Application / Certificate Performance Issues with Vista and FDCC


Summary

In the process of defining the FDCC image, the National Institute of Standards and Technology (NIST) included several Federal and DoD Root and Intermediate X.509 certificates in the FDCC Vista Trusted Root and Intermediate Certification Authorities stores. Several of these certificates are cross-certified. When a process calls the Vista CryptoAPI (CAPI) (e.g. Iexplore.exe validating a website's SSL certificate), the CAPI chaining engine attempts to retrieve the cross-signing certificates for every cross-certified certificate in the store. If the system cannot reach the retrieval URL (stored in the certificate's Subject Information Access extension), the CAPI chaining engine times out after 15 seconds. This can cause slow performance in applications that call the CAPI.

FDCC cross-certified Intermediate Certification Authorities store certificates

Certificate Name                                          Serial Number
--------------------------------------------------------  --------------------
Betrusted Production SSP CA A1                            6114b0a100000000000a
Entrust Managed Services Root CA                          39c1bfb400000000001f
Exostar GovID SSP Certificate Authority                   4d082a0000000000001d
Entrust FBCA                                              584516fb00000000000b
ORC ACES Business                                         14c6e864000000000010
ORC ACES Unaffiliated                                     14cbc469000000000012
ORC ACES Government                                       14cbba28000000000011
NASA Operational CA                                       4ea2de3a000000000016
Social Security Administration Certification Authority    617627bd000000000021
VeriSign Shared Service Provider Intermediate CA          5e2bb7d600000000001a
CertiPath Bridge CA                                       451dc907
E-Commerce Root CA                                        42091753
DHS Root CA                                               42091859
DoD CLASS 3 Root CA                                       451dc766
DoD Interoperability Root CA 1                            451dd435
DoJ Root CA                                               4209185a
DST ACES CA X6                                            42091857
GPO PCA                                                   4209185b
CMS CA                                                    420916d7
EntrustCA                                                 4209186c
ORC Government ROOT                                       42091997
U.S. Department of State Root CA                          451dc88e
US Treasury Root CA                                       4209179a
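To find out which certificates in a given machine's Intermediate Certification Authorities stores carry a Subject Information Access retrieval URL, and whether that URL is reachable from the machine, the following Windows PowerShell script (an added example, not part of the original article) reads each certificate's SIA extension and probes each HTTP URL with a short timeout. It assumes Windows PowerShell 2.0 or later with the Cert: provider; the 3-second probe timeout is an assumed value chosen to be shorter than CAPI's own 15-second wait.

```powershell
# Added example (not from the original article): list certificates in the Intermediate
# Certification Authorities stores that carry a Subject Information Access (SIA) extension
# and probe each HTTP retrieval URL with a short timeout. A URL reported as UNREACHABLE
# is one the CAPI chaining engine will wait on (15 s per attempt).
$siaOid    = '1.3.6.1.5.5.7.1.11'   # id-pe-subjectInfoAccess
$timeoutMs = 3000                    # probe timeout (assumed value); CAPI itself waits 15 s

$results = foreach ($store in 'Cert:\LocalMachine\CA', 'Cert:\CurrentUser\CA') {
    foreach ($cert in Get-ChildItem -Path $store) {
        $sia = $cert.Extensions | Where-Object { $_.Oid.Value -eq $siaOid } | Select-Object -First 1
        if (-not $sia) { continue }
        # Format($true) renders the decoded extension as text containing "URL=..." entries.
        $urls = [regex]::Matches($sia.Format($true), '(?i)\b(https?|ldap)://[^\s,)]+') |
                ForEach-Object { $_.Value } | Select-Object -Unique
        foreach ($url in $urls) {
            $status = 'not probed (non-HTTP)'
            if ($url -match '^(?i)https?://') {
                try {
                    $req = [System.Net.WebRequest]::Create($url)
                    $req.Method  = 'HEAD'
                    $req.Timeout = $timeoutMs
                    $resp = $req.GetResponse()
                    $status = "reachable (HTTP $([int]$resp.StatusCode))"
                    $resp.Close()
                } catch {
                    $status = "UNREACHABLE: $($_.Exception.Message)"
                }
            }
            # One row per certificate/URL pair; New-Object keeps this PowerShell 2.0 compatible.
            New-Object PSObject -Property @{
                Store   = $store
                Subject = $cert.Subject
                Serial  = $cert.SerialNumber
                SiaUrl  = $url
                Status  = $status
            }
        }
    }
}
$results | Sort-Object Status | Format-Table Store, Subject, Serial, SiaUrl, Status -AutoSize
```

Run it from the same network position as the affected users, since a URL that is reachable from an administrator's workstation may be blocked from the client's segment.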