SSMS Tips and Tricks 7-8: Starting faster by disabling CRL checking in constrained environments

SSMS Tips and Tricks 7-8: Starting faster by disabling CRL checking in constrained environments

If you have ever started SSMS in an isolated environment (ie: one with no external Internet connectivity), you’ll find that it’s slower to start.

That’s because SQL Server uses signed assemblies, and whenever an application with signed assemblies starts, it needs to check whether or not the certificate that they were signed with has been revoked. It’s not good enough to just check if it’s a valid certificate.

Certificates include a CRL (Certificate Revocation List) and this tells an application that’s trusting the certificate where to check for a list of revoked certificates.

The problem is that when you try to locate a server in an isolated environment, you might see a delay of around 40 seconds as the DNS timeout occurs.

If you have an environment like this, you might decide that it’s safe to turn off this revocation checking. That’s a call you need to make, and if in doubt or don’t understand the issues, leave it on.

I often run across this though as I have isolated virtual machines running in Hyper-V on my laptop. SSMS isn’t going to be able to look these details up, nor is any other application running within the virtual machine.

Turning this off is a registry setting but, depending upon the OS build, there are other ways to do it, such as:

  1. Control Panel –> Internet Options –> Advanced
  2. Scroll down to the Security section
  3. Uncheck the box next to “Check for publisher’s certificate revocation” Uncheck the box next to “Check for server certificate revocation” Uncheck the box next to “Check for signatures on downloaded programs”
  4. Click OK
  5. Restart your computer

You might also be able to do it via your browser security settings.

Keep in mind that if you disable this, it applies to all checking of certificates on the machine. As I said, if in doubt, don’t do it.

2025-09-28