This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
_Val_
Admin
Admin
Friday
Jump to solution

IMPORTANT - Action Required For VPN/Remote Access Security Gateways Using DigiCert - by Sep 8, 2025

Hi CheckMates!

This message is relevant only for customers using VPN Site-to-Site and Remote Access VPN Security Gateways using certificates issued by DigiCert External CA.

No action is required if DigiCert External CA is not deployed on your Security Gateways. 

To check if your VPN/Remote Access Security Gateways use DigiCert External CA, follow these simple steps in the sk183884.

On September 8, 2025, DigiCert will stop supporting HTTP/1.0 for OCSP and CRL checks. Without upgrading protocol support, DigiCert certificate validation may fail, and will affect Site-to-Site and Remote Access VPNs on Check Point gateways.

To maintain VPN continuity, a tool has been provided to identify VPN/Remote Access gateways using the DigiCert External Certificate, followed by a hotfix update to be applied on the gateway, upgrading communication to HTTP 1.1.

All information regarding affected Security Gateways, using the discovery tool, and the hotfix is available here.

Support services are available for questions or assistance at https://www.checkpoint.com/support-services/contact-support/.

UPDATEThe SK now has all hotfixes you might need directly linked, as we al the scripts and verification steps to make sure you might need them

UPDATE 2: For those with outbound HTTPS Inspection, there is another SK available: https://support.checkpoint.com/results/sk/sk183887

UPDATE 3: DigiCert Certificate Expiration Mitigated  

We are pleased to share that we have successfully mitigated the DigiCert certificate issue together with DigiCert’s engineering team. There is no need to urgently install a Hotfix on the Security Gateways.  

 

Your Check Point Security Gateways using Site-to-Site VPN, Remote Access VPN, and Outbound HTTPS Inspection will continue to operate smoothly beyond the September 8, 2025 timeline, even without applying the hotfix in advance.

 

That said, our latest Jumbo Hotfix Accumulator changes the communication method from HTTP/1.0 to HTTP/1.1, ensuring long-term compatibility with all certificate authority services. We strongly recommend that you install it at your convenience. More details can be found here.

 

As always, we remain at your service and are here to support you with this or any other issue.

 

(1)
41 Replies
the_rock
Legend
Legend
Monday
In response to Alex-
Jump to solution

Nm, I see its part of jumbo 181 for R81.10. Released today, September 1st. I checked jumbo 39 for R82, no mention there or anything for R81.20 yet.

Andy

0 Kudos
MatanYanay
Employee
Employee
Monday
In response to the_rock
Jump to solution

Hi all 

Just to be clear, the fix plan is to be part of all our upcoming jubmos

as mention it was already released in R81_10_jumbo_hf_main take 181  

and will be part of the next R81.20 and R82 jumbos 

Thanks 

Matan.

the_rock
Legend
Legend
Monday
In response to MatanYanay
Jump to solution

Thanks for clarifying that Matan!

Andy

0 Kudos
Ben_Dunkley
Contributor
yesterday
In response to the_rock
Jump to solution

Just adding for completeness:

R82 jhf 41 and R81.20 jhf 115 were released yesterday (3rd Sept) with the fixes included.

0 Kudos
the_rock
Legend
Legend
yesterday
In response to Ben_Dunkley
Jump to solution

Correct, already installed them in the lab.

Andy

0 Kudos
796570686578
Collaborator
Tuesday
Jump to solution

FYI everyone:

It doesnt seem to be mentioned in the SK yet but I got confirmation from Check Point Support that the SAML portal and MAB portal are not affected by this issue even if you are using the DigiCert signed certificate.

philipp_98
Explorer
Tuesday
In response to 796570686578
Jump to solution

we got the same feedback from CP support

0 Kudos
the_rock
Legend
Legend
Tuesday
In response to philipp_98
Jump to solution

I also got that confirmation from our SE.

0 Kudos
Alex_Lewis
Contributor
Tuesday
Jump to solution

I'm curious why there isn't an update to the RA VPN client for this. Does the client not do OCSP/CRL checking, or is it getting OCSP/CRL status from the gateway, or is it already using HTTP/1.1 or HTTP/2?

Paul_Hagyard
Advisor
Tuesday
In response to Alex_Lewis
Jump to solution

If you are just doing straight VPN RAS connectivity (not SAML) then the first time you connect (unless you pre-populate the registry, which is what you do for a enterprise deployment) you get prompted to trust the fingerprint of the CA certificate for the CA that signed the gateway's VPN RAS certificate. So if you just use the SmartCenter issued gateway certificate you're trusting the ICA certificate, if you use an external CA you are trusting that. It doesn't use OCSP/CRL.

Things are a bit different with SAML because the VPN client uses a browser to make the connection so it can handle the IDP authentication - in this case the browser or OS certificate store needs to trust the gateway's certificate and it would use OCSP/CRL - but it is the browser doing it, not the VPN client itself. And browsers would have moved to a current protocol a long time ago.

Moti
Admin
Admin
yesterday
Jump to solution

 UPDATE - DigiCert Certificate Expiration Mitigated  

 

Hi CheckMates 

 

We are pleased to share that we have successfully mitigated the DigiCert certificate issue together with DigiCert’s engineering team. There is no need to urgently install a Hotfix on the Security Gateways.  

 

Your Check Point Security Gateways using Site-to-Site VPN, Remote Access VPN, and Outbound HTTPS Inspection will continue to operate smoothly beyond the September 8, 2025 timeline, even without applying the hotfix in advance.

 

That said, our latest Jumbo Hotfix Accumulator changes the communication method from HTTP/1.0 to HTTP/1.1, ensuring long-term compatibility with all certificate authority services. We strongly recommend that you install it at your convenience. More details can be found here.

 

As always, we remain at your service and are here to support you with this or any other issue.

0 Kudos
Thomas_Eichelbu
Advisor
Advisor
yesterday
In response to Moti
Jump to solution

Hello Moti!

yes cool info, my critical question is:
At which date DigiCert published this change? 
Or when did Check Point got notice about this issue?

After unsettling all Check Point customers worldwide, finally all concerns are futile now?
Yes i know technical things are complicated and a thorough investigation is always required ...

but please ... 
Dont get me wrong i highly highly appreciate your pro active approach.
But we need to be careful with "near - catastrophic informations" like this ...

Digicert added the following notice

Digicert.png

https://docs.digicert.com/en/whats-new/change-log/certcentral-change-log.html#digicert-ending-suppor...

so the issue is NOT entirely resolved, just delayed. Installing the hotfix is of course recommened!

best regards

(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events