Renew appliance certificate on the Edge Secure Web Gateway (formerly ProxySG)

Article ID: 168179

Products

ProxySG Software - SGOS Advanced Secure Gateway Software - ASG

Issue/Introduction

Edge Secure Web Gateway (formerly ProxySG)/Advanced Secure Gateway (ASG) appliances come with a cryptographic key that allows the system to be authenticated as an Edge Secure Web Gateway (formerly ProxySG)/ASG appliance once an appliance certificate has been obtained. Symantec services that are hosted on the Internet, such as Intelligence Services, use the appliance certificate to authenticate the appliance. The appliance certificate is also known as the birth certificate and as the appliance-key keyring.

The certificate is an X.509 certificate that contains the serial number of a specific Edge Secure Web Gateway (formerly ProxySG)/ASG appliance as the CommonName (CN) in the subject field. Symantec services use the serial number to authenticate the appliance and extract information from the certificate to use as the device ID.

Symantec runs an Internet-accessible Certificate Authority (CA) that issues appliance certificates. SGOS automatically trusts the root certificate of the Symantec CA for device authentication. These Symantec-signed certificates contain no authorization information and are valid for five years.

The Edge Secure Web Gateway (formerly ProxySG)/ASG appliance does not alert you when the appliance certificate is about to expire or has expired, so it is a good practice to periodically check the expiration date of the appliance certificate. See the Resolution section below for details. If the appliance certificate expires, some operations such as database downloads for subscription services and SSLV offload might fail.

Resolution

To verify the expiration date of the certificate, issue the following command and check the date for "Certificate valid to":

#(config)show ssl keyring appliance-key
Keyring ID:               appliance-key
Private key showability:  no-show
Signing request:          present
Certificate:              present
Certificate subject:      /C=US/ST=California/O=Blue Coat Systems, Inc./OU=Blue Coat SGVA Series/CN=<serial_number>
Certificate issuer:       /C=US/ST=California/L=San Jose/O=Broadcom Inc./OU=ABRCA/CN=Virtual Appliance Birth Certificate Intermediate CA
Certificate valid from:   Feb 24 08:33:40 2021 GMT
Certificate valid to:     Feb 25 16:33:40 2026 GMT
Certificate thumbprint:   89:D2:C9:19:58:05:B5:2B:A2:CC:5C:49:FE:DC:DD:F5
...

If the appliance certificate is expired or will expire soon, download the appliance certificate to the Edge Secure Web Gateway (formerly ProxySG)/ASG appliance again. The appliance must be connected to the Internet and be able to access abrca.bluecoat.com (Symantec certificate authority server).

Note: If you have recently renewed the appliance certificate but the proxy is still using the old (cached) certificate, reboot the proxy so that it starts using the newly downloaded appliance certificate. In some cases, turning content filtering off and back on may also help, but a reboot should always work.


Edge Secure Web Gateway (formerly ProxySG) and ASG hardware appliances - automatic renewal

When a hardware appliance reboots, it checks the expiration date of the appliance certificate. If the certificate is expired or will expire within 180 days, and the appliance can connect to the Symantec server, the appliance attempts to download the certificate automatically (with no user intervention). If the appliance does not have a certificate, it attempts to get one on every boot.

If the appliance establishes an Internet connection more than five minutes after the system is booted, you might have to complete the following manual steps.


Edge Secure Web Gateway (formerly ProxySG) and ASG hardware appliances - manual renewal

Use one of the following methods to renew the certificate.

Method 1: Request the appliance certificate from Symantec servers (Only for Java Management Console)

Request the appliance certificate:

  1. In the Management Console, select Configuration > SSL > Appliance Certificates (on ASG, select the Proxy tab first).
  2. On the Request Certificate tab, select Request Appliance Certificate.
  3. On the Confirm Request prompt, select OK.

The Symantec CA server does validation checks and signs the certificate. The certificate is automatically included in the appliance-key keyring.

Note: The appliance-key keyring cannot be backed up. The keyring will be re-created if it is missing at boot time.

Method 2: Request the appliance certificate from Symantec servers (CLI)

Request the appliance certificate:

  1. SSH to the appliance.
  2. Enter the following commands:

    # enable
    # config t
    #(config) ssl
    #(config ssl) request-appliance-certificate

This renews the appliance-key certificate for five more years. Issue the command show ssl keyring appliance-key from the same sub-menu to verify that the certificate was renewed.


Method 3: Create a CSR and import the certificate (If the appliance does not have access to abrca.bluecoat.com)

Create the certificate signing request:

  1. In the Management Console, select Configuration > SSL > Appliance Certificates (on ASG, select the Proxy tab first).
  2. On the Request Certificate tab, select Create CSR.
  3. On the Appliance Certificate Signing Request dialog, select and copy the entire contents of the text field.
  4. Paste the contents into a text file. Include both the Certificate Request and the CSR Signature.
  5. Go to the abrca.broadcom.com link on the Appliance Certificate Signing Request dialog, and then log in to the support portal if prompted.
  6. On the Symantec - ABRCA Manual Signing Form webpage, copy and paste the Certificate Request and the CSR Signature into the respective fields. Make sure to include the -----BEGIN ----- and ----- END ----- statements.
  7. On the webpage, select Generate Certificate. The webpage displays the appliance certificate.
  8. Copy the entire certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- statements.

Import the certificate:

  1. Select SSL > Keyrings > Device Profiles to determine which keyring is associated with the bluecoat-appliance-certificate profile.
  2. Select SSL > Keyrings > Keyrings, select the keyring identified in the previous step (usually appliance-key), and select Edit.
  3. In the Edit Keyring dialog, in the Certificate section, select Import.
  4. In the Import Certificate dialog, select Paste from Clipboard.
  5. After the certificate contents are pasted in the text field, select OK.

This method renews the certificate for five years after the current date; verify that the Certificate expiry column shows the updated expiration date.


Troubleshooting certificate renewal on a hardware appliance

If downloading from host abrca.bluecoat.com fails and a PCAP shows 002 Signature Verification Failed instead of HTTP 200 OK, perform the following steps:

  1. In the Management Console, select Configuration > SSL > Keyrings.
  2. On the Keyrings tab, select the appliance-key and click Edit.
  3. On the Edit Keyring dialog, delete the content in the Certificate Signing Request section, and apply changes. This refreshes the incorrect CSR signature.
  4. Manually or automatically download the certificate again.

Edge Secure Web Gateway (formerly ProxySG) virtual appliances - manual renewal

To get a new appliance certificate on a virtual appliance, you must fetch a new license file. The certificate is included in the license file.

Issue the following CLI command:

#licensing request-key

The CLI prompts you to enter your credentials. When you download a new license file, the certificate is updated automatically if needed.

Note: If you issue the restore-defaults command, the appliance certificate is removed. After issuing the restore-defaults command, issue the #licensing request-key command to download the license again.