Summary

In the process of defining the FDCC image, the National Institute of Standards and Technology (NIST) included several Federal and DoD Root and Intermediate X.509 certificates in the FDCC Vista Trusted Root and Intermediate Certification Authorities stores. Several of these certificates are cross-certified. When the Vista CryptoAPI (CAPI) is called by a process (e.g. Iexplore.exe validating a website's SSL certificate), the CAPI chaining engine attempts to retrieve the cross-signing certificates for every cross-certified certificate in the store. If the system is unable to reach the retrieval URL (stored in the certificate's Subject Information Access extension), the CAPI chaining engine times out after 15 seconds per attempt. This can cause slow performance in any application that calls CAPI.

FDCC cross-certified Intermediate Certification Authorities store certificates

Certificate Name                                          Serial Number
Betrusted Production SSP CA A1                            6114b0a100000000000a
Entrust Managed Services Root CA                          39c1bfb400000000001f
Exostar GovID SSP Certificate Authority                   4d082a0000000000001d
Entrust FBCA                                              584516fb00000000000b
ORC ACES Business                                         14c6e864000000000010
ORC ACES Unaffiliated                                     14cbc469000000000012
ORC ACES Government                                       14cbba28000000000011
NASA Operational CA                                       4ea2de3a000000000016
Social Security Administration Certification Authority    617627bd000000000021
VeriSign Shared Service Provider Intermediate CA          5e2bb7d600000000001a
CertiPath Bridge CA                                       451dc907
E-Commerce Root CA                                        42091753
DHS Root CA                                               42091859
DoD CLASS 3 Root CA                                       451dc766
DoD Interoperability Root CA 1                            451dd435
DoJ Root CA                                               4209185a
DST ACES CA X6                                            42091857
GPO PCA                                                   4209185b
CMS CA                                                    420916d7
EntrustCA                                                 4209186c
ORC Government ROOT                                       42091997
U.S. Department of State Root CA                          451dc88e
US Treasury Root CA                                       4209179a
USPTO_INTR_CA1                                            42091996
Wells Fargo Certificate Authority 01                      451dd4d8
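The following script is an added example written for this article, not code from the original article, NIST or Microsoft. It inventories the local Intermediate Certification Authorities store (Cert:\LocalMachine\CA), marks which certificates appear in the FDCC serial-number list above, and pulls the retrieval URLs out of each certificate's Subject Information Access extension (OID 1.3.6.1.5.5.7.1.11). The URLs are read with a small flat DER walk over the extension bytes (URIs are context tag [6], byte 0x86, IA5String) rather than relying on the OS formatter; that walker and the function names Read-DerUri and Get-SiaReport are this example's own. Certificates that are both in the list and carry a URL are the ones that can each cost a 15-second timeout when the URL is unreachable.

```powershell
# Added example: which Intermediate CA store certificates carry SIA retrieval
# URLs that the CAPI chaining engine may try to fetch. Run in an elevated
# PowerShell; the script only reads, it changes nothing.

# Serial numbers from the FDCC cross-certified table in the article (lower-case).
$FdccCrossCertified = @(
    '6114b0a100000000000a','39c1bfb400000000001f','4d082a0000000000001d',
    '584516fb00000000000b','14c6e864000000000010','14cbc469000000000012',
    '14cbba28000000000011','4ea2de3a000000000016','617627bd000000000021',
    '5e2bb7d600000000001a','451dc907','42091753','42091859','451dc766',
    '451dd435','4209185a','42091857','4209185b','420916d7','4209186c',
    '42091997','451dc88e','4209179a','42091996','451dd4d8'
)

$SiaOid = '1.3.6.1.5.5.7.1.11'   # id-pe-subjectInfoAccess (RFC 3280 section 4.2.2.2)

function Read-DerUri {
    # Flat TLV walk over DER: descend into constructed elements, skip primitive
    # ones, and collect every [6] uniformResourceIdentifier (tag 0x86) as ASCII.
    param([byte[]]$Data)
    $uris = @()
    $i = 0
    while ($i -lt ($Data.Length - 1)) {
        $tag = [int]$Data[$i]; $i++
        $len = [int]$Data[$i]; $i++
        if ($len -ge 0x80) {                      # long-form length
            $count = $len - 0x80; $len = 0
            for ($k = 0; ($k -lt $count) -and ($i -lt $Data.Length); $k++) {
                $len = $len * 256 + $Data[$i]; $i++
            }
        }
        if ($tag -eq 0x86) {                      # GeneralName URI, IA5String
            if (($i + $len) -le $Data.Length) {
                $uris += [System.Text.Encoding]::ASCII.GetString($Data, $i, $len)
            }
            $i += $len
        } elseif (($tag -band 0x20) -eq 0) {      # other primitive: skip its value
            $i += $len
        }
        # constructed element (0x20 bit set): its contents follow inline, keep walking
    }
    return ,$uris
}

function Get-SiaReport {
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\CA) {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SiaOid } | Select-Object -First 1
        $urls = @()
        if ($ext) { $urls = @(Read-DerUri -Data $ext.RawData) }   # RawData is the extnValue DER
        $serial = $cert.SerialNumber.ToLower()
        New-Object PSObject -Property @{
            Subject    = $cert.GetNameInfo('SimpleName', $false)
            Serial     = $serial
            InFdccList = ($FdccCrossCertified -contains $serial)
            SiaUrls    = ($urls -join ' ')
        }
    }
}

# Show everything that is either in the FDCC list or carries a retrieval URL.
Get-SiaReport | Where-Object { $_.InFdccList -or $_.SiaUrls } |
    Sort-Object InFdccList -Descending |
    Format-Table Subject, Serial, InFdccList, SiaUrls -AutoSize -Wrap
```

A certificate with InFdccList true and an empty SiaUrls column still matters: it can be the target of a retrieval from another certificate's cross-certificate pair, so the CAPI2 log (Method 2 below) remains the authoritative source for which retrievals actually time out.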


Symptoms

·         Connecting to SSL-enabled websites takes a long time or times out.

·         Applications are extremely slow and/or throw odd errors.

Cause

The Vista CAPI chaining engine is unable to pull a cross-signing certificate. Each chaining attempt times out after 15 seconds. If the computer's Intermediate Certification Authorities store contains multiple cross-signed certificates, the CAPI-calling application waits until every chaining attempt has either succeeded or timed out. This can make the application pause for extremely long periods or produce odd errors.

Example

A laptop connecting via a modem using the Cisco VPN client takes ~14 minutes to call the modem dialer, or produces the following error:

Secure VPN Connection terminated locally by the Client.

Reason 415: A required component PPPTool.exe is not present among the installed client software.

Connection terminated on: <date> Duration: <value>


Multiple errors are found in the CAPI2 event log (to enable the CAPI2 event log, start Eventvwr -> Application and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational -> right-click -> Enable Log). The CAPI chaining engine cannot reach the URL because the system is unable to communicate with the Internet. Note that the "ProcessName" is cvpnd.exe, which is the Cisco VPN service.

 

- System
  - Provider
      [ Name]         Microsoft-Windows-CAPI2
      [ Guid]         {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}
    EventID           24
    Channel           Microsoft-Windows-CAPI2/Operational
    <information removed>
  - Security
      [ UserID]       S-1-5-18
- UserData
  - CertCrossCertUrlRetrievalWire
    - SourceCertificate
        [ fileRef]      036D9D52108707CFDCE6AD6AB62DDDBCD5E7D67C.cer
        [ subjectName]  EntrustCA
      SyncDeltaTime     P7DT0H0M0S
    - URL               ldap://fpkia.gsa.gov/cn=EntrustCA,o=National%20Aeronautics%20and%20Space%20Administration,c=US?cACertificate;binary,crossCertificatePair;binary
        [ scheme]       ldap
    - EventAuxInfo
        [ ProcessName]  cvpnd.exe
    - CorrelationAuxInfo
        [ TaskId]       {6CA192A2-1D32-416E-97E8-14A63F6F11D5}
        [ SeqNumber]    236
    - Result            This operation returned because the timeout period expired.
        [ value]        5B4

Note: The Cisco VPN client software requires the following certificate in the computer's Trusted Root Certification Authorities store to establish a chain of trust (it is not included in the FDCC image; see Additional Information).

Version: 3

Serial Number: 01

Signature Algorithm:

    Algorithm ObjectId: 1.2.840.113549.1.1.4 md5RSA

    Algorithm Parameters:

    05 00

Issuer:

    E=premium-server@thawte.com

    CN=Thawte Premium Server CA

    OU=Certification Services Division

    O=Thawte Consulting cc

    L=Cape Town

    S=Western Cape

    C=ZA

 

NotBefore: 7/31/1996 8:00 PM

NotAfter: 12/31/2020 7:59 PM

 

Subject:

    E=premium-server@thawte.com

    CN=Thawte Premium Server CA

    OU=Certification Services Division

    O=Thawte Consulting cc

    L=Cape Town

    S=Western Cape

    C=ZA

Solutions

Method 1:

Microsoft is currently testing a hotfix that adds the ability to disable the cross-signed certificate chaining retrieval process. The hotfix is still under test and is not publicly released. Microsoft customers who have an Enterprise Agreement may obtain the hotfix through their Account Manager or, for Premier contract holders, their Technical Account Manager. Reference: KB Article Number 955805.

Method 2:

Enable the CAPI2 event log (Eventvwr -> Application and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational -> right-click -> Enable Log) to determine which certificates the chaining engine cannot retrieve. Then remove each such certificate from the computer's Intermediate Certification Authorities store.
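The script below is an added example that automates Method 2; it is not code from the original article, NIST, Microsoft or Cisco. It enables the CAPI2 Operational log, reads the cross-certificate retrieval events that ended in a timeout, and maps their subject names back to certificates in the Intermediate Certification Authorities store so that the certificate to remove is identified by thumbprint. The event XML shape it assumes is inferred from the Event Viewer view shown above: event ID 24 with a UserData/CertCrossCertUrlRetrievalWire element containing SourceCertificate (subjectName attribute), URL (text plus scheme attribute), EventAuxInfo (ProcessName attribute) and Result (value attribute, 5B4 for the timeout). The function names Get-CrossCertTimeout and Get-OffendingIntermediate and the -Remove switch are this example's own. Nothing is deleted unless the script is run with -Remove.

```powershell
# Added example: find the Intermediate CA certificates whose cross-cert URL
# retrieval timed out, from the CAPI2 Operational log, and optionally remove
# them (Method 2). Run in an elevated PowerShell.

param([switch]$Remove)

$LogName      = 'Microsoft-Windows-CAPI2/Operational'
$ErrorTimeout = '5B4'   # 0x5B4 = 1460 = ERROR_TIMEOUT, the Result value in the article's event

# Step 1: same effect as Event Viewer -> CAPI2 -> Operational -> Enable Log.
& wevtutil.exe sl $LogName /e:true

# Step 2: one object per cross-cert retrieval event that ended in a timeout.
function Get-CrossCertTimeout {
    $xpath  = "*[System[Provider[@Name='Microsoft-Windows-CAPI2'] and EventID=24]]"
    $events = @(Get-WinEvent -LogName $LogName -FilterXPath $xpath -ErrorAction SilentlyContinue)
    foreach ($ev in $events) {
        $data = ([xml]$ev.ToXml()).Event.UserData.CertCrossCertUrlRetrievalWire
        if (-not $data) { continue }                           # not the payload we want
        if ($data.Result.value -ne $ErrorTimeout) { continue } # retrieval did not time out
        New-Object PSObject -Property @{
            Time        = $ev.TimeCreated
            Process     = $data.EventAuxInfo.ProcessName
            SubjectName = $data.SourceCertificate.subjectName
            Url         = $data.URL.'#text'
        }
    }
}

# Step 3: resolve each failing subject name to the store certificate(s) behind it.
function Get-OffendingIntermediate {
    $byName = @(Get-CrossCertTimeout) | Group-Object SubjectName
    $store  = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        foreach ($g in $byName) {
            $hits = @($store.Certificates | Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $g.Name })
            foreach ($cert in $hits) {
                New-Object PSObject -Property @{
                    SubjectName = $g.Name
                    Serial      = $cert.SerialNumber
                    Thumbprint  = $cert.Thumbprint
                    Timeouts    = $g.Count
                    Processes   = (($g.Group | ForEach-Object { $_.Process } | Sort-Object -Unique) -join ',')
                    Urls        = (($g.Group | ForEach-Object { $_.Url } | Sort-Object -Unique) -join ' ')
                }
            }
        }
    } finally { $store.Close() }
}

$offenders = @(Get-OffendingIntermediate)
$offenders | Format-Table SubjectName, Serial, Timeouts, Processes, Urls -AutoSize -Wrap

# Step 4 (only with -Remove): delete by thumbprint, so a shared CN cannot
# take out the wrong certificate. Re-run the CAPI-calling application afterwards
# and confirm no new timeout events appear.
if ($Remove -and ($offenders.Count -gt 0)) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        foreach ($o in $offenders) {
            $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $o.Thumbprint }
            if ($cert) {
                $store.Remove($cert)
                Write-Host "Removed $($o.SubjectName) ($($o.Thumbprint))"
            }
        }
    } finally { $store.Close() }
}
```

Review the report before using -Remove: the Timeouts and Processes columns show which applications were actually stalled, and a certificate that an agency application still needs for its own chain building should be kept and the connectivity problem fixed instead.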

Additional Information

FDCC settings disable Windows Update's ability to populate a computer's Root Certification Authorities store. FDCC-compliant agencies will have to monitor and authorize certificates accordingly.

Policy Path:          Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings

Policy Setting Name:  Turn off Automatic Root Certificates Update

FDCC Windows Vista:   Enabled

FDCC Windows XP:      Enabled

CCE Reference:        CCE-858

Registry Setting:     HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot!DisableRootAutoUpdate

Description:          Specifies whether to automatically update root certificates using the Windows Update Web site. Typically, a certificate is used when you use a secure Web site or when you send and receive secure e-mail. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and organizations that it considers trusted authorities. If you enable this setting, when you are presented with a certificate issued by an untrusted root authority your computer will not contact the Windows Update Web site to see if Microsoft has added the CA to its list of trusted authorities. If you disable or do not configure this setting, your computer will contact the Windows Update Web site.

References

·         Certificates needed by Windows platforms: http://support.microsoft.com/kb/293781

·         FDCC version 1.0 settings: http://nvd.nist.gov/fdcc/FDCC-Settings-major-version-1.0.xls

·         Microsoft Root Certificate Program: http://support.microsoft.com/kb/931125

·         Deploying Certificates via Group Policy: http://technet.microsoft.com/en-us/library/cc770315.aspx

·         RFC 3280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile: http://www.ietf.org/rfc/rfc3280.txt