Certificate Revocation Lists – Slow Spin up times

What

Most Microsoft assemblies and DLLs are digitally signed. Each time signed assemblies are loaded, default system behaviour is to check with the owner of the root certificate that the cert with which the assembly was signed is still valid. In the case of Microsoft assemblies, this means “phoning home” to read the Certificate Revocation List at crl.microsoft.com .

Whilst this is all very well and good if you have an Internet connection, sometimes you don’t have this luxury. Many web servers, for instance, don’t have outbound Internet accessibility. The CRL check will attempt to connect to Microsoft’s servers and then timeout, usually within 30-60 seconds.

With SharePoint, you’ll get a lot of delays in this scenario. One way to check if your server is affected by this condition is to open up a SharePoint Management Console PowerShell window and run the “STSADM -help” command. If it takes 30 seconds or more to display the usage instructions, then you will be experiencing really slow server performance.

So What

You make the first request of the day, or the first request after recycling the app pool because you are developing assemblies that sit in the GAC.There is a delay of about 2 minutes
While you are waiting, and tearing your remaining hair out because you know you have to do this at least 50 times today, there is no CPU activity, swapping or significant network traffic.

After the timeout the assembly is still loaded and the software works as expected, though very slow every time a new signed assembly is loaded for the first time, which happens a lot. The worst thing is that no entries are written to the event log and no exceptions are thrown so you are left completely in the dark about why your application is so bloody slow.

Now What

Our esteemed vendor Jereon from Muhimbi has a great explanation here and some options for you: http://blog.muhimbi.com/2009/04/new-approach-to-solve-sharepoints.html

Joel as well, and he even includes a PowerShell that will run it all down for you.
http://joelblogs.co.uk/2011/09/20/certificate-revocation-list-check-and-sharepoint-2010-without-an-internet-connection/

..and finally a SharePointBlues post on a bevy of Certificate-related issues:
http://www.sharepointblues.com/2012/01/09/sharepoint-certificate-errors/

certificate revocation list, Performance, speed

Leave a Reply

Your email address will not be published. Required fields are marked *