Very slow certificate verification on network-isolated EC2 instance – certificate revocation check?

I am setting up an environment where users use Windows EC2 instances that are configured without open-ended internet access, as described here:
https://repost.aws/knowledge-center/ec2-systems-manager-vpc-endpoints

I want to use WinSCP on those instances to enable users to easily transfer files to and from S3 (via VPC endpoint) through a graphical interface, using the instance profile temporary credentials; without internet access there's no AWS Console. I have not used WinSCP before.

When attempting to use WinSCP, connection and other operations can take a very long time, 30 seconds or more. I also frequently get this error dialog when attempting to connect:
Upon retry, it sometimes succeeds.

When I look at the debug log, I see the pause consistently happens during certificate validation, sometimes taking so long that the server closes the connection:
(See attachment for more, including an eventually successful connection)

I suspect that it has something to do with certificate revocation list checking attempting to happen and timing out, but don't know that for certain.

I have searched the internet and these forums for more information, including any instructions on how to disable those checks, fruitlessly. This thread is the closest but the -certificate option is not applicable to S3.

I have also tried disabling it at the Windows level, under Control Panel --> Internet Options --> Advanced, as described in this post.

Is there any way that I can avoid these delays?

Version: WinSCP-6.5.6
OS: Windows Server 2022
GUI: Explorer interface

I will state first, see if Martin comes up with anything.

I could be a bit off, as using GitHub IDE is not the greatest, but it looks like WinSCP is using Windows Certificate Store for the validation during S3. I don't see how its a revocation list problem as the successful connection's start "Verifying certificate" > end "Certificate for matches" statements are immediate as they should be. Something with the store verification of the certs seems to be going weird and slowing down but then immediate at other times.

@Guest: After troubleshooting for a while with LLM assistance here's what I've figured out so far.
During the hangs, the instance is trying to connect to:

• ctldl.windowsupdate.com, to refresh root certificates and/or check certificate transparency logs?
  
• crt.r2m04.amazontrust.com to download the intermediate certificate

Setting these registry keys has eliminated the hangs for me:
I am now getting a certificate warning for s3.amazonaws.com on a fresh instance which I had forgotten about when starting this thread, which I'm trying to troubleshoot now. The EC2 instance does have the Amazon Root certificates in its store by default, but not the intermediate. Claude thinks: "Your AIA call to crt.r2m04.amazontrust.com means WinSCP's Windows-store verification path isn't using the handshake-supplied intermediate — it's handing CryptoAPI only the leaf, so CryptoAPI goes looking for the issuer." I might be able to preload the intermediate CAs onto the instance as a workaround.

Idk, I find AI is wrong to the point I only use it to know what it's not. It's good you were able to get one thing solved from that but, at the same time, those hangs should ultimately be from something else as it shouldn't be happening – it's not worthwhile to have something that often hangs. To me, the AI is incorrect, but certainly is a way.

Should really be something else going on imo. Ideally, WinSCP or Windows cert store would find a way to avoid the slowdowns. It could be a bug in something. Hard to say. :)

@mkfmnn: Thanks for sharing your solution.