Windows – Can Windows log CryptoAPI CRL timeouts?

certificate, crl, encryption, windows

I suspect that the process of building the CRL cache may cause latency in some applications.

We have several .NET applications that occasionally "act slow" with no CPU or disk access. I suspect that they are hung up on authentication when trying to validate the certificate, since the timeout is almost 20 seconds.

As per this MSFT article:

Most applications do not specify to CryptoAPI to use a cumulative
time-out. If the cumulative time-out option is not enabled, CryptoAPI
uses the CryptoAPI default setting which is a time-out of 15 seconds
per URL. If the cumulative time-out option is specified by the
application, then CryptoAPI will use a default setting of 20 seconds
as the cumulative timeout. The first URL receives a maximum timeout of
10 seconds. Each subsequent URL timeout is half of the remaining
balance in the cumulative timeout value.

Since this is a service, how can I detect and log CryptoAPI hangs, both for applications I have the source code to and for third-party ones?

Best Answer

One way to get more information on this is to enable the CAPI2 event log.

  • Open Eventvwr -> Application and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
  • Right-click the log and choose Enable Log

The information that appears in the event log will assist in determining where the certificate validation process is taking a long period of time.

To Enable Logging

 wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true

To export the log to a file (the export is in .evtx format)

 wevtutil.exe epl Microsoft-Windows-CAPI2/Operational filename.evtx

To disable logging

 wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false

To clear logs

 wevtutil.exe cl Microsoft-Windows-CAPI2/Operational
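The same procedure scripted in PowerShell, as an added example that is not part of the original answer: it enables the log, reads back the failed network fetches with their URL and result code (which is what a CRL timeout looks like in this log), and, for applications whose source you control, times a chain build with an explicit retrieval timeout instead of the CryptoAPI default. The task name "Retrieve Object from Network", the Level 2 (Error) filter, and the `<URL>` and `<Result value="...">` elements in the event XML are assumptions about how CAPI2 events are laid out, not something the answer states; compare them against one of your own events before relying on the filter.

```powershell
# Added example, not code from the original answer. Run from an elevated prompt.
#
# Assumptions not confirmed by the page: the task name "Retrieve Object from
# Network", that failed fetches are logged at Level 2 (Error), and that the
# event's UserData XML carries <URL> and <Result value="..."> elements.
# Adjust the filter and the regexes if your events differ.

$LogName = 'Microsoft-Windows-CAPI2/Operational'

function Enable-Capi2Log {
    # Equivalent of "wevtutil sl ... /e:true"; /ms raises the maximum log size
    # (bytes) so a busy service does not roll over events before they are read.
    wevtutil.exe sl $LogName /e:true /ms:52428800
}

function Get-Capi2NetworkFailures {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = $LogName
        Level     = 2                      # 2 = Error
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Chain-building and policy events are also logged as errors; keep
        # only the network fetches, which is where a CRL/AIA timeout shows up.
        if ($e.TaskDisplayName -notmatch 'Retrieve Object from Network') { continue }

        $xml    = $e.ToXml()
        $url    = if ($xml -match '<URL[^>]*>([^<]+)</URL>') { $Matches[1] } else { '' }
        $result = if ($xml -match '<Result value="([^"]+)">([^<]*)</Result>') {
                      '0x{0} {1}' -f $Matches[1], $Matches[2]
                  } else { '' }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            ProcessId = $e.ProcessId       # ties the event back to the slow service
            Url       = $url
            Result    = $result
        }
    }
}

function Measure-ChainBuild {
    # For code you control: build the chain yourself with an explicit per-URL
    # retrieval timeout and time it, rather than inheriting the 15 s CryptoAPI
    # default through whatever the application's TLS/auth stack does.
    param(
        [Parameter(Mandatory)][string]$CertPath,   # .cer file of the leaf certificate
        [int]$TimeoutSeconds = 5
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSeconds)

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $ok = $chain.Build($cert)
    $sw.Stop()

    [pscustomobject]@{
        Subject = $cert.Subject
        Valid   = $ok
        Elapsed = $sw.Elapsed
        Status  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# Usage (elevated):
#   Enable-Capi2Log
#   Get-Capi2NetworkFailures -Hours 2 | Format-Table -AutoSize
#   Measure-ChainBuild -CertPath C:\temp\leaf.cer -TimeoutSeconds 5
```

A run of `Measure-ChainBuild` that takes close to the configured timeout with a revocation-related status is the direct confirmation the question is looking for; `Get-Capi2NetworkFailures` gives the same answer for third-party processes, via the process ID and the URL that failed.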