topic Re: IMPORTANT - Action Required For VPN/Remote Access Security Gateways Using DigiCert - by Sep 8, 2 in General Topics

IMPORTANT - Action Required For VPN/Remote Access Security Gateways Using DigiCert - by Sep 8, 2025

_Val_ — Thu, 04 Sep 2025 09:03:49 GMT

Hi CheckMates!

This message is relevant only for customers using VPN Site-to-Site and Remote Access VPN Security Gateways using certificates issued by DigiCert External CA.

No action is required if DigiCert External CA is not deployed on your Security Gateways.

To check if your VPN/Remote Access Security Gateways use DigiCert External CA, follow these simple steps in the sk183884.

On September 8, 2025, DigiCert will stop supporting HTTP/1.0 for OCSP and CRL checks. Without upgrading protocol support, DigiCert certificate validation may fail, and will affect Site-to-Site and Remote Access VPNs on Check Point gateways.

To maintain VPN continuity, a tool has been provided to identify VPN/Remote Access gateways using the DigiCert External Certificate, followed by a hotfix update to be applied on the gateway, upgrading communication to HTTP 1.1.

All information regarding affected Security Gateways, using the discovery tool, and the hotfix is available here.

Support services are available for questions or assistance at https://www.checkpoint.com/support-services/contact-support/.

UPDATE: The SK now has all hotfixes you might need directly linked, as we al the scripts and verification steps to make sure you might need them

UPDATE 2: For those with outbound HTTPS Inspection, there is another SK available: https://support.checkpoint.com/results/sk/sk183887

UPDATE 3: DigiCert Certificate Expiration Mitigated

We are pleased to share that we have successfully mitigated the DigiCert certificate issue together with DigiCert’s engineering team. There is no need to urgently install a Hotfix on the Security Gateways.

Your Check Point Security Gateways using Site-to-Site VPN, Remote Access VPN, and Outbound HTTPS Inspection will continue to operate smoothly beyond the September 8, 2025 timeline, even without applying the hotfix in advance.

That said, our latest Jumbo Hotfix Accumulator changes the communication method from HTTP/1.0 to HTTP/1.1, ensuring long-term compatibility with all certificate authority services. We strongly recommend that you install it at your convenience. More details can be found here.

As always, we remain at your service and are here to support you with this or any other issue.

DigiCert HTTP 1.0 Deprecation sk183884

Scott_Paisley — Fri, 29 Aug 2025 14:02:02 GMT

We were just alerted to this which requires action in the next week. Looking at the SK it says the remediation for gateways is to open a ticket with support

Is there a better way?

Thanks

Re: DigiCert HTTP 1.0 Deprecation sk183884

_Val_ — Fri, 29 Aug 2025 14:20:57 GMT

The mentioned SK is still a work in progress. All required hotfixes and also a script to check whether you even need them should be available in the SK quite soon.

The better way is to wait till it is finalized and all tools to get everything under control are available there.

Re: DigiCert HTTP 1.0 Deprecation sk183884

Scott_Paisley — Fri, 29 Aug 2025 14:23:49 GMT

ok, thanks

Re: DigiCert HTTP 1.0 Deprecation sk183884

_Val_ — Fri, 29 Aug 2025 14:33:42 GMT

Once everything is in place, we will create a post and merge all related discussions

Re: IMPORTANT - Action Required For VPN/Remote Access Security Gateways Using DigiCert - by Sep 8, 2

the_rock — Fri, 29 Aug 2025 15:48:05 GMT

Thanks for that Val.

Re: IMPORTANT - Action Required For VPN/Remote Access Security Gateways Using DigiCert - by Sep 8, 2

Alex_Lewis — Fri, 29 Aug 2025 18:11:36 GMT

I contacted Digicert support, and this affects all Digicert brands, which include GeoTrust and RapidSSL. The discovery tool provided in the SK only checks for a string provide on the command line so it should be run three times for each CA string:

./DigiCert_CA_search.sh DigiCert
./DigiCert_CA_search.sh GeoTrust
./DigiCert_CA_search.sh RapidSSL

Re: IMPORTANT - Action Required For VPN/Remote Access Security Gateways Using DigiCert - by Sep 8, 2

the_rock — Fri, 29 Aug 2025 18:25:06 GMT

Thanks for that @Alex_Lewis

Re: IMPORTANT - Action Required For VPN/Remote Access Security Gateways Using DigiCert - by Sep 8, 2

PhoneBoy — Fri, 29 Aug 2025 20:38:58 GMT

While there may be some additional updates to the SK, including the script that tests whether a hotfix is needed, we now have patches that can be deployed on top of the most recent JHF for releases going back to R80.40 as well as updated firmware for Quantum Spark appliances.
This fix will be rolled into Jumbo Hotfixes also.

VPN Site-to-Site and Remote Access VPN Security Gateways using certificates issued by DigiCert

baby79 — Sat, 30 Aug 2025 02:24:04 GMT

how to check this via cli if firewalls have site to site and remote access and digicert. i only have 2 firewalls i am literally new to checkpoint and i wamt to check this manually i also dont have smart console.

Re: VPN Site-to-Site and Remote Access VPN Security Gateways using certificates issued by DigiCert

_Val_ — Sat, 30 Aug 2025 07:49:02 GMT

Read https://support.checkpoint.com/results/sk/sk183884, it has all the information you need.

Re: IMPORTANT - Action Required For VPN/Remote Access Security Gateways Using DigiCert - by Sep 8, 2

Paul_Hagyard — Mon, 01 Sep 2025 00:41:21 GMT

The SK article is not that clear... I just posted the following under "was this page helpful":

"The SK article mentions a hotfix to fix issues with site-to-site VPNs or remote access VPNs with user certificates signed by Digicert, but it then discusses checking the GATEWAY certificate to see if it is signed by Digicert. Is the issue with VPN RAS user certs, gateway certs, or both?"

We have a customer using a Digicert certificate on the gateway side in conjunction with SAML for VPN RAS. In such a scenario it should only be the client doing OCSP/CRL checks, not the gateway. Endpoint Security simply trusts the site's CA certificate fingerprint (which always seemed inadequate), but with SAML the client launches a browser (OS now by default I think) to connect so THAT should handle the OCSP/CRL check.

It sounds like it should only be an issue for the gateway if it is doing checks itself - for site-to-site VPNs or with user certificates, correct?

Re: IMPORTANT - Action Required For VPN/Remote Access Security Gateways Using DigiCert - by Sep 8, 2

the_rock — Mon, 01 Sep 2025 01:13:22 GMT

I believe those scripts mentioned should verify that.

Andy

Re: IMPORTANT - Action Required For VPN/Remote Access Security Gateways Using DigiCert - by Sep 8, 2

Paul_Hagyard — Mon, 01 Sep 2025 02:37:11 GMT

Where are the scripts mentioned? Looking through sk183884 I can only see CLI commands like "enabled_blades"

Re: IMPORTANT - Action Required For VPN/Remote Access Security Gateways Using DigiCert - by Sep 8, 2

the_rock — Mon, 01 Sep 2025 02:44:33 GMT

I believe ones @Alex_Lewis mentioned should be there. Hard to check it on my phone, but will have a look in a bit.

Andy

Re: IMPORTANT - Action Required For VPN/Remote Access Security Gateways Using DigiCert - by Sep 8, 2

the_rock — Mon, 01 Sep 2025 03:26:26 GMT

You are 100% correct, my apologies. I could have sworn I saw one script mentioned on Friday, but guess must have been removed.

Andy

Re: IMPORTANT - Action Required For VPN/Remote Access Security Gateways Using DigiCert - by Sep 8, 2

Thomas_Eichelbu — Mon, 01 Sep 2025 06:14:42 GMT

Hello Check Mates

what about Digicert Certificates which are used on portals?
like for Mobile Access blade or other platform portals?

do we face the same issue here?

Re: IMPORTANT - Action Required For VPN/Remote Access Security Gateways Using DigiCert - by Sep 8, 2

Paul_Hagyard — Mon, 01 Sep 2025 07:02:05 GMT

It looks like it is when the gateway is doing the OCSP/CRL, so it should only apply:

Site-to-site VPNs where the remote party to the Check Point environment is using Digicert certificates (instead of PSK).
Remote access VPNs where the remote user is using Digicert certificates as part of the authentication.
Outbound HTTPS inspection.

So all other scenarios, such as Digicert certificates on gateway portals (server certificates) should not be an issue.

Re: IMPORTANT - Action Required For VPN/Remote Access Security Gateways Using DigiCert - by Sep 8, 2

Hugo_vd_Kooij — Mon, 01 Sep 2025 12:18:57 GMT

I checked the Article on saterday and today (monday) but there is no script attached to the SK article.

As we need to put automation to work to go over our installed base we are in serious need of a way to avoiud many hours of work just to learn which customer are effected by this issue.

Re: IMPORTANT - Action Required For VPN/Remote Access Security Gateways Using DigiCert - by Sep 8, 2

the_rock — Mon, 01 Sep 2025 12:30:03 GMT

Im 100% positive there was a script there on Friday, August 29th, I saw it myself.