Adding a post here for visibility on this issue:
When using the default configuration or using Client Setting _BESGather_Use_Https = 1, the License Update check fails if there is an SSL issue, and does not fail over to HTTP correctly.
The SSL certificate has an unknown CA.
In BigFix 9.5.11 or greater, if you use the default configuration to check for license updates or if you force the check in HTTPS (using Client Setting _BESGather_Use_Https = 1), it is required that the following Client setting is set on the BigFix Server system for the requests to complete successfully:
_BESGather_LicenseCertificateCommonName = gatherer.bigfix.com
At the same time, if you are in an AirGapped environment and you want to run the AirGap tool in HTTPS, you have to specify the following options:
BESAirgapTool.exe -usehttps -licenseCN gatherer.bigfix.com