Forum Discussion

HotheadedLemon
Copper Contributor
Mar 25, 2022

Disable Certificate revocation list check when starting applications in Windows server

Since the Windows servers (2016) we are using don't have internet access, it takes a very long time (10-30 seconds) to open an application (PuTTY, Notepad++, Word, Excel, Adobe PDF Reader and so on). Once the application has been launched, subsequent launches are very fast (1-3 seconds). But the long delay in opening the application happens again after some time (1-2 days). As I investigated, it is likely related to the CRL check on the code-signed applications. I flushed the DNS cache and then launched an application, for example Notepad++, and the DNS cache indicated that the server was trying to contact crl3.digicert.com or ocsp.digicert.com. Even after I unchecked the "Check for publisher's certificate revocation" option under Control Panel -> Internet Options -> Advanced -> Security, it remained the same. I traced the local DNS cache, and it is still trying to reach the CRL sites to verify the certificates. I am at a loss now; can anyone help please? Thanks.

  • Yes, it's Palo Alto's Cortex XDR. I found that it kept checking the application publisher's certificate by reaching out to the CRL; since there is no internet access, this would fail and cause the delay in opening the application. I manually disabled XDR on the test server, and the delay never happened again.
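A way to reproduce the diagnosis described in the two posts above (flush the DNS cache, launch the application, look for CRL/OCSP lookups) and, in the same run, attribute each revocation fetch to the process that triggered it through the CAPI2 operational log, which is the missing piece when the Internet Options checkbox makes no difference. This is an added example, not code from the original thread, from Microsoft or from Palo Alto; the Notepad++ path, the hostname pattern and the 20-second settle window are assumptions, and it must be run from an elevated PowerShell session.

```powershell
<#
  Added diagnostic script (not from the original thread). Assumes Windows Server 2016+
  with the DnsClient module (Get-DnsClientCache / Clear-DnsClientCache) and an elevated
  session (needed to enable the CAPI2 log). The application path, the host pattern and
  the settle window below are assumptions for illustration.
#>
param(
    [string]$AppPath       = 'C:\Program Files\Notepad++\notepad++.exe', # assumed path
    [int]   $SettleSeconds = 20,                                         # assumed window
    [string]$HostPattern   = 'crl|ocsp'                                  # assumed pattern
)

function Get-RevocationLookups {
    # The OP's procedure: start from an empty resolver cache, launch the application,
    # wait, then list cached DNS entries whose name looks like a CRL/OCSP distribution host.
    param([string]$Path, [int]$Seconds, [string]$Pattern)

    Clear-DnsClientCache
    $proc = Start-Process -FilePath $Path -PassThru
    Start-Sleep -Seconds $Seconds
    if (-not $proc.HasExited) { $null = $proc.CloseMainWindow() }

    # Failed lookups are cached as negative entries too, which is what an air-gapped
    # server produces; the Status column shows whether resolution actually succeeded.
    Get-DnsClientCache |
        Where-Object { $_.Entry -match $Pattern } |
        Select-Object Entry, RecordType, Status, TimeToLive
}

function Get-Capi2Retrievals {
    # The DNS cache only proves that *something* asked for the CRL host. Each CAPI2
    # operational event carries an EventAuxInfo element whose ProcessName attribute
    # names the process that called into CryptoAPI, so a third-party agent doing its
    # own chain build on every launch shows up under its own name, not the app's.
    param([datetime]$Since, [string]$Pattern)

    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CAPI2/Operational'
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $raw = $_.ToXml()
        if ($raw -notmatch $Pattern) { return }
        $xml = [xml]$raw
        $aux = $xml.SelectSingleNode("//*[local-name()='EventAuxInfo']")
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Task    = $_.TaskDisplayName
            Process = if ($aux) { $aux.GetAttribute('ProcessName') } else { '?' }
            Urls    = ([regex]::Matches($raw, 'https?://[^"<\s]+') | ForEach-Object Value |
                       Select-Object -Unique) -join ' '
        }
    }
}

# The CAPI2 operational log is disabled by default; enable it before the launch so the
# chain-build and retrieval events are recorded (the setting persists until disabled).
& wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
$started = Get-Date

"DNS entries matching '$HostPattern' within $SettleSeconds s of launching $AppPath:"
Get-RevocationLookups -Path $AppPath -Seconds $SettleSeconds -Pattern $HostPattern |
    Format-Table -AutoSize

"CAPI2 events since $started that reference a matching host, with the calling process:"
Get-Capi2Retrievals -Since $started -Pattern $HostPattern |
    Sort-Object Time | Format-Table -AutoSize
```

If the Process column shows an endpoint agent rather than the application itself, the Internet Options setting is irrelevant: that checkbox only governs WinTrust's own publisher check for the current user, while an agent that builds the signer's chain itself follows its own policy. Before switching such checks off, weigh the alternative of letting the CRL/OCSP hosts through a proxy or using the vendor's documented offline mode, since disabling revocation checking means a revoked signing certificate is accepted as valid.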
