This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
_Val_
Admin
Admin
Friday

IMPORTANT - Action Required For VPN/Remote Access Security Gateways Using DigiCert - by Sep 8, 2025

Hi CheckMates!

This message is relevant only for customers using VPN Site-to-Site and Remote Access VPN Security Gateways using certificates issued by DigiCert External CA.

No action is required if DigiCert External CA is not deployed on your Security Gateways. 

To check if your VPN/Remote Access Security Gateways use DigiCert External CA, follow these simple steps in the sk183884.

On September 8, 2025, DigiCert will stop supporting HTTP/1.0 for OCSP and CRL checks. Without upgrading protocol support, DigiCert certificate validation may fail, and will affect Site-to-Site and Remote Access VPNs on Check Point gateways.

To maintain VPN continuity, a tool has been provided to identify VPN/Remote Access gateways using the DigiCert External Certificate, followed by a hotfix update to be applied on the gateway, upgrading communication to HTTP 1.1.

All information regarding affected Security Gateways, using the discovery tool, and the hotfix is available here.

Support services are available for questions or assistance at https://www.checkpoint.com/support-services/contact-support/.

UPDATEThe SK now has all hotfixes you might need directly linked, as we al the scripts and verification steps to make sure you might need them

UPDATE 2: For those with outbound HTTPS Inspection, there is another SK available: https://support.checkpoint.com/results/sk/sk183887

 

(1)
37 Replies
the_rock
Legend
Legend
yesterday
In response to Alex-

Nm, I see its part of jumbo 181 for R81.10. Released today, September 1st. I checked jumbo 39 for R82, no mention there or anything for R81.20 yet.

Andy

0 Kudos
MatanYanay
Employee
Employee
yesterday
In response to the_rock

Hi all 

Just to be clear, the fix plan is to be part of all our upcoming jubmos

as mention it was already released in R81_10_jumbo_hf_main take 181  

and will be part of the next R81.20 and R82 jumbos 

Thanks 

Matan.

the_rock
Legend
Legend
yesterday
In response to MatanYanay

Thanks for clarifying that Matan!

Andy

0 Kudos
796570686578
Collaborator
19 hours ago

FYI everyone:

It doesnt seem to be mentioned in the SK yet but I got confirmation from Check Point Support that the SAML portal and MAB portal are not affected by this issue even if you are using the DigiCert signed certificate.

philipp_98
Explorer
18 hours ago
In response to 796570686578

we got the same feedback from CP support

0 Kudos
the_rock
Legend
Legend
14 hours ago
In response to philipp_98

I also got that confirmation from our SE.

0 Kudos
Alex_Lewis
Contributor
11 hours ago

I'm curious why there isn't an update to the RA VPN client for this. Does the client not do OCSP/CRL checking, or is it getting OCSP/CRL status from the gateway, or is it already using HTTP/1.1 or HTTP/2?

Paul_Hagyard
Advisor
6 hours ago
In response to Alex_Lewis

If you are just doing straight VPN RAS connectivity (not SAML) then the first time you connect (unless you pre-populate the registry, which is what you do for a enterprise deployment) you get prompted to trust the fingerprint of the CA certificate for the CA that signed the gateway's VPN RAS certificate. So if you just use the SmartCenter issued gateway certificate you're trusting the ICA certificate, if you use an external CA you are trusting that. It doesn't use OCSP/CRL.

Things are a bit different with SAML because the VPN client uses a browser to make the connection so it can handle the IDP authentication - in this case the browser or OS certificate store needs to trust the gateway's certificate and it would use OCSP/CRL - but it is the browser doing it, not the VPN client itself. And browsers would have moved to a current protocol a long time ago.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events