WCF Certificates and CA Signed Certificate Processing Delays.

Posted on 2014-08-07
Last Modified: 2014-09-15
Hi all,

I am curious and maybe somebody can help shed some light or be able to make a suggestion.

I have a web service that does mutual authentication and it seems to take over a minute on a complete round trip.

We have tried with self-signed certificates and it's taking, at most, like 20 seconds for a complete round trip; I would say average is about 7 seconds.

Now, we utilize a CA signed certificate and the process jumps to over a minute round trip.  1:09 seconds average.

For CA-signed certificates we are putting them in the MY store (i.e. Personal Store) on a computer level. The CA that issued the certificate is in the trusted root.

Then right after it goes to a matter of seconds on each attempt. Then if you wait like 30 minutes and try again it will take over a minute.

What could cause such a dramatic delay and is there anything that can be done about it?  Especially for the first time in many minutes?

Any information would be greatly appreciated.
Question by: davism
    LVL 19

    Accepted Solution

    Your certificate is probably setup to check against an external server.

    When a third-party revocation provider supporting OCSP has been registered, an OCSP responder will be used for certificate status checking; in this case, the process is slightly modified.
    Verify that the response indicates the certificate is valid. A valid response indicates that the certificate has not been revoked.

    Verify the signature on the OCSP response. This activity includes developing and processing a path that establishes that the certificate issuer or a trust point trusted the responder for the express purpose of issuing responses.

    Neither Windows XP nor Windows 2000 contains an OCSP client component by default. However, a third-party OCSP client can be installed as a revocation provider to CryptoAPI. OCSP responders can be located by using the AIA extension in the certificate as defined by RFC 2459. The Windows Server 2003 CA supports the OCSP responder location to be included in the AIA extension of certificates. Multiple revocation providers can be added to CryptoAPI depending on revocation requirements. For additional information about revocation providers, see the Platform SDK on MSDN.
    No matter what process is used to verify certificate validity, if the status check fails any of the above checks for any certificate in the certificate chain, the certificate chain will be rejected.

    As a result, it goes out on the wire to check every time it's used.
    LVL 1

    Author Comment

    Sorry, I should have clarified, this web service is being run on a Windows 2008 R2 Server under IIS 7.5.

    That said, would this still apply and is there any way of stopping the check? And is it a good idea to stop the check?
    LVL 19

    Expert Comment

    by: Daniel Van Der Werken
    I would think that stopping the check is a good idea. You would need to confirm that my supposition is in fact what's happening first. The server and version of IIS shouldn't matter.
    LVL 1

    Author Comment

    Help me understand. How is that a good idea to bypass the CRL check? Would one not want to know about a cert revocation?
    LVL 1

    Author Closing Comment

    The issue was related to the certificate revocation checking.

    Thanks for the information and greatly appreciated.
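A way to confirm the expert's supposition before changing anything (an added diagnostic, not code from the thread): build the chain for the CA-issued service certificate under each `X509RevocationMode` and time it. The thumbprint argument is a placeholder you supply; run it on the server itself so it sees the same LocalMachine\My store and the same network path that IIS does.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography.X509Certificates;

// Times X509Chain.Build for one certificate under Online, Offline and NoCheck
// revocation modes and prints the chain status flags CryptoAPI reported.
static class RevocationProbe
{
    static void Main(string[] args)
    {
        // Placeholder: pass the thumbprint of the CA-signed certificate as argv[0].
        string thumbprint = args.Length > 0 ? args[0] : "PASTE-THUMBPRINT-HERE";
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection found =
            store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
        store.Close();
        if (found.Count == 0) { Console.WriteLine("not found in LocalMachine\\My"); return; }
        X509Certificate2 cert = found[0];

        foreach (X509RevocationMode mode in new[] {
            X509RevocationMode.Online, X509RevocationMode.Offline, X509RevocationMode.NoCheck })
        {
            string status;
            Stopwatch sw = Stopwatch.StartNew();
            bool ok = Build(cert, mode, out status);
            sw.Stop();
            Console.WriteLine("{0,-8} valid={1,-5} {2,6} ms  {3}", mode, ok, sw.ElapsedMilliseconds, status);
        }
    }

    // Returns true when the chain builds cleanly; status lists every flag raised,
    // e.g. RevocationStatusUnknown / OfflineRevocation when the fetch fails.
    static bool Build(X509Certificate2 cert, X509RevocationMode mode, out string status)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = mode;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        bool ok = chain.Build(cert);
        status = string.Join(", ", Array.ConvertAll(chain.ChainStatus, s => s.Status.ToString()));
        if (status.Length == 0) status = "no status flags";
        chain.Reset();
        return ok;
    }
}
```

If Online takes on the order of a minute while Offline and NoCheck return in milliseconds, the round-trip delay is the on-the-wire CRL/OCSP fetch; in WCF the matching knob is `revocationMode` on `serviceCredentials/clientCertificate/authentication`, and `Offline` (check against the cached CRL) keeps revocation checking rather than disabling it outright with `NoCheck`.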
