self-signed SSL page slow to load

[Rearview]

I have created my own Certificate to install SSL for OWA 5.5 on my Windows 2000 Server. When I used my own Certificate to create my SSL site, accessing the site is very slow. It takes approximately 15-20 seconds for the authentication screen to pop up and then the logon screen for OWA loads. Once I'm logged on to OWA, it's screens load instantly and it runs fine.

If I install the certificate on, say my home machine, the SSL site loads very fast (just like if I had bought a verisign certificate or a similar trusted certificate). Is there a way to make my self-signed SSL site load quickly from a PC that has not added that certificate to it's trusted root authorities? I don't care if they have to click yes at the security warning page, as long as they don't have to wait 20 seconds.

Again, I'm running IIS 5 on a Windows 2000 server (using OWA 5.5, but that shouldn't matter, as it is slow for any web site I set up with my self-signed certificate)

 

[skotman]

Hope this points you in the right direction:

Use ASP to check and see if the cert exists, then let them in, else, redirect them to a page to install the cert.

I dont know the code as I've never had to do it.

Scott Heath

http://www.scottspad.com

AIM: orange7288

 

[Rearview]

Is there no way aroudn making them install the certificate? My users aren't the brightest buch in the world. Like I said above, I don't care if they have to hit "yes" to a security warning because the site is not trusted by someone in their "root certificates" on their PC. I just don't want them to have to wait 20 seconds for the site to decide what to do.

 

[skotman]

Nope,
If your users can click yes, they can click ok to install the cert.
I think the steps are:
Open
Yes
Then reload the page (you can do this automatically)

Scott Heath

http://www.scottspad.com

AIM: orange7288

 

[Rearview]

Actually, to install the certificate, they have to click "view certificate" on the page that comes up. Then they have to click "install certificate." This brings up the "Certificate Import Wizard." They cclick next, then they choose "Place certificates in the folowing store" and hit browse. They seem to have to choose "Trusted Root Certification Authorities" and they hit ok. Then they hit next, and after they hit "yes" on the initial securuty waring screen, it should have the certificate installed and not prompt them again. But, I really don't care if they are propted to say yes or no to the security warning, as long as it goes by fast.

I have bene to many other web sites where the certificate is not trusted by an authority I trust, but their warning loads almost instantly (no 20 second delay). There has to be some way around this delay...

 

[Rearview]

Any other ideas?

 

[skotman]

Can you give an example of one of those websites?

Scott Heath

http://www.scottspad.com

AIM: orange7288

 

[Rearview]

look at

https://www.mhmrabv.org.

That brings up our web site using our self-signed SSL certificate. Like I've said above, it is perfectly fine if our users don't want to install the certificate on their home PCs (they can click to accept the certifiate each time they visit), but I don't want them to have to wait 15-20 seconds just to load the page.

An example of another site I know of that is self-signed, but the page loads quickly is

https://www.math.tamu.edu/

(they use linux, though)

Why won't mine load quickly?

 

[skotman]

I'm finding that both sites load slow.

Scott Heath

http://www.scottspad.com

AIM: orange7288

 

[Rearview]

I just tried to access both. I had to wait 3 seconds for the math.tamu.edu site and 18 for mine (the mhmrabv.org site).

I'm almost certain it is a problem with Microsoft Certificate Server (or something to do with Certificate Server/IIS), but I cannot find any helpful information on this.

 

[CompsITguy]

I am having the same problem over here. Some people load fast and other hang up for about 30 seconds. Seems to be a common problems. But I am runnging Exchange 03 and Windows 03. I found a fix that may work for you. I'm on IIS 6 so it does not apply.

Try this KB 295070 from Microsoft it applies to IIS 5 and 4.

 

[Rearview]

I've been to that KB article. I tried revoking and recreating my certificate, after I unchecked LDAP and am only using HTTP as a distribution point. Still slow. this is frustrating.

 

[awayman]

We had trouble with Outlook Web Access because of using a self-generated certificate. Internet Explorer insists on verifying the cert back to the root Certificate Authority, so when we took our root CA offline (the subordinate CA was still online), the dialogue wouldn't open until the root CA check timed out. The cert still worked fine, we just had an annoying lag before it timed out.

You can check to see if this is your issue by using Netscape to log in; it doesn't do the hierarchy check that IE does, so there's no lag while waiting for the timeout. I'm pretty sure there's a Microsoft KB article on this somewhere, but it escapes me now.

If this is the problem, you'll need to make sure your web server can talk to your root CA. If you get the same lag time using Netscape, you can probably ignore this issue.

One more note-- We had this issue over a year ago; I don't know if the current IE version still has the same "bug" as the version we were dealing with then.

 

[Rearview]

I was checking this earlier today. It seems since I re-issued my certificate (telling it to only use HTTP as a distribution point) my page loads decently fast, except from inside my LAN. This is most likely some kind of routing problem on my end, and it is not overly important. (users can access OWA from our Intranet page if they are in the building).

I think disabling LDAP as a distribution point worked for me.