In the process of defining the FDCC image, the National Institute of Standards and Technology (NIST) included several Federal and DoD root and intermediate X.509 certificates in the FDCC Vista Trusted Root and Intermediate Certification Authorities stores. Several of these certificates are cross-certified. When the Vista CryptoAPI (CAPI) is called by a process (e.g. Iexplore.exe validating a website’s SSL certificate), the CAPI chaining engine attempts to retrieve the cross-signing certificate for each cross-certified certificate in the store. If the system is unable to reach the retrieval URL (stored in the certificate’s Subject Information Access extension), the CAPI chaining engine times out after 15 seconds per attempt. This can cause slow performance in any application that calls CAPI.
FDCC cross-certified Intermediate Certification Authorities store certificates

Certificate Name                                         Serial Number
Betrusted Production SSP CA A1                           6114b0a100000000000a
Entrust Managed Services Root CA                         39c1bfb400000000001f
Exostar GovID SSP Certificate Authority                  4d082a0000000000001d
Entrust FBCA                                             584516fb00000000000b
ORC ACES Business                                        14c6e864000000000010
ORC ACES Unaffiliated                                    14cbc469000000000012
ORC ACES Government                                      14cbba28000000000011
NASA Operational CA                                      4ea2de3a000000000016
Social Security Administration Certification Authority   617627bd000000000021
VeriSign Shared Service Provider Intermediate CA         5e2bb7d600000000001a
CertiPath Bridge CA                                      451dc907
E-Commerce Root CA                                       42091753
DHS Root CA                                              42091859
DoD CLASS 3 Root CA                                      451dc766
DoD Interoperability Root CA 1                           451dd435
DoJ Root CA                                              4209185a
DST ACES CA X6                                           42091857
GPO PCA                                                  4209185b
CMS CA                                                   420916d7
EntrustCA                                                4209186c
ORC Government ROOT                                      42091997
U.S. Department of State Root CA                         451dc88e
US Treasury Root CA                                      4209179a
USPTO_INTR_CA1                                           42091996
Wells Fargo Certificate Authority 01                     451dd4d8
· Connecting to SSL-enabled websites will take a long time or time out.
· Applications will be extremely slow and/or throw odd errors.
The Vista CAPI chaining engine is unable to pull a cross-signing certificate, and each chaining attempt times out after 15 seconds. If the computer’s Intermediate Certification Authorities store contains multiple cross-signed certificates, the CAPI-calling application waits until every chaining attempt has either succeeded or timed out. This can cause the application to pause for extremely long periods or produce odd errors.
A laptop connecting via a modem using the Cisco VPN client will take ~14 minutes to call the modem dialer or produce the following error:
Secure VPN Connection terminated locally by the Client.
Reason 415: A required component PPPTool.exe is not present among the installed client software.
Connection terminated on: <date> Duration: <value>
Multiple errors are found in the CAPI2 event log (to enable the CAPI2 event log, start Eventvwr -> Application and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational -> right-click -> Enable Log). The CAPI chaining engine cannot reach the URL because the system is unable to communicate with the Internet. Note that the “ProcessName” is cvpnd.exe, which is the Cisco VPN service.
System
    Provider
        [ Name]         Microsoft-Windows-CAPI2
        [ Guid]         {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}
    EventID             24
    Channel             Microsoft-Windows-CAPI2/Operational
    <information removed>
    Security
        [ UserID]       S-1-5-18
UserData
    CertCrossCertUrlRetrievalWire
        SourceCertificate
            [ fileRef]      036D9D52108707CFDCE6AD6AB62DDDBCD5E7D67C.cer
            [ subjectName]
        SyncDeltaTime       P7DT0H0M0S
        URL                 ldap://fpkia.gsa.gov/cn=EntrustCA,o=National%20Aeronautics%20and%20Space%20Administration,c=US?cACertificate;binary,crossCertificatePair;binary
            [ scheme]       ldap
        EventAuxInfo
            [ ProcessName]  cvpnd.exe
        CorrelationAuxInfo
            [ TaskId]       {6CA192A2-1D32-416E-97E8-14A63F6F11D5}
            [ SeqNumber]    236
        Result              This operation returned because the timeout period expired.
            [ value]        5B4
Note: The Cisco VPN client software requires the following certificate in the computer’s Trusted Root Certification Authorities store to establish a chain of trust (it is not included in the FDCC image; see Additional Information).
Version: 3
Serial Number: 01
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.4 md5RSA
Algorithm Parameters:
05 00
Issuer:
E=premium-server@thawte.com
CN=Thawte Premium Server CA
OU=Certification Services Division
O=Thawte Consulting cc
L=Cape Town
S=Western Cape
C=ZA
NotBefore: 7/31/1996 8:00 PM
NotAfter: 12/31/2020 7:59 PM
Subject:
Microsoft is currently testing a hotfix that provides the ability to disable the cross-signed certificate chaining retrieval process. The hotfix is still undergoing testing and is not publicly released. Microsoft customers who have an Enterprise Agreement may obtain the hotfix through their Account Manager or, for Premier contract holders, their Technical Account Manager. Reference: KB article number 955805.
Enable the CAPI2 event log (Eventvwr -> Application and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational -> right-click -> Enable Log) to determine which certificates the chaining engine cannot retrieve, then remove each such certificate from the computer’s Intermediate Certification Authorities store.
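The following script is an added example and is not part of the original article or any Microsoft or NIST tooling. It automates the triage step described above: it reads CAPI2 events exported to XML (Event Viewer "Save Events As" produces an <Events> root; wevtutil qe Microsoft-Windows-CAPI2/Operational /f:xml produces bare <Event> elements, and both forms are accepted), keeps only event ID 24 records whose Result value is 5B4 (the timeout shown in the log excerpt above), estimates how long each process spent waiting at 15 seconds per attempt, and lists the source certificates to review in the Intermediate Certification Authorities store. Element and attribute names are taken from the Friendly View rendering above; they are matched by local name so the Windows event namespace does not matter. The assumption that the 40-hex-digit fileRef is the certificate's SHA-1 thumbprint is marked in the code. The sample events are constructed: the first mirrors the article's excerpt, the others use placeholder thumbprints and an example.invalid URL.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

CROSS_CERT_RETRIEVAL_EVENT_ID = "24"  # event ID shown in the article's CAPI2 sample
ERROR_TIMEOUT = "5B4"                 # Result value in that sample (Win32 ERROR_TIMEOUT, 0x5B4)
CHAINING_TIMEOUT_SECONDS = 15         # per-attempt timeout stated in the article


def _local(tag):
    """Strip an XML namespace prefix: '{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def _find(elem, name):
    """First descendant of elem (document order) with the given local name, or None."""
    for child in elem.iter():
        if child is not elem and _local(child.tag) == name:
            return child
    return None


def _attr(elem, name):
    return elem.get(name, "") if elem is not None else ""


def _text(elem):
    return (elem.text or "").strip() if elem is not None else ""


def parse_cross_cert_events(xml_text):
    """One record per CAPI2 event 24 (CertCrossCertUrlRetrievalWire) in xml_text.

    Works for an <Events> root or a bare <Event> sequence: the text is wrapped
    in its own root (after dropping any leading XML declaration) before parsing.
    """
    if xml_text.lstrip().startswith("<?xml"):
        xml_text = xml_text.split("?>", 1)[1]
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    records = []
    for event in root.iter():
        if _local(event.tag) != "Event":
            continue
        if _text(_find(event, "EventID")) != CROSS_CERT_RETRIEVAL_EVENT_ID:
            continue
        data = _find(event, "CertCrossCertUrlRetrievalWire")
        if data is None:
            continue
        src, url, aux, result = (_find(data, n) for n in
                                 ("SourceCertificate", "URL", "EventAuxInfo", "Result"))
        records.append({
            "file_ref": _attr(src, "fileRef"),
            "url": _text(url),
            "scheme": _attr(url, "scheme"),
            "process": _attr(aux, "ProcessName"),
            "result_value": _attr(result, "value").upper(),
        })
    return records


def timed_out(records):
    """Retrieval attempts that ended with ERROR_TIMEOUT."""
    return [r for r in records if r["result_value"] == ERROR_TIMEOUT]


def delay_by_process(records):
    """Seconds each process spent waiting, at the article's 15 s per timed-out attempt."""
    delay = defaultdict(int)
    for r in timed_out(records):
        delay[r["process"]] += CHAINING_TIMEOUT_SECONDS
    return dict(delay)


def certificates_to_review(records):
    """Distinct source certificates whose cross-certificates could not be fetched.

    Assumption: the 40-hex-digit fileRef is the certificate's SHA-1 thumbprint,
    i.e. the key to locate it in the Intermediate Certification Authorities store.
    """
    return sorted({r["file_ref"] for r in timed_out(records)})


# Constructed sample: two cvpnd.exe timeouts (the first mirrors the article's
# excerpt), one successful retrieval by iexplore.exe, and an unrelated event 11.
SAMPLE_EVENTS = """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}"/>
    <EventID>24</EventID><Channel>Microsoft-Windows-CAPI2/Operational</Channel>
    <Security UserID="S-1-5-18"/></System>
  <UserData><CertCrossCertUrlRetrievalWire>
    <SourceCertificate fileRef="036D9D52108707CFDCE6AD6AB62DDDBCD5E7D67C.cer" subjectName=""/>
    <SyncDeltaTime>P7DT0H0M0S</SyncDeltaTime>
    <URL scheme="ldap">ldap://fpkia.gsa.gov/cn=EntrustCA,o=National%20Aeronautics%20and%20Space%20Administration,c=US?cACertificate;binary,crossCertificatePair;binary</URL>
    <EventAuxInfo ProcessName="cvpnd.exe"/>
    <CorrelationAuxInfo TaskId="{6CA192A2-1D32-416E-97E8-14A63F6F11D5}" SeqNumber="236"/>
    <Result value="5B4">This operation returned because the timeout period expired.</Result>
  </CertCrossCertUrlRetrievalWire></UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>24</EventID></System><UserData><CertCrossCertUrlRetrievalWire>
    <SourceCertificate fileRef="0000000000000000000000000000000000000001.cer"/>
    <URL scheme="http">http://example.invalid/crosscerts.p7c</URL><EventAuxInfo ProcessName="cvpnd.exe"/>
    <Result value="5B4">This operation returned because the timeout period expired.</Result>
  </CertCrossCertUrlRetrievalWire></UserData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>24</EventID></System><UserData><CertCrossCertUrlRetrievalWire>
    <SourceCertificate fileRef="0000000000000000000000000000000000000002.cer"/>
    <URL scheme="http">http://example.invalid/crosscerts.p7c</URL><EventAuxInfo ProcessName="iexplore.exe"/>
    <Result value="0">The operation completed successfully.</Result>
  </CertCrossCertUrlRetrievalWire></UserData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>11</EventID></System></Event>
"""

if __name__ == "__main__":
    recs = parse_cross_cert_events(SAMPLE_EVENTS)
    for proc, secs in delay_by_process(recs).items():
        print(f"{proc}: ~{secs} s waiting on cross-certificate retrieval")
    for ref in certificates_to_review(recs):
        print("review in Intermediate CA store:", ref)
```

Run it against a real export by replacing SAMPLE_EVENTS with the file contents; the per-process delay is a lower bound, since only attempts that actually logged a timeout are counted, and the certificate list is a review list, not an automatic removal list, because a cross-certified intermediate may still be needed once the network path is available.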
FDCC settings disable Windows Update’s ability to populate a computer’s Root Certification Authorities stores. FDCC-compliant agencies will have to monitor and authorize certificates accordingly.
Policy Path:          Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Policy Setting Name:  Turn off Automatic Root Certificates Update
FDCC Windows Vista:   Enabled
FDCC Windows XP:
CCE Reference:        CCE-858
Registry Setting:     HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot!DisableRootAutoUpdate
Description:          Specifies whether to automatically update root certificates using the Windows Update Web site. Typically, a certificate is used when you use a secure Web site or when you send and receive secure e-mail. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and organizations that it considers trusted authorities. If you enable this setting, when you are presented with a certificate issued by an untrusted root authority your computer will not contact the Windows Update web site to see if Microsoft has added the CA to its list of trusted authorities. If you disable or do not configure this setting, your computer will contact the Windows Update Web site.
· Certificates needed by Windows platforms: http://support.microsoft.com/kb/293781
· FDCC version 1.0 settings: http://nvd.nist.gov/fdcc/FDCC-Settings-major-version-1.0.xls
· Microsoft Root Certificate Program: http://support.microsoft.com/kb/931125
· Deploying Certificates via Group Policy: http://technet.microsoft.com/en-us/library/cc770315.aspx
· RFC 3280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile: http://www.ietf.org/rfc/rfc3280.txt