Renew the ProxySG Appliance Certificate

Article ID: 168179

Products

- Advanced Secure Gateway Software - ASG
- ProxySG Software - SGOS

Issue/Introduction

ProxySG hardware appliances ship with a cryptographic key that allows the system to be authenticated as a ProxySG appliance once an appliance certificate has been obtained. The certificate is used to authenticate the appliance against Symantec services hosted on the Internet, such as BCIS (Blue Coat Intelligence Services). Appliance certificates are not relevant in a virtual machine environment.

An appliance certificate is an X.509 certificate whose subject CommonName (CN) is the hardware serial number of a specific ProxySG. The certificate can then be used to authenticate the ProxySG appliance whose hardware serial number is listed in it: the serial number is extracted from the presented certificate and used as the device ID.

Symantec runs an Internet-accessible CA for the purpose of issuing appliance certificates. The root certificate for the Symantec Certificate Authority (CA) is automatically trusted by SGOS for device authentication. These Symantec-signed certificates contain no authorization information and are valid for five years.


Resolution

On occasion the ProxySG may need to download its appliance certificate again. This can be done in two ways.

Note: Both methods require the ProxySG to have Internet connectivity to the CA server URL abrca.bluecoat.com.

1. Automatically obtained by the ProxySG

The appliance attempts to obtain the certificate completely automatically (with no user intervention) if it can connect to the Symantec CA server at boot time or within five minutes of booting. If the appliance does not have a certificate (for example, it had one until you issued a restore-defaults factory-defaults command), it attempts to get one on every boot. Once the appliance obtains a certificate, that certificate is used until another restore-defaults factory-defaults command is issued.

If Internet connectivity is established more than five minutes after the system has booted, you may need to complete the following steps manually.

2. Manually obtain an appliance certificate

A- Via the Management Console:

- Select the Configuration > SSL > Appliance Certificates > Request Certificate tab.
- Click Request appliance certificate.

The Symantec CA server performs validation checks and signs the certificate. The certificate is automatically placed in the appliance-key keyring. Note that the appliance-key keyring cannot be backed up; it is re-created if it is missing at boot time.

B- Via the CLI:

In the CLI, enter the following commands:

SG#config t
SG#(config)ssl
SG#(config ssl)request-appliance-certificate
SG#(config ssl)show ssl keyring appliance-key

This renews the certificate in the appliance-key keyring for another five years.

C- If the request fails with "002 Signature Verification Failed" instead of an HTTP 200 response (visible in a packet capture of the port 80 traffic to abrca.bluecoat.com):

Go to Configuration > SSL > Keyrings > appliance-key, click Edit, delete the CSR section at the bottom, and apply the changes. This clears the CSR whose signature the CA rejected so that a fresh one is generated. Then repeat the steps above.