SOLVED

Disable Certificate revocation list check when starting applications in Windows server


Since the Windows servers (2016) we are using don't have internet access, it takes a very long time (10-30 secs) to open an application (PuTTY, Notepad++, Word, Excel, Adobe PDF Reader and so on). Once the application is launched, subsequent launches are very fast (1-3 sec). But the long delay when opening an application happens again after some time (1-2 days). As I investigated, it is likely to be related to the CRL check on the code-signed applications. I flushed the DNS cache and then launched the application, for example Notepad++, and the DNS cache indicated that the server was trying to contact crl3.digicert.com or ocsp.digicert.com. Even though I unchecked the "Check for publisher's certificate revocation" option under Control Panel -> Internet Options -> Advanced -> Security, it remained the same. I traced the local DNS cache, and it is still trying to reach the CRL sites to verify the certificates. I am at a loss now, can anyone help please? Thanks.
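The test described above (flush the resolver cache, time the launch, then look for cached CRL/OCSP lookups) as one PowerShell script, added here as an example and not part of the original thread; the application path is an assumption and the name pattern is a heuristic for typical revocation endpoints.

```powershell
# Added diagnostic example (not from the original post). Reproduces the
# reporter's check on a host with no internet access: clear the DNS client
# cache, time the application start, then list any revocation-related names
# that were resolved (or failed to resolve) during the launch.
param(
    # Assumed path; adjust to the application that shows the delay.
    [string]$AppPath = 'C:\Program Files\Notepad++\notepad++.exe',
    # Seconds to wait after the window appears so late lookups are captured.
    [int]$SettleSeconds = 5
)

# Start from an empty cache so every entry we see belongs to this launch.
Clear-DnsClientCache

$elapsed = Measure-Command {
    $proc = Start-Process -FilePath $AppPath -PassThru
    try {
        # Returns once the first window's message loop is idle, which is
        # roughly what the user perceives as "the application has opened".
        $null = $proc.WaitForInputIdle(60000)
    } catch [System.InvalidOperationException] {
        # Console or already-exited process: fall back to a short wait.
        Start-Sleep -Seconds 2
    }
}
"Launch of {0} took {1:N1} s" -f (Split-Path $AppPath -Leaf), $elapsed.TotalSeconds

Start-Sleep -Seconds $SettleSeconds

# Heuristic pattern for CRL and OCSP distribution points (e.g. crl3.digicert.com,
# ocsp.digicert.com). Entries here, including negative/failed ones, show that
# something on the host attempted a revocation lookup around the launch.
$pattern = 'crl|ocsp|pki'
$hits = Get-DnsClientCache |
    Where-Object { $_.Entry -match $pattern -or $_.RecordName -match $pattern }

if ($hits) {
    $hits | Select-Object Entry, RecordName, Status, TimeToLive, Data |
        Format-Table -AutoSize
} else {
    'No CRL/OCSP names found in the DNS client cache for this launch.'
}
```

Run it once with a freshly started server and once after the 1-2 day gap the post mentions; comparing the two outputs separates a slow first launch from a revocation lookup that is being retried.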

You could try stopping and disabling the "Cryptographic Services" service, but this could have some other effects...

Thanks @Harm_Veenstra. It looks like it's related to XDR on the server.

best response confirmed by HotheadedLemon (Copper Contributor)
Solution
Yes, it's Palo Alto's Cortex XDR. I found that it kept checking the application publisher's certificate by reaching out to the CRL; since there's no internet access, it would fail and cause the delay in opening the application. I manually disabled XDR on the test server, and the delay never happened again.
