Issue

When accessing the administration tools in a disconnected environment, where the computer running the XIA Configuration Client does not have internet access, the administration tools user interface may be slow to load or respond.


Cause

The administration tools are digitally signed using a DigiCert certificate. This issue is seen when the computer running the XIA Configuration Client cannot check the certificate revocation list (CRL) for the digital certificate.


Resolution 1 (Recommended)

Ensure that the computer running the XIA Configuration Client has internet access.


Resolution 2


NOTE: The following steps are for reference only. Please review the following Microsoft documentation and ensure you understand the risks and issues associated with changes to the security settings on Windows.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11)

  • On a computer with internet access, create a directory, for example:
    C:\CTL

  • In a command prompt, run the following command:
    certutil -syncWithWU C:\CTL

  • Download the DigiCert certificate revocation list (CRL) files to the CTL directory.
    http://crl3.digicert.com/sha2-assured-cs-g1.crl
    http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl

  • Once the certificates are downloaded, copy the C:\CTL directory to the computer in the disconnected environment.

  • On the computer in the disconnected environment, open regedit and set the following registry value (key, value name and type, data):

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
    RootDirURL (REG_SZ)
    C:\CTL


  • Install the DigiCert certificate revocation list (CRL) files using either of the following methods:

    Right-click the CRL files and select Install CRL

    - or -

    certutil -addstore CA C:\CTL\sha2-assured-cs-g1.crl
    certutil -addstore ROOT C:\CTL\sha2-assured-cs-g1.crl
    certutil -addstore CA C:\CTL\DigiCertAssuredIDRootCA.crl
    certutil -addstore ROOT C:\CTL\DigiCertAssuredIDRootCA.crl


NOTE: The trusted and untrusted CTLs can be updated on a daily basis, so ensure that you keep the files synchronized by using a scheduled task or another method.
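
The steps above for the disconnected computer can be scripted so they are repeatable each time a fresh copy of C:\CTL arrives. The following is an added example, not code from the vendor; it assumes the directory and CRL file names used in the steps above and an elevated PowerShell prompt.

```powershell
# Added example: apply the Resolution 2 steps on the disconnected computer.
# Run from an elevated PowerShell prompt after copying C:\CTL across.
$ErrorActionPreference = 'Stop'

$ctlDir   = 'C:\CTL'   # directory copied from the internet-connected computer
$regPath  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
$crlFiles = 'sha2-assured-cs-g1.crl', 'DigiCertAssuredIDRootCA.crl'

if (-not (Test-Path -LiteralPath $ctlDir -PathType Container)) {
    throw "$ctlDir not found. Copy it from the connected computer first."
}

# Set RootDirURL (REG_SZ) to the local directory, creating the key if needed.
if (-not (Test-Path -LiteralPath $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}
Set-ItemProperty -Path $regPath -Name 'RootDirURL' -Value $ctlDir -Type String

foreach ($name in $crlFiles) {
    $crl = Join-Path $ctlDir $name
    if (-not (Test-Path -LiteralPath $crl -PathType Leaf)) {
        throw "Missing CRL file: $crl"
    }

    # Show the CRL validity window. A CRL is only current until its NextUpdate
    # time, so an old copy is a sign the files need synchronizing again.
    # (Field labels as printed by certutil on English-language Windows.)
    certutil -dump $crl | Select-String -Pattern 'ThisUpdate|NextUpdate'

    # Same four commands as listed above: each CRL goes into the CA and ROOT stores.
    foreach ($store in 'CA', 'ROOT') {
        certutil -addstore $store $crl | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "certutil -addstore $store $crl failed with exit code $LASTEXITCODE"
        }
    }
}

# Confirm the registry value that was written.
Write-Output "RootDirURL = $((Get-ItemProperty -Path $regPath).RootDirURL)"
```
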



Resolution 3

NOTE: This resolution is not recommended because it reduces security.


  • Go to Control Panel > Internet Options.

  • On the Advanced tab, uncheck the "Check for publisher's certificate revocation" checkbox.


  • Click OK.