In the process of defining the FDCC image, the National Institute of Standards (NIST) included several Federal and DoD Root and Intermediate x509 certificates in the FDCC Vista Trusted Root and Intermediate Certification Authorities stores. Several of these certificates are cross-certified. When the Vista CryptoAPI (CAPI) is called by a process (e.g. Iexplore.exe validating a website’s SSL certificate), the CAPI chaining engine attempts to retrieve any certificate in the store cross-signing certificate. If the system is unable to reach the retrieval URL (stored in the certificate Subject Information Access extension) the CAPI chaining engine will timeout after 15 seconds. This can cause slow performance in applications that call the CAPI.
FDCC cross-certified Intermediate Certification Authorities store certificates
Betrusted Production SSP CA A1
Entrust Managed Services Root CA
Exostar GovID SSP Certificate Authority
ORC ACES Business
ORC ACES Unaffiliated
ORC ACES Government
NASA Operational CA
Social Security Administration Certification Authority
VeriSign Shared Service Provider Intermediate CA
CertiPath Bridge CA
E-Commerce Root CA
DHS Root CA
DoD CLASS 3 Root CA
DoD Interoperability Root CA 1
DoJ Root CA
DST ACES CA X6
ORC Government ROOT
U.S. Department of State Root CA
US Treasury Root CA
Wells Fargo Certificate Authority 01
· Connecting to SSL enable websites will take a long time or timeout.
· Applications will be extremely slow and/or throw odd errors.
The VISTA CAPI chaining engine is unable to pull a cross-signing certificate. Each chaining attempt will timeout after 15 seconds. If the computer’s Intermediate Certification Authorities store contains multiple cross-signed certificates the CAPI-calling application will wait until all chaining attempts have succeeded or timed out. This can cause the application to pause for extremely long periods or produce odd errors.
A laptop connecting via a modem using the Cisco VPN client will take ~14 minutes to call the modem dialer or produce the following error:
Secure VPN Connection terminated locally by the Client.
Reason 415: A required component PPPTool.exe is not present among the installed client software.
Connection terminated on: <date> Duration: <value>
Multiple errors are found within the CAPI2 event log. (to enable the CAPI2 eventlog start Eventvwr -> Application and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational -> right click Enable Log). The CAPI chaining engine cannot reach the URL because the system is unable to communicate to the Internet. Note that the “ProcessName” is cvpnd.exe which is the Cisco VPN service.
This operation returned because the timeout period expired.
Note: The Cisco VPN client software requires the following certificate in the computer’s Trusted Root Certification Authorities store to establish a chain of trust (not included in the FDCC image, see Additional Information).
Serial Number: 01
Algorithm ObjectId: 1.2.840.1135220.127.116.11 md5RSA
CN=Thawte Premium Server CA
OU=Certification Services Division
O=Thawte Consulting cc
NotBefore: 7/31/1996 8:00 PM
NotAfter: 12/31/2020 7:59 PM
Microsoft is currently testing a hotfix to provide the ability to disable the cross-signed certificate chaining retrieval process. This hotfix is currently undergoing testing and is not publicly released. Microsoft Customers who have an Enterprise Agreement may obtain the hotfix through their Account Manager or Technical Account Manager (Premier contract holders). Reference number: KB Article Number(s): 955805
Enable the CAPI2 event log (Eventvwr -> Application and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational -> right click Enable Log) to determine which certificates the chaining engine cannot retrieve. Remove the certificate from the computer’s Intermediate Certification Authorities store.
FDCC settings disable Windows Updates ability to populate a computer’s Root Certification Authorities stores. FDCC compliant agencies will have to monitor and authorize certificates accordingly.
Policy Setting Name
FDCC Windows Vista
FDCC Windows XP
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Turn off Automatic Root Certificates Update
Specifies whether to automatically update root certificates using the Windows Update Web site. Typically, a certificate is used when you use a secure Web site or when you send and receive secure e-mail. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and organizations that it considers trusted authorities. If you enable this setting, when you are presented with a certificate issued by an untrusted root authority your computer will not contact the Windows Update web site to see if Microsoft has added the CA to its list of trusted authorities. If you disable or do not configure this setting, your computer will contact the Windows Update Web site.
· Certificates needed by Windows platforms: http://support.microsoft.com/kb/293781
· FDCC version 1.0 settings: http://nvd.nist.gov/fdcc/FDCC-Settings-major-version-1.0.xls
· Microsoft Root Certificate Program: http://support.microsoft.com/kb/931125
· Deploying Certificates via Group Policy: http://technet.microsoft.com/en-us/library/cc770315.aspx
· RFC3280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile : http://www.ietf.org/rfc/rfc3280.txt