WCF Certificates and CA Signed Certificate Processing Delays.

Hi all,

I am curious and maybe somebody can help shed some light or be able to make a suggestion.

I have a web service that does mutual authentication and it seems to take over a minute on a complete round trip.

We have tried with self-signed certificates and it's taking, at most, like 20 seconds for a complete round trip; I would say average is about 7 seconds.

Now, we utilize a CA signed certificate and the process jumps to over a minute round trip.  1:09 seconds average.

For CA's certificates we are putting them in the MY store (i.e. Personal Store) on a computer level. The CA that issued the certificate is in the trusted root.

Then right after it goes to a matter of seconds on each attempt. Then if you wait like 30 minutes and try again it will take over a minute.

What could cause such a dramatic delay and is there anything that can be done about it?  Especially for the first time in many minutes?

Any information would be greatly appreciated.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Daniel Van Der WerkenIndependent ConsultantCommented:
Your certificate is probably setup to check against an external server.

When a third-party revocation provider supporting OCSP has been registered, an OCSP responder will be used for certificate status checking; in this case, the process is slightly modified.
Verify that the response indicates the certificate is valid. A valid response indicates that the certificate has not been revoked.

Verify the signature on the OCSP response. This activity includes developing and processing a path that establishes that the certificate issuer or a trust point trusted the responder for the express purpose of issuing responses.

Neither Windows XP nor Windows 2000 contains an OCSP client component by default. However, a third-party OCSP client can be installed as a revocation provider to CryptoAPI. OCSP responders can be located by using the AIA extension in the certificate as defined by RFC 2459. The Windows Server 2003 CA supports the OCSP responder location to be included in the AIA extension of certificates. Multiple revocation providers can be added to CryptoAPI depending on revocation requirements. For additional information about revocation providers, see the Platform SDK on MSDN.
No matter what process is used to verify certificate validity, if the status check fails any of the above checks for any certificate in the certificate chain, the certificate chain will be rejected.

As a result, it goes out on the wire to check every time it's used.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
davismAuthor Commented:
Sorry, I should have clarified, this web service is being run on a Windows 2008 R2 Server under IIS 7.5.

That said would this still apply and is there any way of stopping the check? And it is a good idea to stop the check?
Daniel Van Der WerkenIndependent ConsultantCommented:
I would think that stopping the check is a good idea. You would need to confirm that my supposition is in fact what's happening first. The server and version of IIS shouldn't matter.
davismAuthor Commented:
Help me understand. How is that a good idea to bypass the CRL check? Would one not want to know about a cert revocation?
davismAuthor Commented:
The issue was related to the certificate revocation checking.

Thanks for the information and greatly appreciated.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.