Special Thanks to Tim Walton for Researching And Contributing This.


PROBLEM:

Slow responses from custom SharePoint application components appear to be caused by a timeout reaching the Certificate Revocation List (CRL) server, which we are seeing in our traces. As I understand the behaviour, we may wait up to 45 seconds before .NET concludes that the CRL is unavailable. That conclusion may then be cached for up to a minute before a fresh attempt is made to contact the CRL, so the delay comes back roughly once a minute rather than being paid once.


THEORY:

To verify that the certificate used to sign a .NET assembly has not been revoked, .NET (through the Windows Authenticode trust provider, at the point where a signed assembly is loaded) attempts to download the Certificate Revocation Lists from both of these URLs:
http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl
http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl
If the server cannot reach those endpoints, each fetch has to time out before the revocation check is abandoned. The default trust-provider settings accept an offline revocation check, so the assembly still loads; what the application pays for is the wait, and because the failed lookup is cached only briefly, the wait is paid again and again. End result: the custom .NET components respond slowly.
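The quickest way to confirm the theory is to time the same two fetches from the server. The script below is an added example, not part of the original post, and uses only the two URLs listed above; the 15-second limit is an assumption chosen to be well under the wait described in the problem statement so that a hang stands out. Run it in the context of the application pool identity (for example with PsExec -u), because proxy settings are per account and a fetch that works from an administrator's session can still time out for the service account.

```powershell
# Added example (not part of the original post): time each CRL fetch that
# Authenticode verification performs, to confirm that a hang here is what
# makes the custom components slow.
$crlUrls = @(
    'http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl',
    'http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl'
)
# Assumption: 15 s is an arbitrary limit for this probe, well below the ~45 s
# wait described in the problem statement, so a hang is obvious.
$timeoutSec = 15

foreach ($url in $crlUrls) {
    $file = Join-Path $env:TEMP ([System.IO.Path]::GetFileName($url))
    $sw   = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        Invoke-WebRequest -Uri $url -OutFile $file -UseBasicParsing -TimeoutSec $timeoutSec
        $sw.Stop()
        # certutil -dump prints the CRL's validity window. NextUpdate is when a
        # cached copy stops being treated as fresh and a new fetch is attempted.
        $next = (certutil -dump $file | Select-String 'NextUpdate' | Select-Object -First 1).Line.Trim()
        Write-Host ('OK   {0}  {1:N1}s  {2}' -f $url, $sw.Elapsed.TotalSeconds, $next)
    }
    catch {
        $sw.Stop()
        Write-Host ('FAIL {0}  after {1:N1}s  {2}' -f $url, $sw.Elapsed.TotalSeconds, $_.Exception.Message)
    }
}

# What this machine has already cached for the Microsoft CRL host. Entries
# whose NextUpdate has passed are ignored by verification and fetched again.
certutil -urlcache crl | Select-String 'crl.microsoft.com'
```

A FAIL line that arrives only after the full timeout, rather than an immediate connection refusal, is the signature of the problem: the request is being silently dropped (typically by a firewall or a proxy the service account is not configured for), which is exactly the case in which verification waits the longest.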


PREFERRED RESOLUTION:
Allow the server, and the service accounts the application pools run as, outbound HTTP (port 80) access to the crl.microsoft.com domain. If the server reaches the Internet through a proxy, the proxy has to be configured for the service account's context (or machine-wide, for example with netsh winhttp set proxy), because the fetch runs as the application pool identity and not as the administrator who is logged on; a proxy set only in the administrator's Internet Options will not help.

RESOLUTION 2:
Turn off revocation checking for the affected account by creating a turnoffCRL.reg file with this content and importing it on the server. S-1-5-20 is the SID of NT AUTHORITY\NETWORK SERVICE; if the application pool runs as a different account, use that account's SID under HKEY_USERS instead, and make sure its hive is loaded (its profile is in use) when you import the file:

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing]
"State"=dword:00023e00

Note that this weakens the integrity guarantee of signed .NET assemblies: with revocation checking off, an assembly signed with a certificate that has since been revoked would still be accepted, because we have prevented compromised certificates from being rejected automatically. The value only flips one bit relative to the Windows default of 0x23c00 (0x200, WTPF_IGNOREREVOKATION), and it is the same setting that unchecking "Check for publisher's certificate revocation" under Internet Options > Advanced writes for the interactive user. It applies only to the account whose hive you edited, so it neither helps nor hurts other accounts on the server.
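Hard-coding S-1-5-20 is the usual way this fix goes wrong, since SharePoint application pools are commonly run as domain service accounts. The script below is an added example, not part of the original post: it resolves the SID of whichever account you name, refuses to continue if that account's hive is not loaded under HKEY_USERS, reports the current State value, and sets only the 0x200 bit instead of overwriting the whole DWORD. The default account name is a placeholder assumption; pass -Account with the real application pool identity.

```powershell
# Added example (not part of the original post): apply Resolution 2 to the
# account the SharePoint application pool actually runs as, resolving its SID
# instead of hard-coding S-1-5-20 (NETWORK SERVICE). The account's hive must be
# loaded under HKEY_USERS, which it is while its profile is in use (the app
# pool is running); otherwise load it first with
#   reg load HKU\<sid> <path to that account's NTUSER.DAT>
# Assumption: the default below is a placeholder; pass -Account with the real
# identity, e.g. CONTOSO\svc_spapp.
param([string]$Account = 'NT AUTHORITY\NETWORK SERVICE')

$sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$hive = "Registry::HKEY_USERS\$sid"
$key  = "$hive\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"

if (-not (Test-Path $hive)) {
    throw "Hive for $Account ($sid) is not loaded under HKEY_USERS; load it with reg.exe load first."
}
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# An absent State value means the Windows default, 0x23c00. Bit 0x200 is
# WTPF_IGNOREREVOKATION; 0x23c00 -bor 0x200 = 0x23e00, the value in the .reg file.
$state = (Get-ItemProperty -Path $key -Name State -ErrorAction SilentlyContinue).State
if ($null -eq $state) { $state = 0x23c00 }
$current = if ($state -band 0x200) { 'already off' } else { 'on' }
Write-Host ('{0}: State was 0x{1:X} (revocation checking {2})' -f $Account, $state, $current)

# Set only the one bit rather than overwriting the whole DWORD, so any other
# trust-provider flags already present for this account are preserved.
$newState = $state -bor 0x200
Set-ItemProperty -Path $key -Name State -Value $newState -Type DWord
Write-Host ('{0}: State is now 0x{1:X}' -f $Account, $newState)
```

Running it a second time is harmless (the bit is already set and the value does not change), and running it with $newState replaced by `$state -band (-bnot 0x200)` reverses the change once connectivity to crl.microsoft.com is restored.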

RESOLUTION 3:

Manually add the CRLs from the URLs above to the server's certificate store (this assumes you have already downloaded them, for example on a machine with Internet access, and copied them to the server):
certutil -addstore CA CodeSignPCA.crl
certutil -addstore CA CodeSignPCA2.crl

Run these from an elevated prompt so the CRLs land in the local machine store. Verification only uses an installed CRL while it is valid: once the NextUpdate time inside each CRL passes, the lookup falls back to fetching from the URL and the timeouts return, so the files have to be refreshed before then.
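Because an installed CRL silently stops helping at its NextUpdate, the install step is worth wrapping in a check. The script below is an added example, not part of the original post: it reads the validity window of each already-downloaded file with certutil -dump, refuses to install a copy that has already expired, installs the rest with the same certutil -addstore command shown above, and prints how long each one remains valid. It assumes the two files are in the current directory under the names used above.

```powershell
# Added example (not part of the original post): install already-downloaded
# CRL files (Resolution 3) only if they are still within their validity
# window, and report when each one expires, because verification stops using
# a CRL once its NextUpdate has passed and falls back to fetching from the
# URL, which brings the timeouts back. Run from an elevated prompt so the CRLs
# go into the local machine CA store.
# Assumption: the files are in the current directory under these names.
$crlFiles = @('CodeSignPCA.crl', 'CodeSignPCA2.crl')

foreach ($file in $crlFiles) {
    if (-not (Test-Path $file)) { Write-Warning "$file not found, skipping"; continue }

    # certutil -dump prints "ThisUpdate:" and "NextUpdate:" lines for a CRL.
    $dump     = certutil -dump $file
    $nextLine = ($dump | Select-String 'NextUpdate' | Select-Object -First 1).Line
    $nextText = ($nextLine -split ':', 2)[1].Trim()
    try { $nextUpdate = [datetime]::Parse($nextText) } catch { $nextUpdate = $null }

    if ($nextUpdate -and $nextUpdate -lt (Get-Date)) {
        Write-Warning "$file expired at $nextUpdate; download a fresh copy before installing"
        continue
    }

    certutil -addstore CA $file | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "certutil failed for $file (exit $LASTEXITCODE)"; continue }

    if ($nextUpdate) {
        $days = [math]::Round(($nextUpdate - (Get-Date)).TotalDays, 1)
        Write-Host "$file installed; valid until $nextUpdate ($days days). Refresh it before then."
    } else {
        Write-Host "$file installed; could not parse NextUpdate from: $nextLine"
    }
}

# Verify: the CA store listing should now show CRL entries alongside the certificates.
certutil -store CA | Select-String 'CRL'
```

The date parsing relies on the server's current culture matching the format certutil prints, which is why an unparseable NextUpdate is reported rather than treated as an error; in that case read the printed line and schedule the refresh by hand.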