Application / Certificate Performance Issues with Vista and FDCC

Summary

In the process of defining the FDCC image, the National Institute of Standards (NIST) included several Federal and DoD Root and Intermediate x509 certificates in the FDCC Vista Trusted Root and Intermediate Certification Authorities stores. Several of these certificates are cross-certified. When the Vista CryptoAPI (CAPI) is called by a process (e.g. Iexplore.exe validating a website’s SSL certificate), the CAPI chaining engine attempts to retrieve any certificate in the store cross-signing certificate. If the system is unable to reach the retrieval URL (stored in the certificate Subject Information Access extension) the CAPI chaining engine will timeout after 15 seconds. This can cause slow performance in applications that call the CAPI.

FDCC cross-certified Intermediate Certification Authorities store certificates