Prevent OCSP and CRL Check Failures After DigiCert Ends HTTP/1.0 Support
DigiCert ends support for HTTP/1.0 connections on September 22, 2025. For more information, see the DigiCert change log.
Skyhigh Web Gateway versions earlier than 12.2.20 (on-premises only) use HTTP/1.0 for Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) requests. These versions are therefore directly affected by the DigiCert HTTP/1.0 deprecation. To avoid the impact, Skyhigh recommends upgrading Skyhigh Web Gateway to version 12.2.20.
The environment is affected when the CRL and OCSP traffic flows directly from the first proxy (SWG) to the web, because those connections use HTTP/1.0. If the traffic is instead forwarded to a Next Hop Proxy (NHP) and the NHP upgrades the connection to HTTP/1.1, the environment remains unaffected.
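To see for yourself whether a given CRL distribution point still answers the HTTP/1.0 requests an unpatched SWG sends, the following added check (not Skyhigh or DigiCert code) issues the same GET once as HTTP/1.0 and once as HTTP/1.1 and compares the status lines; the URL and the `crl-check` user agent are constructed placeholders, and the script assumes plain http:// distribution points.

```python
import socket, sys
from urllib.parse import urlparse
# Added example (not Skyhigh or DigiCert code): send the same CRL GET as HTTP/1.0
# (what SWG earlier than 12.2.20 sends) and as HTTP/1.1, and compare the answers.

def build_request(url, version):
    """Raw GET for a CRL URL with the given HTTP version ("1.0" or "1.1")."""
    u = urlparse(url)
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    # Host is sent for both so the version token is the only difference.
    return (f"GET {path} HTTP/{version}\r\nHost: {u.hostname}\r\n"
            f"User-Agent: crl-check\r\nConnection: close\r\n\r\n").encode()

def parse_status(response):
    """(server HTTP version, status code) from a raw response, or None."""
    line = response.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return None
    try:
        return parts[0][5:], int(parts[1])
    except ValueError:
        return None

def probe(url, version, timeout=10.0):
    """One request on a fresh TCP connection; None if no usable answer."""
    u = urlparse(url)
    if u.scheme != "http":  # CRL distribution points are plain http://
        raise ValueError("expected an http:// URL")
    buf = b""
    try:
        with socket.create_connection((u.hostname, u.port or 80), timeout) as s:
            s.sendall(build_request(url, version))
            while b"\r\n" not in buf:  # the status line is all we classify on
                data = s.recv(4096)
                if not data:
                    break
                buf += data
    except OSError:  # refused, reset or timed out
        return None
    return parse_status(buf)

def classify(r10, r11):
    """Summarise which HTTP versions got a 2xx/3xx answer."""
    ok = lambda r: r is not None and 200 <= r[1] < 400
    if ok(r10) and ok(r11):
        return "both"
    if ok(r11):
        return "http11-only"  # an SWG earlier than 12.2.20 would fail here
    return "http10-only" if ok(r10) else "neither"
```

Run it from a host with the same egress path as the SWG, for example `print(classify(probe(url, "1.0"), probe(url, "1.1")))` with `url` set to the CRL distribution point taken from the certificate; `http11-only` means an SWG earlier than 12.2.20 would no longer be able to fetch that CRL.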
Impact
- Skyhigh Web Gateway does not detect whether a DigiCert-signed certificate is revoked, so it does not block revoked certificates.
- When Paranoid Certificate Chain Verification is enabled, Skyhigh Web Gateway blocks all requests that use DigiCert certificates.
Workaround for Paranoid Certificate Chain Verification
Bypass the Paranoid Certificate Chain Verification policy if the certificate chain contains DigiCert (along with certificates signed by Let's Encrypt). Modify the default Paranoid Certificate Chain Verification policy by adding the three new AND criteria shown below. No action is required if you have not enabled this policy.
NOTE: Support for Let’s Encrypt CRLs is provided in the SWG 12.2.20 release. After upgrading, we strongly recommend reverting the previously applied workaround to ensure proper CRL validation.
