topic Re: Certificate and CRL validation fails from March 1, 2026 in Firewall and Security Management

Certificate and CRL validation fails from March 1, 2026

simonemantovani — Mon, 02 Mar 2026 10:38:31 GMT

Hello

accidentally, for the firewall infrastructure of a customer we ran into the issue reported in following SK:

https://support.checkpoint.com/results/sk/sk184766#

For the specific customer we planned to install the suggested hotfix.

Hope it could be useful.

Re: Certificate and CRL validation fails from March 1, 2026

Steffen_Appel — Mon, 02 Mar 2026 11:03:22 GMT

We ran into this bug too, the hotfix worked for us. It seems (by the workaround in the SK), that CP added an extra day (incorrect leap year) into the calculation.

Re: Certificate and CRL validation fails from March 1, 2026

_Val_ — Mon, 02 Mar 2026 11:36:03 GMT

Please follow the Sk instruction. There is a workaround that can be applied right away.

Also, it is important to say that the issue mentioned in the SK is limited and may only happen with R82 and R82.10 versions.

Re: Certificate and CRL validation fails from March 1, 2026

Steffen_Appel — Mon, 02 Mar 2026 12:12:33 GMT

Limited to specific versions yes, limited in the effect no. We had several hundred of remote workers, who could not connect.

Re: Certificate and CRL validation fails from March 1, 2026

_Val_ — Mon, 02 Mar 2026 12:33:34 GMT

@Steffen_Appel I think you misread my comment.

Just to be clear, "limited" means it does not happen to every GW or a user. S2S VPN tunners are affected only if X509 certs are in use. Users are affected only if cert-based auth is used. An additional limitation is about new certificates or newly generated CRLs.

That said, yes, if you are affected, it can be painful.

I want to assure you and everybody else that we are working on fixing the issue as soon as possible. The workaround mentioned in the SK is also very effective and does not require an HF installation, to buy you time for HF installation.

Please do not hesitate to reach out to TAC if you need any additional assistance.

Re: Certificate and CRL validation fails from March 1, 2026

Mattias_Jansson — Mon, 02 Mar 2026 13:43:40 GMT

Does the hotfix require a reboot?

Re: Certificate and CRL validation fails from March 1, 2026

AndrzejAdamczyk — Mon, 02 Mar 2026 13:53:51 GMT

Quite important information - does anybody can reply?

Re: Certificate and CRL validation fails from March 1, 2026

_Val_ — Mon, 02 Mar 2026 14:02:46 GMT

Hotfix yes, workaround - no

Re: Certificate and CRL validation fails from March 1, 2026

Steffen_Appel — Mon, 02 Mar 2026 14:16:54 GMT

As I wrote we installed the HF and it fixes the issue for us.

Re: Certificate and CRL validation fails from March 1, 2026

_Val_ — Mon, 02 Mar 2026 14:40:28 GMT

Happy to hear that

Re: Certificate and CRL validation fails from March 1, 2026

Robert_Yohn — Mon, 02 Mar 2026 15:18:58 GMT

Does the HF install on MDS require a reboot?

Re: Certificate and CRL validation fails from March 1, 2026

HeikoAnkenbrand — Mon, 02 Mar 2026 15:21:18 GMT

February 29 is a leap day that occurs only every four years in the Gregorian calendar to compensate for the difference between the calendar year and the solar year.

The year 2026 is not a leap year; the next February 29 will be in 2028.

If you take a closer look at the firewall code in R82, you will see that there is a small programming error. As a result, the certificates were no longer valid from March 1 onwards 😉

Re: Certificate and CRL validation fails from March 1, 2026

Steffen_Appel — Mon, 02 Mar 2026 15:37:13 GMT

That was my thought is morning (see above) 🙂

Re: Certificate and CRL validation fails from March 1, 2026

Alex_Lewis — Mon, 02 Mar 2026 16:02:59 GMT

In my case, after installing the hotfix Gaia Software Updates can no longer access the Check Point Download Center.

Cannot establish connection with the Check Point cloud. Connection Error, FDT - Unexpected error code. Make sure that 1. Proxy, DNS and routing are configured properly. 2. Firewall does not block traffic originating from this machine to Check Point servers (checkpoint.com and akamaitechnologies.com over HTTP and HTTPS).

Re: Certificate and CRL validation fails from March 1, 2026

Steffen_Appel — Mon, 02 Mar 2026 16:13:53 GMT

@Alex_Lewis I can confirm the issue.

Re: Certificate and CRL validation fails from March 1, 2026

Hugo_vd_Kooij — Mon, 02 Mar 2026 16:45:57 GMT

URGENT WARNING!

While the article seems to indicate this only applies to R82 gateways and above the only thing needed is a R82 or above management.

I just fixed a VPN issue where the customer runs R82 MDS with R81.20 gateways and R81.10 spark applances.

The VPN certificate expire date/time was March 3, 2026 13:44 and today (March 2) at exactly 13:44 the VPN went down.

Applied the workaround from the SK and did a renewal after that to resolve the issue.

The error on the Spark appliance was an "internal error" which I tried to solve based on https://support.checkpoint.com/results/sk/sk170141 but then I verified the exact time when the outage began and it was exactly 24 before expiration.

So I urge everyone to considere all gateways regardless of the version as impacted by this SK if your Management system is on R82 or above.

And the certificate was issued in 2021.

Re: Certificate and CRL validation fails from March 1, 2026

RemoteUser — Mon, 02 Mar 2026 21:07:13 GMT

So I have to install the fix on all gateways that I have r82 and above?

Re: Certificate and CRL validation fails from March 1, 2026

hvf3000 — Tue, 03 Mar 2026 02:07:59 GMT

@Alex_Lewis I am experiencing the same issue across multiple installations.

Re: Certificate and CRL validation fails from March 1, 2026

Steffen_Appel — Tue, 03 Mar 2026 06:19:13 GMT

yes you have and on the management

Re: Certificate and CRL validation fails from March 1, 2026

Steffen_Appel — Tue, 03 Mar 2026 06:49:27 GMT

The HF for the 3900 cannot be installed on a freshly installed GW with take 464.

Verification results

1 Errors | Installation is not allowed

Verification errors:

Installed hotfixes are missing from this package."