3.manifest | Not Applicable | 1,044 | 29-Aug-2008 | 22:28 | Not Applicable |
Ia64_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6001.22254_none_5bc8f60ef7145dd8.manifest | Not Applicable | 7,243 | 29-Aug-2008 | 05:57 | Not Applicable |
Package_1_for_kb955805~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,784 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_2_for_kb955805~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 2,006 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_3_for_kb955805~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 2,006 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_sc_0~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,425 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_sc~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,426 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_server_0~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,429 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_server~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,434 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_winpesrv_0~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,426 | 29-Aug-2008 | 22:28 | Not Applicable |
Package_for_kb955805_winpesrv~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,433 | 29-Aug-2008 | 22:28 | Not Applicable |
X86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6001.22254_none_5bc75218f71654dc.manifest | Not Applicable | 7,228 | 29-Aug-2008 | 04:29 | Not Applicable |