Last week I learned a very interesting lesson. I am in the final phase of a custom software delivery project. Using OLIVANOVA's model-driven software development approach, I created a three-tier application with an ASP.NET client, a COM+ based server tier and MS SQL Server as the persistence layer. The COM+ application is deployed to a dedicated server along with the SQL Server database management system.
The ASP.NET application is created on another server that lives in a DMZ (demilitarized zone). This web server does not have access to the Internet from inside, but is accessible from outside of this company. An HTTP connection from the web server to the database server is then responsible for communication between the user interface and the server tier.
In general, everything worked just fine (as it usually does with this code generator). However, the page load and thus the overall performance of this web application was pretty bad. I then did some investigation and finally found out that code signing validation and certificate revocation and status checking could be a reason for such a poor user experience. This information is described in Remus Rusanu’s blog post. He basically says that if a web server can open the URL crl.microsoft.com/pki/crl/products/CSPCA.crl then code signing is unlikely to be the issue.
I checked this URL on the database server first and the website opened just fine. However, the same test on the web server was not successful (since it does not have access to the Internet at all from the inside) and so I decided to define these two general policy options (ChainUrlRetrievalTimeoutMilliseconds and ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds) in the registry of this computer. These two registry entries basically specify a timeout for accessing this public key infrastructure (PKI). The defaults for these timeouts are (if set to 0 or not present) 15 and 20 seconds. We initially set these values to 200 and 500 milliseconds.
Interestingly enough, after doing so, the performance of this web application increased dramatically and everything is back to normal.
Some more detailed information on this can be found in an MS TechNet article on Certificate Revocation and Status Checking.
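The check and the registry change described above, written out as a PowerShell script (an added example, not taken from the original post or from the articles it cites). The registry key path and the http:// scheme on the CRL URL are assumptions, since the post gives neither; the value names and the 200/500 ms settings are the ones from the post. Run it from an elevated prompt.

```powershell
# Assumption: the policy location of the chain-engine settings (not given in the post).
$ConfigKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config'
# URL from the post; the http:// scheme is an assumption.
$CrlUrl    = 'http://crl.microsoft.com/pki/crl/products/CSPCA.crl'
# Value names and millisecond values as stated in the post.
$Timeouts  = @{
    ChainUrlRetrievalTimeoutMilliseconds                = 200
    ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds = 500
}

# Step 1: can this host fetch the CRL at all, and how long does the attempt take?
function Test-CrlReachable {
    param([string]$Url, [int]$TimeoutSec = 5)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec | Out-Null
        $ok = $true
    } catch { $ok = $false }
    $sw.Stop()
    [pscustomobject]@{ Url = $Url; Reachable = $ok; ElapsedMs = $sw.ElapsedMilliseconds }
}

# Step 2: report what is configured now (a missing value means the default applies).
function Get-ChainTimeouts {
    foreach ($name in $Timeouts.Keys) {
        $v = (Get-ItemProperty -Path $ConfigKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{ Name = $name; Current = if ($null -eq $v) { '(not set)' } else { $v } }
    }
}

# Step 3: write both values as DWORDs, creating the key if it does not exist.
function Set-ChainTimeouts {
    if (-not (Test-Path $ConfigKey)) { New-Item -Path $ConfigKey -Force | Out-Null }
    foreach ($name in $Timeouts.Keys) {
        New-ItemProperty -Path $ConfigKey -Name $name -PropertyType DWord `
            -Value $Timeouts[$name] -Force | Out-Null
    }
}

$probe = Test-CrlReachable -Url $CrlUrl
$probe
Get-ChainTimeouts
if (-not $probe.Reachable) {
    # Only shorten the timeouts on a host that cannot reach the CRL distribution point.
    Set-ChainTimeouts
    Get-ChainTimeouts
}
```

On a host that cannot reach the distribution point, these values only shorten the wait: revocation status is still not retrieved. Allowing outbound HTTP from the DMZ host to the CRL server is the alternative that keeps the revocation check effective.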