Reference the attached document below for a complete list of upgrades to the ProxySG and Advanced Secure Gateway (ASG) Trust package.
ProxySG and Advanced Secure Gateway (ASG) will be getting an upgrade to their Trust Package on November 6, 2020.
Note: Expired certificates remain included in the CA store and in the browser-trusted CCL. They must be manually removed from the browser-trusted CCL so that third-party security analysis devices do not send warnings. The command "show security trust-package", which lists CA store changes, will still list expired certificates that have been removed from the browser-trusted list.
Expired certificates can stay in the trust package as long as a valid duplicate certificate is served when available. We are monitoring the trust package to ensure that only expired certificates without a duplicate certificate are left in the trust package.
Update the trust package by connecting to the CLI console via SSH and issuing the following commands:
You will see the following:
Downloading from "http://appliance.bluecoat.com/sgos/trust_package.bctp"
The trust package has been successfully downloaded.
Details can be found in the event log, which contains specific entries for the certificate store and certificate list updates provided by the trust package.
If the trust package download URL configured on the proxy is not "http://appliance.bluecoat.com/sgos/trust_package.bctp", you can change it as follows: