We ran into an issue recently after we deployed out production 2013 farm where users would experience long load times (30-90 sec) before a site would load. This was PER user– not first user of the day after recycle. We ran tests and used fiddler, and found out about the CRL checks it was doing.
We googled and tried various methods to stop the checks with registry changes, host file entries, etc. But the only thing that worked was a program called DigiCert Utility
Launch it, go to tools –> auto root update –> Select “Enable”
This resulted in sites loading in under 5 seconds (after first access of the day post-recycle)
Just wanted to throw that out there for everyone. It prevents/disables the server from checking the certificate revocation lists (which will time out after 30-60 seconds and then load the site.) In our case, we only have one frontend in a separate VLAN that is accessible through our firewall to the outside, others have no external access and this was jackin stuff up.