Amir_Ayalon
Employee

Certificate and CRL validation fails from March 1, 2026

Hi All,

Please review SK184766, which might impact your Spark Gateway.

https://support.checkpoint.com/results/sk/sk184766

In addition to the SK, I would like to answer some common questions.

Cause

In R82 and R82.10, there is an error in the date calculation logic used during validation of:
  • X.509 certificates
  • Certificate Revocation Lists (CRLs)
Starting March 1, 2026, newly generated certificates and CRLs are evaluated as not yet valid because of incorrect calculation of the Not Before timestamp.

As a result:
  • Certificates and CRLs are considered valid only after up to 24 hours.
  • Any operation requiring immediate certificate or CRL validation fails during this period.
This issue is not related to the system clock, timezone, or NTP configuration.  

Symptoms

  • Starting March 1st, 2026, newly created certificates and newly generated CRLs (Certificate Revocation Lists) may fail validation.

On Spark GWs, the issue may manifest as one or more of the following:

R82 Management that manages R82.00.xx Gateways:

  • VPN S2S which uses certificate-based authentication - affected
  • VPN S2S which does not use certificates - not affected
  • VPN RA - not affected
  • SSL inspection - affected
  • Blade update - not affected
  • License renewal - not affected
  • Threat Prevention updates - not affected
  • IDA authentication (LDAP over SSL, IDA Broker (probably not supported)) - affected
  • SIC operations (new gateway deployment) - affected

R82 Management that manages R81.xx.xx Gateways:

  • Within a few days to a week, SIC operations may fail and policy push may fail.

Locally managed GWs

In addition to the above:

  • Clean install will fail.
  • Revert to previous firmware will fail.
  • Upgrade to new firmware - not affected

Spark-managed GWs

  • Not affected

Solution

CMM (Centrally managed)

  • R82 Mng that manages R82.xx.xx gateways
    • Upgrade both your Management and your Gateway according to the SK.
  • R82 Mng that manages R81.xx.xx gateways
    • Upgrade your Management according to the SK.

If you choose not to install the Hotfix, a workaround is available below.

The workaround should be applied on both the Mng and the GW.

LMM (Locally managed)

  • Upgrade your GW according to the SK.

For Centrally Managed Appliances, this Hotfix must be installed on both Security Management and Quantum Spark Appliance.

If you choose not to install the Hotfix, the following workaround is available:
  • To avoid the problem for Site-to-Site and Remote Access VPN failures:

    On Quantum Spark Appliances:

    1. In Quantum Spark WebUI, go to Device tab > Advanced Settings > VPN Site to Site Global Settings.
    2. Extend the value of the “Grace period after CRL is no longer valid” and “Grace period before CRL is valid” properties to 93600 seconds.
    3. Install the policy on all Appliances participating in the VPN community.

    In addition to the Advanced Settings, the following CLI commands are also available:
  • set vpn site-to-site advanced-settings period-before-crl-valid 93600
  • set vpn site-to-site advanced-settings period-after-crl-not-valid 93600

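The following is an added example, not code from the post above or from Check Point, that models the mechanism the post describes: a validator that computes the Not Before (or CRL thisUpdate) timestamp up to 24 hours in the future rejects a fresh certificate or CRL as "not yet valid", and a "grace period before CRL is valid" of 93600 seconds (26 hours) is wide enough to absorb that skew. It also parses the date lines printed by `openssl x509 -noout -dates` and `openssl crl -noout -lastupdate -nextupdate`, so the same check can be run against a CRL or certificate pulled off a gateway. The default grace period of 0 seconds and the sample dates are assumptions constructed for the illustration, not values taken from the product.

```python
"""Added example (not from the CheckMates post or Check Point): how the two
CRL grace periods widen a validity window, and why 93600 s covers a Not Before
timestamp miscomputed up to 24 h into the future. The default grace of 0 s,
the 24 h skew and the dates below are constructed assumptions."""
from datetime import datetime, timedelta, timezone

WORKAROUND_GRACE_SECONDS = 93600  # value from the SK workaround: 26 hours
MAX_SKEW_SECONDS = 24 * 3600      # post: artifacts valid only "after up to 24 hours"


def parse_openssl_date(field: str) -> datetime:
    """Parse a line such as 'notBefore=Mar  1 00:00:00 2026 GMT' or
    'lastUpdate=Mar  1 00:00:00 2026 GMT' as printed by
    `openssl x509 -noout -dates` / `openssl crl -noout -lastupdate -nextupdate`.
    Returns an aware UTC datetime."""
    value = field.split("=", 1)[1].strip()
    if value.endswith(" GMT"):
        value = value[:-4]
    value = " ".join(value.split())  # collapse the space-padded day-of-month
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def validity_status(not_before: datetime, not_after: datetime, now: datetime,
                    grace_before: int = 0, grace_after: int = 0) -> str:
    """Return 'not_yet_valid', 'valid' or 'expired' for a certificate
    (notBefore/notAfter) or CRL (thisUpdate/nextUpdate) whose window is
    widened by the two grace periods, given in seconds. Assumed default
    grace of 0 s on both sides."""
    start = not_before - timedelta(seconds=grace_before)
    end = not_after + timedelta(seconds=grace_after)
    if now < start:
        return "not_yet_valid"
    if now > end:
        return "expired"
    return "valid"


def seconds_until_accepted(not_before: datetime, now: datetime,
                           grace_before: int = 0) -> int:
    """How many more seconds the artifact will be rejected as 'not yet valid'
    (0 if it is already accepted). Useful for triage on a gateway."""
    wait = (not_before - timedelta(seconds=grace_before)) - now
    return max(0, int(wait.total_seconds()))


def demo() -> tuple:
    """Constructed scenario: a CRL issued at `issued` is checked 5 minutes
    later by a validator whose Not Before calculation lands 24 h in the
    future (mirroring the symptom in the post)."""
    issued = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
    miscomputed_not_before = issued + timedelta(seconds=MAX_SKEW_SECONDS)
    next_update = issued + timedelta(days=7)
    now = issued + timedelta(minutes=5)

    default = validity_status(miscomputed_not_before, next_update, now)
    with_workaround = validity_status(miscomputed_not_before, next_update, now,
                                      grace_before=WORKAROUND_GRACE_SECONDS)
    wait = seconds_until_accepted(miscomputed_not_before, now)
    return default, with_workaround, wait


if __name__ == "__main__":
    # ('not_yet_valid', 'valid', 86100): rejected with the assumed default,
    # accepted with the 93600 s grace, otherwise rejected for another 23 h 55 min.
    print(demo())
```

The check is deliberately symmetric with the two WebUI properties: `grace_before` corresponds to "Grace period before CRL is valid" and `grace_after` to "Grace period after CRL is no longer valid". Because 93600 s exceeds the 24 h skew by two hours, a CRL or certificate fetched seconds after issue is accepted even in the worst case the post describes.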
sx8n20394
Contributor

Does this affect HTTPS Categorization version of the SSL Inspection blade? We aren't using full SSL Inspection but are getting reports of issues with Teams calls. We see logs such as:

Log Example 1: Detect - OCSP response time obsolete. Response considered unreliable. Refer to sk159872 for more details. Certificate DN: 'config.teams.microsoft.com' Requested Server Name: config.teams.microsoft.com. See sk159872

Log Example 2: Description Block UDP/443 - Application Control - HTTP parsing error occurred (2) Resource config.teams.trafficmanager.net Reason Application Control - HTTP parsing error occurred (2)

Amir_Ayalon
Employee

Yes, it might impact HTTPS Categorization. Although it does not use the Spark internal CA to re-sign traffic, it does rely on the server's certificate information.
It is recommended to upgrade to the latest firmware.

Drop us an email if you still see issues after the upgrade:
amiray@checkpoint.com
