Summary
While defining the FDCC image, the National Institute of Standards and Technology (NIST) included several Federal and DoD root and intermediate X.509 certificates in the FDCC Vista Trusted Root Certification Authorities and Intermediate Certification Authorities stores. Several of these certificates are cross-certified. When a process calls the Vista CryptoAPI (CAPI) (for example Iexplore.exe validating a website's SSL certificate), the CAPI chaining engine attempts to retrieve the cross-signing certificate for every cross-certified certificate in the store, using the URL held in that certificate's Subject Information Access extension. If the system cannot reach the retrieval URL, each attempt times out after 15 seconds. This can cause slow performance in any application that calls CAPI.
FDCC cross-certified Intermediate Certification Authorities store certificates
| Certificate Name | Serial Number |
|---|---|
| Betrusted Production SSP CA A1 | 6114b0a100000000000a |
| Entrust Managed Services Root CA | 39c1bfb400000000001f |
| Exostar GovID SSP Certificate Authority | 4d082a0000000000001d |
| Entrust FBCA | 584516fb00000000000b |
| ORC ACES Business | 14c6e864000000000010 |
| ORC ACES Unaffiliated | 14cbc469000000000012 |
| ORC ACES Government | 14cbba28000000000011 |
| NASA Operational CA | 4ea2de3a000000000016 |
| Social Security Administration Certification Authority | 617627bd000000000021 |
| VeriSign Shared Service Provider Intermediate CA | 5e2bb7d600000000001a |
| CertiPath Bridge CA | 451dc907 |
| E-Commerce Root CA | 42091753 |
| DHS Root CA | 42091859 |
| DoD CLASS 3 Root CA | 451dc766 |
| DoD Interoperability Root CA 1 | 451dd435 |
| DoJ Root CA | 4209185a |
| DST ACES CA X6 | 42091857 |
| GPO PCA | 4209185b |
| CMS CA | 420916d7 |
| EntrustCA | 4209186c |
| ORC Government ROOT | 42091997 |
| U.S. Department of State Root CA | 451dc88e |
| US Treasury Root CA | 4209179a |
| USPTO_INTR_CA1 | 42091996 |
| Wells Fargo Certificate Authority 01 | 451dd4d8 |
Symptoms
· Connecting to SSL-enabled websites takes a long time or times out.
· Applications are extremely slow and/or throw odd errors.
Cause
The Vista CAPI chaining engine is unable to retrieve a cross-signing certificate. Each chaining attempt times out after 15 seconds. If the computer's Intermediate Certification Authorities store contains multiple cross-certified certificates, the CAPI-calling application waits until every chaining attempt has either succeeded or timed out. This can cause the application to pause for extremely long periods or produce odd errors.
Example
A laptop connecting via a modem using the Cisco VPN client takes ~14 minutes to call the modem dialer, or produces the following error:
Secure VPN Connection terminated locally by the Client.
Reason 415: A required component PPPTool.exe is not present among the installed client software.
Connection terminated on: <date> Duration: <value>
Multiple errors are found in the CAPI2 event log (to enable the CAPI2 event log, start Eventvwr -> Application and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational -> right-click Enable Log). The CAPI chaining engine cannot reach the URL because the system cannot communicate with the Internet. Note that the "ProcessName" is cvpnd.exe, which is the Cisco VPN service.
<Event>
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
    <EventID>24</EventID>
    <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
    <!-- information removed -->
    <Security UserID="S-1-5-18" />
  </System>
  <UserData>
    <CertCrossCertUrlRetrievalWire>
      <SourceCertificate fileRef="036D9D52108707CFDCE6AD6AB62DDDBCD5E7D67C.cer" subjectName="EntrustCA" />
      <SyncDeltaTime>P7DT0H0M0S</SyncDeltaTime>
      <URL scheme="ldap">ldap://fpkia.gsa.gov/cn=EntrustCA,o=National%20Aeronautics%20and%20Space%20Administration,c=US?cACertificate;binary,crossCertificatePair;binary</URL>
      <EventAuxInfo ProcessName="cvpnd.exe" />
      <CorrelationAuxInfo TaskId="{6CA192A2-1D32-416E-97E8-14A63F6F11D5}" SeqNumber="236" />
      <Result value="5B4">This operation returned because the timeout period expired.</Result>
    </CertCrossCertUrlRetrievalWire>
  </UserData>
</Event>
Note: The Cisco VPN client software requires the following certificate in the computer's Trusted Root Certification Authorities store to establish a chain of trust (this certificate is not included in the FDCC image; see Additional Information).
Version: 3
Serial Number: 01
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.4 md5RSA
Algorithm Parameters:
05 00
Issuer:
E=premium-server@thawte.com
CN=Thawte Premium Server CA
OU=Certification Services Division
O=Thawte Consulting cc
L=Cape Town
S=Western Cape
C=ZA
NotBefore: 7/31/1996 8:00 PM
NotAfter: 12/31/2020 7:59 PM
Subject:
E=premium-server@thawte.com
CN=Thawte Premium Server CA
OU=Certification Services Division
O=Thawte Consulting cc
L=Cape Town
S=Western Cape
C=ZA
Solutions
Method 1:
Microsoft is currently testing a hotfix that adds the ability to disable the cross-signed certificate chaining retrieval process. The hotfix has not been publicly released. Microsoft customers who have an Enterprise Agreement may obtain it through their Account Manager, or through their Technical Account Manager for Premier contract holders. Reference: KB article 955805.
Method 2:
Enable the CAPI2 event log (Eventvwr -> Application and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational -> right-click Enable Log) to determine which certificates the chaining engine cannot retrieve, then remove those certificates from the computer's Intermediate Certification Authorities store.
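The check described in the Cause section and in Method 2, as an added PowerShell example that is not part of the original article: it reads event 24 from the CAPI2 Operational log, keeps the entries whose Result value is 5B4 (ERROR_TIMEOUT, the 15-second chaining timeout shown in the event above), and matches the source certificate names against the Intermediate Certification Authorities store, printing each matching store entry's serial number, thumbprint and Subject Information Access URL so the administrator can decide which entries to remove. It assumes PowerShell 2.0 or later (Get-WinEvent), that the CAPI2 Operational log has already been enabled, and that the script runs with rights to read that log; the commented-out Remove-Item line needs PowerShell 3.0 or later, and the thumbprint in it is a placeholder.

```powershell
# Added example, not from the original article. Assumes PowerShell 2.0+ and
# that Microsoft-Windows-CAPI2/Operational has been enabled (Method 2).

# Event 24 records a cross-certificate URL retrieval (CertCrossCertUrlRetrievalWire):
# the source certificate's subjectName, the URL tried, the calling process and the result.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CAPI2/Operational'
    Id      = 24
} -MaxEvents 500 -ErrorAction Stop

$timeouts = foreach ($ev in $events) {
    $xml = [xml]$ev.ToXml()
    # local-name() makes the XPath work regardless of the namespace the UserData payload uses.
    $node = $xml.SelectSingleNode("//*[local-name()='CertCrossCertUrlRetrievalWire']")
    if ($null -eq $node) { continue }
    $result = $node.SelectSingleNode("*[local-name()='Result']")
    $src    = $node.SelectSingleNode("*[local-name()='SourceCertificate']")
    $url    = $node.SelectSingleNode("*[local-name()='URL']")
    $aux    = $node.SelectSingleNode("*[local-name()='EventAuxInfo']")
    # Result value 5B4 (hex) = 1460 = ERROR_TIMEOUT: the 15-second chaining timeout.
    if ($null -ne $result -and $result.GetAttribute('value') -eq '5B4') {
        New-Object PSObject -Property @{
            Time        = $ev.TimeCreated
            SubjectName = $src.GetAttribute('subjectName')
            FileRef     = $src.GetAttribute('fileRef')
            Url         = $url.InnerText
            Process     = $aux.GetAttribute('ProcessName')
        }
    }
}

# One summary line per source certificate: how many attempts timed out, which
# URLs were tried and which processes were stalled while waiting.
$summary = $timeouts | Group-Object SubjectName | Sort-Object Count -Descending |
    Select-Object @{ n = 'SubjectName'; e = { $_.Name } }, Count,
                  @{ n = 'Urls';      e = { ($_.Group | Select-Object -ExpandProperty Url -Unique) -join '; ' } },
                  @{ n = 'Processes'; e = { ($_.Group | Select-Object -ExpandProperty Process -Unique) -join ', ' } }
$summary | Format-List

# Match the names against the machine Intermediate Certification Authorities
# store (Cert:\LocalMachine\CA) so the responsible store entries are identified.
$caStore = Get-ChildItem Cert:\LocalMachine\CA
foreach ($s in $summary) {
    $storeHits = $caStore | Where-Object { $_.Subject -match [regex]::Escape($s.SubjectName) }
    foreach ($c in $storeHits) {
        # Subject Information Access (OID 1.3.6.1.5.5.7.1.11) holds the URL the
        # chaining engine uses to fetch the cross-certificate pair.
        $sia = $c.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.11' }
        $siaText = if ($sia) { $sia.Format($false) } else { '<none>' }
        '{0}  Serial={1}  Thumbprint={2}  SIA={3}' -f $c.Subject, $c.SerialNumber, $c.Thumbprint, $siaText
    }
}

# Once an entry is confirmed as the cause, remove it from the store (PowerShell 3.0+;
# replace the placeholder thumbprint with the one printed above):
# Remove-Item Cert:\LocalMachine\CA\<THUMBPRINT_PLACEHOLDER>
```

Run it in an elevated PowerShell session on the affected computer after reproducing the slowness once, so the log holds fresh event 24 entries; the Processes column shows which applications were stalled (cvpnd.exe in the example above), and the SIA column confirms the retrieval URL that the machine cannot reach.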
Additional Information
FDCC settings disable Windows Update's ability to populate a computer's Root Certification Authorities stores. FDCC-compliant agencies will therefore have to monitor and authorize certificates themselves.
Policy Path: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Policy Setting Name: Turn off Automatic Root Certificates Update
FDCC Windows Vista: Enabled
FDCC Windows XP: Enabled
CCE Reference: CCE-858
Registry Setting: HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot!DisableRootAutoUpdate
Description: Specifies whether to automatically update root certificates using the Windows Update Web site. Typically, a certificate is used when you use a secure Web site or when you send and receive secure e-mail. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and organizations that it considers trusted authorities. If you enable this setting, when you are presented with a certificate issued by an untrusted root authority your computer will not contact the Windows Update Web site to see if Microsoft has added the CA to its list of trusted authorities. If you disable or do not configure this setting, your computer will contact the Windows Update Web site.
References
· Certificates needed by Windows platforms: http://support.microsoft.com/kb/293781
· FDCC version 1.0 settings: http://nvd.nist.gov/fdcc/FDCC-Settings-major-version-1.0.xls
· Microsoft Root Certificate Program: http://support.microsoft.com/kb/931125
· Deploying Certificates via Group Policy: http://technet.microsoft.com/en-us/library/cc770315.aspx
· RFC 3280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile: http://www.ietf.org/rfc/rfc3280.txt