Outlook Add-In takes long to load while verifying Root Certificate
Hello everybody, I'm encountering some issues with an Add-In for Outlook. The dll file used is signed with a certificate from Thawte. At first this certificate wasn't listed at all, so I updated the Root certificates with rootsupd.exe. But as I start Outlook it takes more than 13000ms (according to eventlog) to load the Add-In. The OS is Win7, Outlook 2010 in a red environment without access to the internet. Hopefully someone can explain why it takes so long to validate the certified dll, since the correct certificate is listed in Trusted Root Certification Authorities. Best regards: Gunnar
April 11th, 2011 6:32am

The problem is that you do not have access to the Internet and the DLL is being validated. Just loading the certificate into the store does not prevent validation of the certificate chain of the DLL. What is happening is timeouts as the chaining engine attempts to validate the certificate used to sign the DLL. Without Internet connectivity, this is expected behavior. Brian
April 11th, 2011 8:53am

To verify this is the issue, run: certutil -verify -urlfetch <certname.cer> ...from the same computer. If this command takes about the same amount of time to run then it's likely your issue. Like Brian said though...the only way to really fix it is to get an internet connection. If that's not always an option, you can disable CRL checking in Outlook. Check out this: Certificate revocation list (CRL) verification - an application choice http://social.technet.microsoft.com/wiki/contents/articles/certificate-revocation-list-crl-verification-an-application-choice.aspx which will give you a link for Outlook...specifically: Set consistent Outlook 2007 cryptography options for an organization http://technet.microsoft.com/en-us/library/cc179034(office.12).aspx I'm not sure if these settings have changed any in 2010, but I'd start there. Also, I'm not 100% sure if it will be Outlook initiating the CRL verification or if it's the OS in this case (since it's a DLL). Either way, test this to see if it resolves your issue. I hope this helps!
April 11th, 2011 12:30pm

Actually, looking at that again I'm not sure it will help. I don't know if you can disable CRL checking...just set whether you get a warning or an error. Internet access or disabling this add-in might be your only option. You could download the CRL and install it in the cert store...but you'd have to do this every time the CRL expires...which is typically once a week.
April 11th, 2011 12:36pm

Hello Brian, hello Sean, thanks for your kind support. Brian, I thought it would have something to do with Windows trying to recheck the certificate. But as it's not necessary I just had to deactivate this option. Sean: Thanks for mentioning the mechanism of CRL. It can be disabled in the advanced settings tab of IE Internet Options, called "Check for publisher's certificate revocation". I turned it off via GPO, now Outlook starts fast and smooth. Add-in loads in 150ms. Thank you very much for leading the way to this solution! Greetings Gunnar
April 12th, 2011 10:35am
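
The diagnosis and the setting discussed in this thread can be checked together on the affected machine. The script below is an added example, not code from any poster: it exports the signer certificate from the DLL, times the certutil command suggested above, and reports whether publisher revocation checking is switched off for the current user. The DLL path is a placeholder, and the registry location and the 0x200 flag (WTPF_IGNOREREVOKATION) are not mentioned in the thread; they are assumed here to be what the IE option toggles.

```powershell
# Added example: diagnose slow Authenticode validation on an offline host.
param(
    # Placeholder path (not from the thread); point it at the signed add-in DLL.
    [string]$DllPath = 'C:\Path\To\AddIn.dll'
)

# 1. Read the Authenticode signature and export the signer certificate (DER).
$sig = Get-AuthenticodeSignature -FilePath $DllPath
if (-not $sig.SignerCertificate) {
    throw "No Authenticode signer certificate found on $DllPath"
}
$cerType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
$cer = Join-Path $env:TEMP 'addin-signer.cer'
[System.IO.File]::WriteAllBytes($cer, $sig.SignerCertificate.Export($cerType))

# 2. Time the chain validation with URL retrieval. A duration close to the
#    add-in load time in the event log points at CRL/OCSP fetch timeouts.
$elapsed = Measure-Command {
    $script:certutilOutput = & certutil.exe -verify -urlfetch $cer 2>&1
}
'certutil -verify -urlfetch: {0:N0} ms, exit code {1}' -f `
    $elapsed.TotalMilliseconds, $LASTEXITCODE

# Show the retrieval-related lines. Assumption: English certutil output.
$script:certutilOutput |
    Select-String -Pattern 'CDP|OCSP|AIA|Error retrieving URL' |
    ForEach-Object { $_.Line.Trim() }

# 3. Report the per-user WinTrust policy flag. Assumption: this State value is
#    what "Check for publisher's certificate revocation" writes.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\' +
       'Trust Providers\Software Publishing'
$WTPF_IGNOREREVOKATION = 0x00000200
$state = (Get-ItemProperty -Path $key -Name State -ErrorAction SilentlyContinue).State

if ($null -eq $state) {
    'WinTrust State value is not set for this user.'
} elseif ($state -band $WTPF_IGNOREREVOKATION) {
    'Publisher revocation checking is OFF (State = 0x{0:X}).' -f $state
} else {
    'Publisher revocation checking is ON (State = 0x{0:X}).' -f $state
}
```

Run it as the user who starts Outlook, since the State value is read from that user's HKCU hive.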

This topic is archived. No further replies will be accepted.
