When does a certificate check the CRL?

Enrico Zogno 1 Reputation point
2020-11-29T21:20:56.403+00:00

Hello all.

I have signed my applications with a Code Signing Certificate for a long time. Still, since the last renewal (SHA256), I noticed that every time I start my application a request to the corresponding CRL (certificate revocation list) is made.

Nothing strange, but this leads to several timeouts before the application is ready, because typically it's installed on servers without internet access (I know: I could disable the check, black-hole it in the hosts file, ...).

With another certificate (older, SHA1) the application starts immediately, and no request is made to the CRL.

I didn't find any documentation about differences in CRL handling with different types of certificates...

Would someone be so kind as to explain the behaviour differences between the two cases?

Thanks.

Enrico

2 answers

  1. Daisy Zhou 30,891 Reputation points Microsoft External Staff
    2020-11-30T09:16:47.64+00:00

    Hello @Enrico Zogno ,

    Thank you for posting here.

    To better understand your question, please confirm the information below:

    1. Do you mean the same application on the same machine, or the same application on a different machine?

    2. Were the last renewal (SHA256) and the other certificate (older, SHA1) issued by the same CA server or by different CA servers?

    3. Is the CA that issued the last renewal (SHA256) your internal CA server or a third-party CA server?

    4. Is the CA that issued the other certificate (older, SHA1) your internal CA server or a third-party CA server?

    5. We can check what kind of CRL distribution point we see on the two certificates (ldap, http or file).

    For example: [screenshot: 43585-crl1.png]

    6. We can check whether we can access the CRL locations from step 5.

    Best Regards,
    Daisy Zhou


  2. Thameur-BOURBITA 35,921 Reputation points
    2020-11-30T10:13:56.597+00:00

    Hi,

    It seems that the application needs an internet connection to check one of the CRL URLs mentioned in the new certificate. When you install the new certificate, the application needs to check the CRL to validate the new certificate; then it will be kept in the cache.
    The application starts immediately with the old certificate (SHA1) because it is already in the cache.

    [screenshot: 43693-image.png]

    Please don't forget to mark this reply as the answer if it helps you fix your issue.
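To carry out steps 5 and 6 of the first answer (find out which CRL locations the signing certificate points to and whether the server can reach them) and to see why the behaviour described in the second answer depends on the cache, here is an added PowerShell example that is not part of either answer. The path in `$SignedFile` is an assumption; point it at your own signed executable.

```powershell
# Added example (not from the thread): list the CRL Distribution Points of the
# certificate that signed a binary and test whether each HTTP location is reachable
# from this server, with a short timeout so an air-gapped host reports quickly.
param(
    [string]$SignedFile = 'C:\Program Files\MyApp\MyApp.exe'   # assumption: your signed binary
)

# Get-AuthenticodeSignature returns the signer certificate embedded in the PE file
$sig = Get-AuthenticodeSignature -FilePath $SignedFile
if (-not $sig.SignerCertificate) {
    throw "No Authenticode signature found on $SignedFile"
}
$cert = $sig.SignerCertificate
Write-Host "Signer    : $($cert.Subject)"
Write-Host "Sig. alg. : $($cert.SignatureAlgorithm.FriendlyName)"   # e.g. sha256RSA vs sha1RSA
Write-Host "Valid to  : $($cert.NotAfter)"

# OID 2.5.29.31 is the CRL Distribution Points extension
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Host 'Certificate carries no CRL Distribution Points extension'
    return
}

# Format($true) renders the extension as multi-line text; pull out every URL=... entry
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

foreach ($url in $urls) {
    if ($url -notmatch '^https?://') {
        Write-Host "$url : not HTTP (ldap/file), skipped"
        continue
    }
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 5
        Write-Host "$url : reachable (HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes)"
    } catch {
        # This is the case the question describes: the CRL fetch fails or times out
        Write-Host "$url : UNREACHABLE - $($_.Exception.Message)"
    }
}
```

`certutil -urlcache crl` lists the CRLs Windows has already cached, which is how a certificate whose CRL was fetched once (the SHA1 one in the question) can validate without any new request.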
